W3C home > Mailing lists > Public > public-iri@w3.org > February 2010

Re: spoofing and IRIs

From: Maciej Stachowiak <mjs@apple.com>
Date: Sun, 28 Feb 2010 10:16:40 -0800
Cc: public-iri@w3.org
Message-id: <A9A9BDF5-58F1-4262-AC6D-58E36E97A390@apple.com>
To: Larry Masinter <LMM@acm.org>

On Feb 27, 2010, at 9:19 PM, Larry Masinter wrote:

> (resending after fixing access problem)
>
> Right now, the “Security Considerations” section of http://tools.ietf.org/html/draft-ietf-iri-3987bis-00#section-10 
>   contains a relatively short discussion of the issues around  
> spoofing.
>
> I’d like to replace most of that section with a summary and a  
> pointer to the Unicode Technical Report #36
>
> http://unicode.org/reports/tr36/tr36-8.html
>
> which expands the discussion quite a bit.  I think a summary might  
> be the form:
>
> =============draft============
> There are serious difficulties with  relying on a human to verify  
> that a presentation of an IRI to them  (whether visually or read out  
> loud) is the same as another identifier or is the one intended.  
> These problems exist with ASCII-only URIs (bl00mberg.com vs. bloomberg.com 
> ) but are enormously exacerbated when using  the larger character  
> repertoire of Unicode; these problems are elaborated in [UTR#36].   
> There seems to be little hope of relying on either administrative or  
> technical means to reduce the availability of such exploits, to the  
> extent that user agents SHOULD NOT relying on visual or perceptual  
> comparison or verification of IRIs as any means of validating or  
> assuring safety, correctness or appropriateness of an IRI.
>
> [UTR#36] also identifies additional security considerations that are  
> applicable to IRIs.
>
>  ======draft============
>
>
> Basically, I want to push the issue of Spoofing in IRIs to another  
> document.
>
> Thoughts?
>
> Comments?

I think there's one piece of your summary that is oddly stated: "...  
to the extent that user agents SHOULD NOT relying on visual or  
perceptual comparison or verification of IRIs as any means of  
validating or assuring safety". User agents don't do any visual  
comparisons of IRIs directly for their own purposes, they do character- 
by-character comparisons. The problem is with users themselves, not  
user agents, doing visual comparisons. Also, while UTR#36 has many  
specific suggestions for improving IRI security, they are not all for  
user agents. Some are recommendations for procedures when registering  
domain names. The UA recommendations do not amount to completely  
removing the user's reliance on visual comparison, although they may  
somewhat mitigate the risk of showing the user certain kinds of  
visually confusable URIs. I'm not sure the recommendations of UTR#36  
can be summarized adequately in a short paragraph.

Regards,
Maciej
Received on Sunday, 28 February 2010 18:17:15 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 20:39:41 UTC