Re: Attack vectors through Unassigned Code Points in IDN

From: Simon Montagu (
Date: Wed Mar 18 2009 - 14:18:09 CST

  • Next message: Mark Davis: "Re: Attack vectors through Unassigned Code Points in IDN"

    On 03/18/2009 08:42 PM, John H. Jenkins wrote:
    > On Mar 17, 2009, at 11:05 PM, Chris Weber wrote:
    >> In Iím reading RFC 3491 correctly, then IDNA allows for unassigned
    >> code points to exist in strings and domain names. This makes spoofing
    >> attacks possible when one these code points donít have associated
    >> glyphs and basically show up as white space.
    > If a system has no font that will cover a certain character, it should
    > not be showing white space. Typically you'll see boxes of some sort,
    > which is the better thing to do, as it lets the user know that there's
    > something there.

    Normally Firefox displays the hexadecimal code point in a box for
    characters with no font coverage, but apparently there are fonts on
    Vista (batang.ttc and gulim.ttc) that have blank glyphs defined for

    This archive was generated by hypermail 2.1.5 : Wed Mar 18 2009 - 14:20:27 CST