W3C home > Mailing lists > Public > www-tag@w3.org > June 2002

Re: [charmodReview-17] "security problems" with Unicode homographs

From: Martin Duerst <duerst@w3.org>
Date: Wed, 05 Jun 2002 14:16:19 +0900
Message-Id: <4.2.0.58.J.20020604113325.03d46d28@localhost>
To: Chris Lilley <chris@w3.org>, www-tag@w3.org

Hello Chris,

I'm aware of attacks like these (including the Gabrilovich paper)
for quite a while. I plan to discuss these and other security
problems in more details in the next IRI draft. Also, the IDNA
draft(s) (multilingual domain names) discuss this at quite some
length, because some of this is very domain-name specific rather
than IRI-specific.

As for mentioning this in charmod, on what level/in what place
do you think this should be done? I don't think it should
go into section 8, because that basically assumes that one
reads the IRI spec. But a note in section 7 (string identity
matching,
http://www.w3.org/TR/2002/WD-charmod-20020430/#sec-IdentityMatching)
may be appropriate.

What do you think?

Regards,    Martin.

At 17:24 02/05/29 +0200, Chris Lilley wrote:

>Hello www-tag,
>
>  Slashdot has picked up a paper from Communications of the ACM about
>  URL spoofing using Unicode characters. Aparently a research team
>  registered a domain name that looked like "microsoft.com" but used
>  two cyrillic letters for "c" and "o". (Not sure how they would do
>  that, since AFAIK domain names are still ascii). Anyway I thought
>  that "security" aspect could be mentioned, perhaps, in charmod.
>
>  http://slashdot.org/articles/02/05/28/0142248.shtml?tid=172
>
>--
>  Chris                          mailto:chris@w3.org
Received on Wednesday, 5 June 2002 01:18:01 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:55:52 UTC