Data on confusables

John C Klensin klensin at jck.com
Thu Jul 30 13:06:52 CEST 2009


--On Thursday, July 30, 2009 11:24 +0100 Gervase Markham
<gerv at mozilla.org> wrote:

> On 30/07/09 00:13, Mark Davis ⌛ wrote:
>> I don't think that IDNA2008 will change much regarding
>> spoofing. Some registries may be bound by the terms of
>> IDNA2008, but most will not be. They could chose to abide by
>> it strictly, or they could allow characters like HEART if
>> they are in demand, or for compatibility with IDNA2003.
> 
> They could, but if none of the browsers render it, I suspect
> they won't.

And that has been an important part of our thinking.  Based on
his comments in the past, I think Mark predicts that browsers
will be under user (or page author) pressure to render these
things and that they will do so in response to that pressure.
You are predicting that at least some of them will hold the line
in the interest of security and user protection.  Mark has
predicted in prior notes that, if any browser renders
IDNA2008-prohibited characters all will need to do so because of
competitive pressure.  Others of us believe that some will be
happy to have browsers that leave users less subject to attacks
than their competitors.  We will just have to see how that
sorts itself out.

>> Conversely, the client side can't depend on the registries'
>> all doing "the right thing", and will need to supply their
>> own tests for spoofing; and for them as well, excluding
>> symbols or checking for CONTEXTO accomplishes almost nothing
>> as far as detecting spoofs.
> 
> I find that an odd conclusion. Banning dot-like, slash-like
> and hyphen-like punctuation seems to me like it would make a
> big difference in terms of restricting what spoofing is
> possible.

And, indeed, in banning substantially all punctuation, we have
banned dot-like, slash-like, and hyphen-like punctuation.  What
we cannot reasonably ban are letters and digits that someone
might mistake for dots, slashes, or hyphens and that is one of
many reasons why, although we can provide better levers for
helping browser (and other application) producers protect
against confusion-based attacks on users, there are no possible
complete solutions in the IDNA protocol or associated character
rules or lists.

best,
      john
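The distinction drawn in the message above, that a protocol-level rule can exclude punctuation and symbols but not letters that merely look like dots, slashes or hyphens, is easy to see in code. The following is an added example for this archive page, not code from the thread or from any IDNA implementation. It approximates the IDNA2008 stance on punctuation with a Unicode general-category test (a simplification: IDNA2008 actually places a few marks such as U+00B7 MIDDLE DOT under CONTEXTO rather than rejecting them outright), and the lookalike table is a small constructed set of letters chosen for illustration, not an official confusables list.

```python
import unicodedata

# Constructed table (an assumption of this example): letters whose glyphs a
# user might read as a hyphen or slash. All of them are letters by Unicode
# category, so a punctuation ban at the protocol level does not touch them.
PUNCT_LOOKALIKES = {
    "\u30fc": "-",  # KATAKANA-HIRAGANA PROLONGED SOUND MARK, category Lm
    "\u4e00": "-",  # CJK UNIFIED IDEOGRAPH-4E00 ("one"), category Lo
    "\u30ce": "/",  # KATAKANA LETTER NO, category Lo
    "\u01c0": "/",  # LATIN LETTER DENTAL CLICK, category Lo
}


def protocol_reject(label):
    """Approximate the protocol-level rule: reject any code point whose
    general category is punctuation (P*) or symbol (S*), except the ASCII
    hyphen-minus that labels are allowed to contain. Returns the offending
    code points; an empty list means the label passes this filter."""
    label = unicodedata.normalize("NFC", label)  # IDNA2008 requires NFC
    return [
        c for c in label
        if c != "-" and unicodedata.category(c)[0] in ("P", "S")
    ]


def client_flags(label):
    """Client-side check the message argues is still needed: letters that
    pass the protocol filter but visually resemble punctuation. Returns
    (code point, ASCII character it resembles) pairs."""
    label = unicodedata.normalize("NFC", label)
    return [(c, PUNCT_LOOKALIKES[c]) for c in label if c in PUNCT_LOOKALIKES]


def classify_hostname(hostname):
    """Run both checks over every label of a hostname. Each label maps to
    ("rejected", chars) if the protocol filter stops it, ("suspicious",
    chars) if only the client-side lookalike check fires, else ("ok", [])."""
    report = {}
    for label in hostname.split("."):
        rejected = protocol_reject(label)
        if rejected:
            report[label] = ("rejected", rejected)
            continue
        flagged = [c for c, _ in client_flags(label)]
        report[label] = ("suspicious", flagged) if flagged else ("ok", [])
    return report


if __name__ == "__main__":
    # Constructed sample hostnames (not real domains).
    samples = [
        "paypal\u00b7com.example",   # MIDDLE DOT posing as a label separator
        "ex\u2010ample.example",     # U+2010 HYPHEN instead of hyphen-minus
        "secure\u30cebank.example",  # KATAKANA NO looking like a slash
        "my\u30fcsite.example",      # prolonged sound mark looking like a dash
        "plain-site.example",        # ordinary label with ASCII hyphen
    ]
    for host in samples:
        for label, (status, chars) in classify_hostname(host).items():
            names = [unicodedata.name(c, "?") for c in chars]
            print(f"{host:28} {label!r:22} {status:10} {names}")
```

Running the block shows the first two hostnames stopped by the punctuation filter alone, while the katakana and CJK cases sail through it and are caught only by the client-side table, which is the division of labour the message describes: the protocol provides a lever, the application still has to supply its own spoof check.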