Re: [charmodReview-17] "security problems" with Unicode homographs

Hello Chris,

I'm aware of attacks like these (including the Gabrilovich paper)
for quite a while. I plan to discuss these and other security
problems in more details in the next IRI draft. Also, the IDNA
draft(s) (multilingual domain names) discuss this at quite some
length, because some of this is very domain-name specific rather
than IRI-specific.

As for mentioning this in charmod, on what level/in what place
do you think this should be done? I don't think it should
go into section 8, because that basically assumes that one
reads the IRI spec. But a note in section 7 (string identity
may be appropriate.

What do you think?

Regards,    Martin.

At 17:24 02/05/29 +0200, Chris Lilley wrote:

>Hello www-tag,
>  Slashdot has picked up a paper from Communications of the ACM about
>  URL spoofing using Unicode characters. Aparently a research team
>  registered a domain name that looked like "" but used
>  two cyrillic letters for "c" and "o". (Not sure how they would do
>  that, since AFAIK domain names are still ascii). Anyway I thought
>  that "security" aspect could be mentioned, perhaps, in charmod.
>  Chris                

Received on Wednesday, 5 June 2002 01:18:01 UTC