Jargons of Info Tech industry

Tim Tyler tim at tt1lock.org
Tue Oct 18 03:40:26 EDT 2005


In comp.lang.java.programmer Paul Rubin <http://phr.cx@nospam.invalid> wrote or quoted:
> Tim Tyler <tim at tt1lock.org> writes:

> > Are there any examples of HTML email causing security problems - outside
> > of Microsoft's software?
> 
> There was a pretty good one that went something like
> 
>   Click this link to download latest security patch!
>    <a href=http://www.mxxxxxx.com.....>Microsoft Security Center</a>
> 
> where "mxxxxxx" is "microsoft" with the letter "i" replaced by some
> exotic Unicode character that looks exactly like an ascii "i" in normal 
> screen fonts.  The attacker had of course registered that domain and
> put evil stuff there.

I didn't think unicode domain names existed.

It seems that they are in the pipeline:

``After much debate and many competing proposals, a system called 
  Internationalizing Domain Names in Applications (IDNA) was adopted as 
  the chosen standard, and is currently, as of 2005, in the process of 
  being rolled out.''

 - http://en.wikipedia.org/wiki/Internationalized_domain_names

It looks like the security issues are probably going to be dealt
with via technical fixes:

``On February 17, 2005, Mozilla developers announced that they would ship 
  their next versions of their software with IDN support still enabled, 
  but showing the punycode URLs instead, thus thwarting any attacks while 
  still allowing people to access websites on an IDN domain. This is a 
  change from the earlier plans to disable IDN entirely for the time 
  being.''

 - http://en.wikipedia.org/wiki/Internationalized_domain_names

Anyway, I'm inclined to suggest this is a DNS problem.  It would
apply to any format that allowed rendering of domain names using
the unicode character set they are intended to be displayed using.

Even without unicode, the "homograph attack" is still viable, due
to things like the "l"/"I" issue in many fonts - as pointed out on:

http://www.centr.org/docs/2005/02/homographs.html
-- 
__________
 |im |yler  http://timtyler.org/  tim at tt1lock.org  Remove lock to reply.
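The two mitigations discussed above (showing the Punycode "xn--" form instead of the Unicode label, and spotting a look-alike substitution) can be tried out directly. The following script is an added example, not part of the original post or of any browser's code. It assumes a constructed homograph domain in which the ASCII "i" of "microsoft.com" is replaced by U+0456 (Cyrillic "і"); the mixed-script check is a simple heuristic chosen for illustration, not the rule the Mozilla developers announced, which was to display Punycode for every IDN.

```python
import unicodedata

# Constructed sample (not a real attack domain): "microsoft" with the ASCII
# "i" replaced by U+0456 CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I,
# which most screen fonts draw identically to the Latin letter.
HOMOGRAPH_DOMAIN = "m\u0456crosoft.com"
GENUINE_DOMAIN = "microsoft.com"


def to_punycode(domain: str) -> str:
    """Return the ASCII form a resolver sees and a browser shows when it
    refuses to render IDN labels in Unicode. Uses Python's built-in IDNA
    (2003) codec; labels that are already ASCII pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def display_form(domain: str) -> str:
    """Address-bar text under the policy quoted from the Mozilla
    announcement: any domain containing non-ASCII is shown as Punycode."""
    if domain.isascii():
        return domain
    return to_punycode(domain)


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one DNS label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Digits and the hyphen carry no script and are ignored. (Illustrative
    heuristic, not Unicode's formal script property.)"""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split(" ")[0])
    return scripts


def is_suspicious(domain: str) -> bool:
    """Flag a domain if any single label mixes scripts (e.g. Latin plus
    Cyrillic). A label written entirely in one non-Latin script is ordinary
    IDN use and is not flagged; pure-Latin look-alikes such as l/I are
    out of scope for this check, as the CENTR paper notes."""
    for label in domain.split("."):
        if len(scripts_in_label(label)) > 1:
            return True
    return False


def main():
    for domain in (GENUINE_DOMAIN, HOMOGRAPH_DOMAIN):
        print("rendered :", domain)
        print("punycode :", to_punycode(domain))
        print("displayed:", display_form(domain))
        print("scripts  :", [sorted(scripts_in_label(l)) for l in domain.split(".")])
        print("suspicious:", is_suspicious(domain))
        print()


if __name__ == "__main__":
    main()
```

Run it and the two domains, which look the same on screen, come out as different ASCII names: the genuine one is unchanged, the homograph becomes an "xn--mcrosoft-..." label, which is why displaying Punycode exposes the trick. The script-mixing check only catches substitutions across scripts; it says nothing about the "l"/"I" confusion within ASCII that the CENTR document raises.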