Attack vectors through Unassigned Code Points in IDN

From: Chris Weber (chris@casabasecurity.com)
Date: Tue Mar 17 2009 - 23:05:55 CST


    If I’m reading RFC 3491 correctly, then IDNA allows for unassigned code points to exist in strings and domain names. This makes spoofing attacks possible when these code points don’t have associated glyphs and basically show up as white space. This seems to be the case with some ranges like U+115A..U+115E under. In this case the following URL provides an attack vector in Firefox, because the domain nottrusted.org gets pushed way out of view in the Address Bar.

     

    https://www.google.comᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚ.phreedom.org/

     

     

    My question is – was this the intended behavior of IDNA to allow unassigned code points in IDN? Or is this more related to a font rendering issue?

     

    7. Unassigned Code Points in Internationalized Domain Names

       If the processing in [IDNA] specifies that a list of unassigned code
       points be used, the system uses table A.1 from [STRINGPREP] as its
       list of unassigned code points.

     

    Thanks,

    -Chris

     



    This archive was generated by hypermail 2.1.5 : Tue Mar 17 2009 - 23:09:34 CST
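
As an added example that is not part of the original message: a check that flags host labels containing code points from table A.1 of [STRINGPREP], the list the quoted RFC 3491 section refers to, so a client or registry can refuse to display or store such a name. It uses Python's standard `stringprep` module; the function names and the sample host are assumptions made for illustration.

```python
import stringprep  # standard library; tables follow RFC 3454 (fixed at Unicode 3.2)

ACE_PREFIX = "xn--"

def decode_label(label):
    """Return the Unicode form of one label, decoding Punycode for ACE labels."""
    if label.lower().startswith(ACE_PREFIX):
        try:
            return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # malformed ACE label: inspect the raw text instead
    return label

def unassigned_code_points(host):
    """List (label_index, char_offset, 'U+XXXX') for every table A.1 code point."""
    findings = []
    for i, raw in enumerate(host.rstrip(".").split(".")):
        for j, ch in enumerate(decode_label(raw)):
            if stringprep.in_table_a1(ch):  # unassigned in Unicode 3.2
                findings.append((i, j, "U+%04X" % ord(ch)))
    return findings

def acceptable_for_display(host):
    """True only when no label carries an unassigned code point."""
    return not unassigned_code_points(host)

# Constructed sample: a familiar-looking prefix padded with U+115A inside one
# label, followed by the registrable domain that actually controls the name.
SAMPLE = "www.example.com" + "\u115a" * 3 + ".example.net"

if __name__ == "__main__":
    for host in ("www.example.com", "b\u00fccher.example", SAMPLE):
        hits = unassigned_code_points(host)
        verdict = "ok" if not hits else "reject %s" % hits
        print("%r: %s" % (host, verdict))
```

Because table A.1 is frozen at Unicode 3.2, this answers the protocol question (is the code point unassigned as far as IDNA is concerned), not whether a given font has a glyph for it.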