Presentation on theme: "Director of Data Communications"— Presentation transcript:

1 Director of Data Communications
IDN Security Issues and Solutions. Dr. Ibaa Oueichek, Director of Data Communications, STE. IDN Security 17/5/2006

2 Visual Security Issues
Visually confusable strings: two different strings of Unicode characters whose appearance in common fonts, at small sizes and screen resolutions, is close enough that people easily mistake one for the other. Example: paypal.com and paypa1.com (and this is pure ASCII).
Homographs: a special kind of visual confusable. Two different strings that can always be represented by the same sequence of glyphs. For example, "AB" in Latin and "AB" in Greek are homographs.

3 IDN: what does IDN have to do with this?
IDN is such a *GREAT* idea, because it allows users to write domain names in their native language instead of English. IDN is also a *GREAT* idea for spoofers and deceivers: it gives them the whole set of Unicode characters to play with.

4 How serious is it?
Early alert: in December 2002 RFC 3454 explicitly warns about the problems of "similar-looking characters" and suggests that "user applications can help disambiguate some similar-looking characters by showing the user when a string changes between scripts".
In February 2005 xn--pypal-4ve.com is registered by The Shmoo Group.

5 Example
You get an e-mail about your paypal.com account and click on the link. You carefully examine your browser's address box to make sure that it is actually going to paypal.com. But actually it is going to a spoof site: "paypal.com" with the Cyrillic letter "p". You think that they are the same, but DNS thinks they are different.

6 More examples
Cross-script: p in Latin vs p in Cyrillic.
In-script sequences: rn may appear at display sizes like m.
Rendering support: ä with two umlauts may look the same as ä with one; el is actually e + l.

7 Definitions
Single-script confusable: spoofing characters are within one script, or use characters common across scripts (such as numbers). Examples: a-b and a-b (U+210 hyphen); dze and dze (U+02A3 digraph); 101 is NOT one zero one, but binary 5!!

8 Definitions
Mixed-script confusable: spoofing characters come from more than one script, and the string is not a single-script confusable. Examples: paypal (ASCII) and paypal (with U+0430, Cyrillic); top (ASCII) and top (with U+03BF, Greek).

9 Definitions
Whole-script confusable: mixed-script confusables where each of the strings is entirely in one script, and both look identical. Examples: caxap in Latin and caxap in Cyrillic; scope in Latin and scope in Cyrillic.

10 More bad ideas
Syntax spoofing: examples directing us to bad.com (beware of U+2044 Fraction Slash; beware of missing fonts rendered as question marks).

11 Quick conclusion
It is a disaster; we opened a can of worms with IDN. Let us drop support of IDN (Mozilla?). Or maybe not; maybe we should ask "the bodies" for a solution. Good question: WHO are the bodies?

12 Interested parties
ICANN: update to the IDN guidelines (v2).
ITU-T Study Group 17.
IETF: individual drafts.
IAB: a special committee.
Unicode Consortium: TR #36, Unicode Security Considerations.

13 UTR #36: Security Recommendations
General security issues (not just IDN). V1 approved mid-2005; V2 in progress. Describes the problems and recommends best practices for users, programmers, user agents (browsers, e-mail clients, office apps), registries and registrars.

14 Restriction Levels as defined in TR36
L1: ASCII only.
L2: Highly restrictive, all characters from a single script, with a few DEFINED exceptions.
L3: Moderately restrictive, all Latin and other scripts EXCEPT Cyrillic, Greek, Cherokee.
L4: Minimally restrictive, free mixing of scripts allowed.
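As an added example, not part of the presentation, a small Python script that applies the confusable classes of slides 7 to 9 and the restriction levels of slide 14 to domain labels, and decodes the xn--pypal-4ve.com name from slide 4 back to Unicode. The script-range table and the confusable map are constructed, simplified stand-ins for the Unicode Scripts.txt and confusables.txt data, and the function names are my own.

```python
import unicodedata

# Simplified script lookup by code point range. Assumption: a real checker
# would use the Unicode Scripts.txt data, which the stdlib does not expose.
SCRIPT_RANGES = [(0x41, 0x7A, "Latin"), (0xC0, 0x24F, "Latin"),
                 (0x370, 0x3FF, "Greek"), (0x400, 0x4FF, "Cyrillic"),
                 (0x13A0, 0x13FF, "Cherokee")]
# Constructed subset of TR36-style confusable mappings (character -> skeleton).
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u043e": "o", "\u0441": "c",
               "\u0445": "x", "\u0435": "e", "\u03bf": "o", "1": "l"}

def script_of(ch):
    """Script of one character; digits, '-', '.' and combining marks are Common."""
    if ch.isdigit() or ch in "-." or unicodedata.combining(ch):
        return "Common"
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= ord(ch) <= hi:
            return name
    return "Other"

def scripts(label):
    """Set of non-Common scripts used in a label."""
    return {script_of(c) for c in label} - {"Common"}

def skeleton(label):
    """Look-alike canonical form: NFKD, map confusables, fold 'rn' to 'm'."""
    folded = "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKD", label))
    return folded.replace("rn", "m")

def classify(a, b):
    """TR36 confusable class of a label pair (slides 7-9), or None if distinct."""
    if a == b or skeleton(a) != skeleton(b):
        return None
    sa, sb = scripts(a), scripts(b)
    if len(sa) <= 1 and len(sb) <= 1:
        return "single-script" if sa == sb else "whole-script"
    return "mixed-script"

def restriction_level(label):
    """Lowest TR36 restriction level L1-L4 (slide 14) that admits the label."""
    if label.isascii():
        return 1
    used = scripts(label)
    if len(used) <= 1:
        return 2
    return 3 if not used & {"Cyrillic", "Greek", "Cherokee"} else 4

def decode_alabel(name):
    """Convert an xn-- (Punycode) domain name back to its Unicode form."""
    return name.encode("ascii").decode("idna")
```

A registry or browser would run the decoded label through `restriction_level` before accepting or displaying it; the Shmoo domain lands at L4, which levels L1 to L3 all reject.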

15 ICANN guidelines v2
Three new guidelines:
Number 3: registration within a single script, very complex.
Number 4: permissible code points (legal characters).
Number 5: limitations on hyphens, because they are used as escape characters in Punycode.

16 Comments on ICANN guidelines
Well thought out in general, but almost impossible to enforce. Several registrars already register "broken" IDN names. Most of the effort should concentrate on enforcement rules and monitoring, which is somewhat difficult with about 400 MILLION DNS records in the world.

17 Conclusion
IDN has added a serious threat for Internet users. Several solutions have been suggested, including proposals from ICANN, the IETF and the Unicode forum. Our opinion is that this threat should NOT be used as an excuse to hinder IDN development, and ESPECIALLY IDN.IDN.

18 Thank you
Questions?
