
Re: IDNA and security



* Joey Hess:

> Florian Weimer wrote:
>> People are filing security bugs because of the homograph issue.  But
>> is this a real security problem?  Do you think we should change our
>> fonts so that 1, l and I (and O and 0, of course) are more different
>> visually?
>
> That misses part of the point of the homograph issue, which is that
> besides characters that look confusingly alike, unicode contains
> characters that are *identical*, except for being in different code
> pages. See http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

I wrote about these issues four years ago.  I still don't think
they are a security problem, given the way DNS TLDs and the browser
CAs operate.

There are fonts in which "l" and "I" are *identical* (Gill Sans is an
example, IIRC).

> FWIW, I've filed the bugs I did on this issue at normal priority,
> because it was not at all clear to me that the bug meets the criteria
> for being release critical, since the actual bug is in the basic design
> of unicode domain names, in the lacking procedures of the CAs and
> registrars who do not check for homograph issues, and in the overall
> design of so-called ecommerce "security". Any fixes in the packages can
> at best only be heuristics and workarounds, and will likely just lead to
> an escalating arms race if this problem is worth exploiting.

Oh, in this case, our opinions on this matter aren't too different
after all.
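
Added example, not part of the original message or of any package discussed in the thread: a minimal sketch of the kind of package-side heuristic mentioned above, which decodes each IDNA label and flags labels that mix scripts. It assumes the first word of a character's Unicode name approximates its script (the Python standard library has no Script property); the hostnames are constructed, and the last one shows why this stays a heuristic.

```python
import unicodedata

ACE_PREFIX = "xn--"  # IDNA prefix marking a punycode-encoded label


def decode_label(label):
    """Return the Unicode form of one DNS label (ASCII labels pass through)."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def label_scripts(label):
    """Return the set of scripts used by the letters of a Unicode label."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are common to every script
        # Assumption: "CYRILLIC SMALL LETTER A" -> "CYRILLIC" approximates the script.
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_hostname(hostname):
    """Return (ace_label, unicode_label, scripts) for every mixed-script label."""
    findings = []
    for raw in hostname.split("."):
        label = decode_label(raw)
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append((raw, label, sorted(scripts)))
    return findings


def to_ace(label):
    """Build the ACE form of a Unicode label (used only to construct samples)."""
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


if __name__ == "__main__":
    # Constructed sample hostnames under the reserved .test TLD.
    samples = [
        "www.example.test",                        # plain ASCII
        to_ace("ex\u0430mple") + ".test",          # Latin with one Cyrillic letter
        to_ace("\u0441\u0430\u0440\u0435") + ".test",  # entirely Cyrillic label
    ]
    for host in samples:
        print(host, "->", check_hostname(host) or "no mixed-script label")
```

The entirely Cyrillic label is not flagged: a whole-script lookalike passes a mixed-script check, so the check narrows the problem without closing it.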


