
SANS ISC: IDN ccTLDs - Internet Security | DShield SANS ISC InfoSec Forums


IDN ccTLDs

Two days ago, ICANN authorized the introduction of country code top level domains (ccTLDs) using character sets other than the Latin a-z alphabet. This is no earth-shattering change: we have had Internationalized Domain Names (IDNs) using Greek, Cyrillic, Chinese and other character sets for several years. The only change is that now the top level domain (the rightmost portion of a domain name) can also be written in characters other than A-Z.

From a security point of view, things might still get "interesting". Back when IDNs were originally introduced, look-alike domain names and even SSL connections could be credibly faked. Some web servers, firewalls and IDS products also had huge gaping holes as a result of applying their security checks only in ASCII-land and ignoring Unicode completely. Keep in mind that IDNA encodes non-ASCII labels into ASCII "xn--" Punycode before they ever reach DNS, so the exposure is in the layers that handle the Unicode form: what the browser shows the user, and what a server or filter does with a Unicode hostname before (or instead of) encoding it. The past ten years of experience with IDNs have brought the problem reasonably under control, and expanding IDNs to include top level domains shouldn't be a big deal. But since we all know how software gets "fixed", chances are that history will repeat itself, and we will soon read of a web server that readily divulges application source code when hit with a TLD in Cyrillic...

Daniel

367 Posts
ISC Handler
What's to stop us from following a link to yаhоо.соm when we meant to go to yahoo.com? If your browser doesn't do Cyrillic, or if the upload mangles it, the "a" and "oo.co" in the first domain name are not ASCII, but Cyrillic look-alikes. Okay, there isn't a .**m TLD, but you see the problem: there is a disconnection between how you interpret the on-screen glyph and how the computer interprets the character encoding, which makes it seem over-ripe for phishing.
Hal

50 Posts
Hopefully the browser developers will add options for filtering or tagging IDN URIs, especially if they mix ASCII and non-Latin glyphs.
John Hardin

62 Posts
Time for companies to start looking at the permutations of their trademarks using these many new and similar characters...
hacks4pancakes

48 Posts
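The look-alike that Hal describes, the mixed-script tagging John Hardin asks browsers for, and the trademark-permutation check hacks4pancakes suggests all come down to the same handful of operations, shown here as an added example that is not code from the diary or any of its commenters. It uses only the Python standard library. The confusable map is a hand-picked Cyrillic-to-Latin subset (an assumption: it is nowhere near Unicode's full confusables data), `SAMPLE` is a constructed hostname, and `display_form()` is a deliberately simplified policy rather than any real browser's algorithm.

```python
"""Flag IDN look-alike hostnames: per-label script mixing, ACE (Punycode) form,
and a skeleton built from a small confusable map.

Added example, not code from the ISC diary or its commenters. The confusable
map is a hand-picked Cyrillic-to-Latin subset (assumption: not Unicode's full
confusables.txt) and display_form() is a simplified policy, not any browser's.
"""
import unicodedata

# Constructed subset of Cyrillic letters whose lowercase glyphs are usually
# indistinguishable from Latin ones in ordinary fonts.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}

SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "CJK", "HIRAGANA", "KATAKANA", "HANGUL")


def script_of(ch):
    """Approximate a letter's script from the prefix of its Unicode name."""
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def label_scripts(label):
    """Scripts used by the letters of one label; digits and '-' are ignored."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def to_ace(label):
    """ACE form that actually goes on the wire; ASCII labels are unchanged.

    Python's 'idna' codec applies nameprep (case folding, NFKC) and then
    Punycode, so the result is what a resolver would look up."""
    return label.encode("idna").decode("ascii")


def skeleton(hostname):
    """Collapse confusables to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def analyse(hostname):
    """Per-label report: ACE form, scripts present, and whether they mix."""
    report = []
    for label in hostname.split("."):
        scripts = label_scripts(label)
        report.append({
            "label": label,
            "ace": to_ace(label),
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return report


def looks_like(hostname, target):
    """True when hostname is not target but collapses to it under the map."""
    return hostname != target and skeleton(hostname) == target


def display_form(hostname):
    """Simplified display rule (assumption): show Unicode only when no label
    mixes scripts; otherwise show the whole name in its ACE form so the user
    sees 'xn--' instead of a convincing look-alike."""
    report = analyse(hostname)
    if any(entry["mixed"] for entry in report):
        return ".".join(entry["ace"] for entry in report)
    return hostname


# Constructed sample: y, h and m are Latin; a, o, o, c and o are Cyrillic.
SAMPLE = "y\u0430h\u043e\u043e.\u0441\u043em"

if __name__ == "__main__":
    for entry in analyse(SAMPLE):
        print(entry)
    print("skeleton :", skeleton(SAMPLE))
    print("looks like yahoo.com:", looks_like(SAMPLE, "yahoo.com"))
    print("display  :", display_form(SAMPLE))
```

Two caveats worth keeping in mind when turning this into a real check. Script mixing alone misses whole-script confusables (a label written entirely in Cyrillic can still spell a Latin brand), which is why the skeleton comparison is a separate test; conversely, a legitimate all-Cyrillic name under an all-Cyrillic ccTLD is not mixed and should not be penalised. And Python's built-in `idna` codec implements IDNA2003; production code should use an IDNA2008/UTS 46 library and Unicode's published confusables data rather than a ten-entry map.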
