« Opera releases update for 'extremely severe' vulns | Main | SUN Fixes GIFARs »

Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing

"Internationalized Resource Identifiers (IRI’s) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset of ASCII characters - mainly lower and upper case letters, numbers, and some punctuation. IRI’s were forecasted many years ago by Martin Dürst and Michel Suignard, and formalized in RFC 3987. IRI’s bring Unicode to the domain name world, allowing for people to register domain names in their native language, rather than being forced to use English.

It was apparent long ago that spoofing attacks would be a huge deal, and we’d need a system to deal with the problem. Anti-spoofing protections are sort of built in to the specifications, with Nameprep, Stringprep and Punycode primarily.  Nameprep is actually considered to be a profile of Stringprep.  In other words, Stringprep defines all the nitty gritty details available, and Nameprep creates a profile of a subset of those details which should be used when handling IDN’s.  Whew, let’s pause for a deep breath."

Read more: http://www.lookout.net/2008/12/16/unicode-attacks-and-test-cases-idn-and-iri-display-normalization-and-anti-spoofing/


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!