Two days ago, ICANN authorized the introduction of country code top level domains (ccTLDs) using character sets other than the Latin a-z alphabet. This is no earth-shattering change - we have had Internationalized Domain Names (IDNs) using Greek, Cyrillic, Chinese, etc. character sets for several years. The only change is that now the top level domain (the rightmost portion of a domain name) can also be written in characters other than A-Z.

From a security point of view, things might still get "interesting". Back when the IDNs were originally introduced, look-alike domain names and even SSL connections could be credibly faked. Some web servers, firewalls and IDS products also had huge gaping holes as a result of applying their security checks only in ASCII-Land, and ignoring Unicode completely.

The past ten years of experience with IDNs have brought the problem reasonably under control, and expanding the IDNs to include top level domains shouldn't be a big deal. But since we all know how software gets "fixed", chances are still that history will repeat itself, and we will soon read of a web server that readily divulges application source code when hit with a TLD in Cyrillic...
Daniel 385 Posts ISC Handler Nov 2nd 2009
What's to stop us from following a link to yаhоо.соm when we meant to go to yahoo.com? If your browser doesn't do Cyrillic, or if the upload mangles it, the "a" and "oo.co" in the first domain name are not ASCII, but Cyrillic look-alikes. Okay, there isn't a .**m TLD, but you see the problem -- there is a disconnection between how you interpret the on-screen glyph and how the computer interprets the character encoding, which makes it seem over-ripe for phishing.
Hal 50 Posts
Nov 2nd 2009 1 decade ago
Hopefully the browser developers will add options for filtering or tagging IDN URIs, especially if they are mixed ASCII and non-Latin glyphs.
John Hardin 62 Posts
Nov 3rd 2009 1 decade ago
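The kind of tagging the two comments above describe, as an added example that is not part of the original thread: it splits a hostname into labels, names the Unicode script of each character, flags labels that mix scripts, and shows the ASCII (`xn--`) form a resolver actually sees. The function names are hypothetical, the sample hostnames are constructed, and the script is approximated by the first word of the Unicode character name.

```python
import unicodedata


def label_scripts(label):
    """Return the set of scripts used in one DNS label.

    Digits and '-' are shared by all scripts and are ignored. The script
    is approximated by the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, CJK, ...), which is an assumption of this
    example, not a full Unicode Script property lookup.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def audit_hostname(host):
    """Per label: Unicode form, ASCII (punycode) form, scripts, mixed flag."""
    results = []
    for label in host.lower().split("."):
        scripts = label_scripts(label)
        results.append({
            "label": label,
            # Python's built-in codec implements IDNA 2003 ToASCII.
            "ascii": label.encode("idna").decode("ascii"),
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return results


if __name__ == "__main__":
    # Constructed samples: plain ASCII, the look-alike from the comment
    # above written with explicit escapes, and an all-Cyrillic name.
    samples = [
        "yahoo.com",
        "y\u0430h\u043e\u043e.\u0441\u043em",
        "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444",
    ]
    for host in samples:
        for row in audit_hostname(host):
            tag = "MIXED-SCRIPT" if row["mixed"] else "ok"
            print(f'{row["ascii"]:<24} {",".join(row["scripts"]):<16} {tag}')
```

A label written entirely in one non-Latin script passes this check, so a whole-script look-alike needs a confusables comparison on top of it.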
Time for companies to start looking at the permutations of their trademarks using these many new and similar characters...
hacks4pancakes 48 Posts
Nov 5th 2009 1 decade ago