[Pkg-kde-bugs-fwd] [Bug 98788] Possible solution to IDN domain spoofing/phishing

Thiago Macieira 98788@bugs.kde.org
19 Feb 2005 16:34:00 -0000


http://bugs.kde.org/show_bug.cgi?id=98788         




------- Additional Comments From thiago kde org  2005-02-19 17:33 -------
Mozilla people have taken this approach:

https://bugzilla.mozilla.org/show_bug.cgi?id=282270 - short-term solution, for the next releases, until the bug is properly fixed. This would equate to my idea of disabling ToUnicode or IDNA completely.

https://bugzilla.mozilla.org/show_bug.cgi?id=279099 - long-term solution: find a way to detect phishing and scams.

The 279099 bug has this on comment 135: "Most domain registrars have been correctly implementing the guidelines for avoiding IDN-related spoofing problems. [...] Unfortunately, there are a few rather large exceptions to this - .com being one. So, the suggestion is to have a blacklist of those TLDs, and display the IDN in raw punycode form throughout the UI until such time as the registrars get their act together."

(punycode = the encoding used by ToASCII in order to produce the ACE form)

So, in essence, we would:
1) keep IDNA enabled
2) disable ToUnicode for domains with length(TLD) > 2, plus exceptions like .cc or .nu

They are also working on other approaches.
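
The two-step rule summarised in the message above, as an added example that is not part of the original message and is not KDE or Mozilla code. The function names and the sample host names are assumptions made for illustration, and Python's built-in `idna` codec (IDNA 2003) stands in for ToASCII/ToUnicode:

```python
# Added illustration (hypothetical names; not KDE or Mozilla code).
# Python's built-in "idna" codec implements IDNA 2003 ToASCII/ToUnicode.

# Two-letter TLDs the message names as exceptions (the list is open-ended there).
RAW_ACE_TLDS = {"cc", "nu"}


def unicode_display_allowed(tld: str) -> bool:
    """ToUnicode is disabled when length(TLD) > 2 or the TLD is a listed exception."""
    tld = tld.lower()
    return len(tld) <= 2 and tld not in RAW_ACE_TLDS


def to_ascii(host: str) -> str:
    """Step 1: IDNA stays enabled, so every host is still converted to ACE form."""
    return host.encode("idna").decode("ascii").lower()


def display_host(host: str) -> str:
    """Step 2: pick the form shown in the UI for a host name."""
    ace = to_ascii(host)
    tld = ace.rstrip(".").rsplit(".", 1)[-1]
    if not unicode_display_allowed(tld):
        return ace  # raw punycode, so look-alike letters show up as xn--
    try:
        return ace.encode("ascii").decode("idna")
    except UnicodeError:
        return ace  # undecodable label: keep the ACE form


if __name__ == "__main__":
    # Constructed sample hosts; U+0430 is Cyrillic "a".
    for sample in ("xn--bcher-kva.de", "bücher.com", "bücher.nu",
                   "p\u0430ypal.com", "www.kde.org"):
        print(f"{to_ascii(sample):28} -> {display_host(sample)}")
```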