From: Simon Montagu (firstname.lastname@example.org)
Date: Wed Mar 18 2009 - 13:57:02 CST
This is indeed a Firefox bug, and will be fixed. The plan is to display
IRIs containing unassigned code points in punycode, as Firefox does for
other cases prohibited by IDNA.
On 03/18/2009 07:00 PM, Shawn Steele (???) wrote:
> (speaking as myself)
> Sounds like a Firefox bug. Unassigned code points should cause an error
> since they aren’t assigned. If they were dropped, then at the least,
> the shortened name should show up in the address bar.
> For most users this probably doesn’t matter much since you can easily
> contrive URLs that look real at a quick glance or to someone not
> familiar with URLs, eg: https://www.google.com.secure.net would fool
> many users.
> *From:* email@example.com [mailto:firstname.lastname@example.org]
> *On Behalf Of *Chris Weber
> *Sent:* Pōʻ, Malaki 17, 2009 10:06 PM
> *To:* email@example.com
> *Subject:* Attack vectors through Unassigned Code Points in IDN
> In I’m reading RFC 3491 correctly, then IDNA allows for unassigned code
> points to exist in strings and domain names. This makes spoofing attacks
> possible when one these code points don’t have associated glyphs and
> basically show up as white space. This seems to be the case with some
> ranges like U+115A..U+115E under. In this case the following URL
> provides an attack vector in Firefox, because the domain nottrusted.org
> gets pushed way out of view in the Address Bar.
> https://www.google.comᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚ.phreedom.org/ <https://www.google.comᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚᅚ.phreedom.org
> My question is – was this the intended behavior of IDNA to allow
> unassigned code points in IDN? Or is this more related to a font
> rendering issue?
> 7. Unassigned Code Points in Internationalized Domain Names
> If the processing in [IDNA] specifies that a list of unassigned code
> points be used, the system uses table A.1 from [STRINGPREP] as its
> list of unassigned code points.
This archive was generated by hypermail 2.1.5 : Wed Mar 18 2009 - 13:59:24 CST