[Pkg-kde-bugs-fwd] [Bug 98788] Possible solution to IDN domain spoofing/phishing
Peter Thomassen
98788@bugs.kde.org
28 Mar 2005 19:46:39 -0000
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
http://bugs.kde.org/show_bug.cgi?id=98788
------- Additional Comments From info peter-thomassen de 2005-03-28 21:46 -------
Referring to both comment #51 and comment #52:
Good idea, but I think charset-based character checks are better because German speakers (ISO-8859-1, Latin-1) usually don't use Celtic characters (ISO-8859-14, Latin-8) and vice versa, even though both charsets are Latin-based; there shouldn't be any need to mix charsets up. In this case, we really could avoid confusion because of an accent.
Section-wise charset mixing is good, but imagine h-p.com (Hewlett-Packard) is registered again using another charset for one or both characters. See below.
Configurability:
- Checkbox to enable IDN protection and show the other options (activated by default).
- Select list to activate one or more charsets, preventing attacks on domain names that can be imitated using a single charset. By default, only enable the charset according to the localization used. Since pure ASCII is always allowed, it is not included in the charset list. UTF-8 isn't either, because it would disable IDN protection.
- Radio boxes to allow mixture of charsets:
* never (default, this is most secure)
* section-wise
* level-wise (subdomain-wise)
- Maybe a checkbox to enable either only letters (default) or the whole charset (including punctuation and special symbols). Although this actually is a registry task, we shouldn't trust them ... they can change.
If the last option is not implemented (allowing the whole charset), checks are simple: Just try to convert from UTF-8 to one of the good charsets. If this fails, trigger a warning.
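The check sketched in this comment, written out as an added example (not code from the bug report or from KDE): each allowed charset is given as a Python codec name, the three mixing modes correspond to the radio-box options above, and the hostnames in the demo are constructed.

```python
# Charset-based IDN check as proposed in the comment: a hostname is accepted
# only if each "unit" (whole name / label / hyphen-separated section, depending
# on the mixing policy) can be encoded in one of the allowed single-byte charsets.
# Pure ASCII is always allowed; UTF-8 must never be in the allowed list.

def fits_charset(text, charset, letters_only=True):
    """True if text is representable in `charset` (a Python codec name) and,
    with letters_only, contains nothing but letters, digits, '-' and '.'."""
    if text.isascii():
        return True  # pure ASCII is always allowed
    try:
        text.encode(charset)
    except UnicodeEncodeError:
        return False  # at least one character is outside this charset
    if letters_only and not all(ch.isalnum() or ch in "-." for ch in text):
        return False  # punctuation / symbols from the charset are not letters
    return True


def check_hostname(hostname, charsets, mixing="never", letters_only=True):
    """Return (ok, detail). mixing is 'never', 'level-wise' or 'section-wise'."""
    name = hostname.lower()
    labels = name.split(".")
    if mixing == "never":
        units = [name]                       # whole name must fit ONE charset
    elif mixing == "level-wise":
        units = labels                       # each label may use its own charset
    elif mixing == "section-wise":
        units = [s for lab in labels for s in lab.split("-")]
    else:
        raise ValueError("unknown mixing policy: %r" % mixing)
    for unit in units:
        if not any(fits_charset(unit, cs, letters_only) for cs in charsets):
            return False, "%r fits none of %s" % (unit, charsets)
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: Latin-1 only (German locale) and Latin-1 + Latin-8.
    print(check_hostname("münchen.de", ["iso-8859-1"]))
    print(check_hostname("ex\u0430mple.com", ["iso-8859-1", "iso-8859-14"], "level-wise"))
    # 'ŵ' exists only in Latin-8, 'ð' only in Latin-1: accepted only section-wise.
    for mode in ("never", "level-wise", "section-wise"):
        print(mode, check_hostname("ŵ-ð.example", ["iso-8859-1", "iso-8859-14"], mode))
```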