
Re: option to disallow IDN ?

From: Dan Fandrich via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 16 Dec 2022 11:19:50 -0800

On Fri, Dec 16, 2022 at 01:18:12PM -0500, Timothe Litt via curl-library wrote:
> And/or the callback registration could specify "all domain names", "Just IDN" -

The browsers (at least Firefox) do something subtle but pretty useful for
avoiding spoofing. Based on the name registration policies of the TLD being
used, they either show the IDN as expected in the URL bar, or just show the
ugly punycode version of the name. TLDs with policies that forbid names that
could lead to confusion (homographic attacks) get the desired behaviour (of
seeing the IDN name) but those without policies, or with policies that could
lead to confusion get the punycode version, making it obvious that some
spoofing may have gone on to get you to that web page. Mozilla's original
policy can be seen here:
https://www-archive.mozilla.org/projects/security/tld-idn-policy-list

They've amended that policy since to allow displaying IDN in some cases even on
those TLDs with bad or nonexistent policies. This only happens if all the
characters in the TLD come from the same script. If a TLD mixes, for example,
Cyrillic and Latin characters, it's displayed as punycode, but all Cyrillic is
shown in all its UNICODE glory. The idea is that people (who can read that
script) will recognize the different characters within that script and be able
to tell them apart, and there won't be any mixing of similar-looking characters
within a single domain name. That policy can be seen at
https://wiki.mozilla.org/IDN_Display_Algorithm

Lots of thought has been given to this problem already (Mozilla seems to have
implemented the first policy 17 years ago), and curl could take advantage of
that. But, since it's not a browser it can't use the same means of notifying
the user (displaying punycode in the URL bar), but some viable alternatives
to that have already been brought up here.

Dan
-- 
Unsubscribe: https://lists.haxx.se/listinfo/curl-library
Etiquette:   https://curl.se/mail/etiquette.html
Received on 2022-12-16
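The two display rules Dan describes (show Unicode when the TLD's registry forbids confusable names, otherwise show Unicode only when every label is drawn from a single script and fall back to punycode when scripts are mixed) can be sketched in a few lines. The following is an added example, not curl code and not part of the post: the TLD allowlist is a constructed stand-in, the script of a character is approximated from the first word of its Unicode name (so "LATIN", "CYRILLIC", "CJK"), and the real Mozilla algorithm linked above is more permissive (it allows, for instance, Han mixed with Hiragana and Katakana) and carries extra confusable checks that are left out here.

```python
import unicodedata

# Constructed subset of a registry allowlist: TLDs whose policies forbid
# confusable names. The real list is Mozilla's, not this one.
TRUSTED_TLDS = {"de", "jp", "se"}


def script_of(ch):
    """Approximate the script of a letter from its Unicode name (assumption:
    the first word of the name, e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC').
    Digits, hyphens and combining marks get None and are ignored."""
    if not unicodedata.category(ch).startswith("L"):
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def decode_label(label):
    """Turn an 'xn--' label back into Unicode; plain labels pass through."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def punycode_label(label):
    """Encode a Unicode label as an A-label; ASCII labels are unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def single_script(label):
    """True when every letter in the label belongs to one script."""
    scripts = {s for s in (script_of(c) for c in label) if s}
    return len(scripts) <= 1


def display_hostname(hostname, trusted_tlds=TRUSTED_TLDS):
    """Return (string_to_show, 'unicode' | 'punycode') for a hostname.

    Rule 1: a TLD on the trusted list is shown in Unicode as-is.
    Rule 2: otherwise Unicode is shown only if every label is single-script;
            any mixed-script label sends the whole name to punycode.
    Undecodable 'xn--' input is shown as punycode (fail safe, not open)."""
    try:
        labels = [decode_label(l) for l in hostname.lower().split(".")]
    except UnicodeError:
        return hostname.lower(), "punycode"
    tld = labels[-1]
    if tld in trusted_tlds or all(single_script(l) for l in labels):
        return ".".join(labels), "unicode"
    return ".".join(punycode_label(l) for l in labels), "punycode"


if __name__ == "__main__":
    # Constructed inputs: all-Latin, all-Cyrillic, and Latin with one Cyrillic 'а'.
    for name in ("curl.se", "bücher.example", "пример.example", "p\u0430ypal.example"):
        print(name, "->", display_hostname(name))
```

Used as a pre-display filter in a non-browser tool, the second element of the tuple is the signal an application would act on (refuse, warn, or log) in place of the browser's URL-bar punycode cue.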