<!--QuoteBegin-Mantrid+Feb 7 2005, 06:32 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Mantrid @ Feb 7 2005, 06:32 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-Rellix+Feb 7 2005, 03:07 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Rellix @ Feb 7 2005, 03:07 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-CForrester+Feb 7 2005, 10:16 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (CForrester @ Feb 7 2005, 10:16 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> I'm not saying that IE is superior to Firefox, but hopefully this will make some Firefox users (*coughAGOODPORTIONOFTHISFORUMcough*) realize that Firefox is not infallible. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> Still less holes than IE tho, giving us an edge most of the time.
Still eep. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> No, it has just as many holes as IE. It's just that people are more dedicated to finding the holes in IE, because that's what the majority of people use. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> I'm gonna go with this. Compare how long the two browsers have been out. People have been poring over IE much longer than Firefox... Of course if Windows gave two shits they'd be able to at least make an attempt to keep up with all the exploits and such, but that's a statement about the company more than the browser. Firefox has bugs, every program has bugs, it's inevitable. I'm fairly certain God himself didn't hand Firefox to some random dude and call it the Second Coming. <!--emo&:p--><img src='http://www.unknownworlds.com/forums/html/emoticons/tounge.gif' border='0' style='vertical-align:middle' alt='tounge.gif' /><!--endemo--> And if he did, it would've come with free cake. Because you can't have a party with Jesus without cake.
<!--QuoteBegin-Sky+Feb 8 2005, 07:25 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Sky @ Feb 8 2005, 07:25 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-Mantrid+Feb 7 2005, 06:32 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Mantrid @ Feb 7 2005, 06:32 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-Rellix+Feb 7 2005, 03:07 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Rellix @ Feb 7 2005, 03:07 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin-CForrester+Feb 7 2005, 10:16 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (CForrester @ Feb 7 2005, 10:16 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> I'm not saying that IE is superior to Firefox, but hopefully this will make some Firefox users (*coughAGOODPORTIONOFTHISFORUMcough*) realize that Firefox is not infallible. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> Still less holes than IE tho, giving us an edge most of the time.
Still eep. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> No, it has just as many holes as IE. It's just that people are more dedicated to finding the holes in IE, because that's what the majority of people use. <!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> I'm gonna go with this. Compare how long the two browsers have been out. People have been poring over IE much longer than Firefox... Of course if Windows gave two shits they'd be able to at least make an attempt to keep up with all the exploits and such, but that's a statement about the company more than the browser. Firefox has bugs, every program has bugs, it's inevitable. I'm fairly certain God himself didn't hand Firefox to some random dude and call it the Second Coming. <!--emo&:p--><img src='http://www.unknownworlds.com/forums/html/emoticons/tounge.gif' border='0' style='vertical-align:middle' alt='tounge.gif' /><!--endemo--> And if he did, it would've come with free cake. Because you can't have a party with Jesus without cake. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> <!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->And if he did, it would've come with free cake. Because you can't have a party with Jesus without cake.<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> And a whole keg of water.
Internet Explorer probably doesn't support international domain names.
<!--QuoteBegin-Hellfire3k+Feb 8 2005, 07:54 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (Hellfire3k @ Feb 8 2005, 07:54 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> Internet Explorer probably doesn't support international domain names. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> Actually it does, but only through plugins. And when using these plugins, it is vulnerable.
<!--QuoteBegin-SkulkBait+Feb 8 2005, 07:45 PM--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> (SkulkBait @ Feb 8 2005, 07:45 PM)</td></tr><tr><td id='QUOTE'><!--QuoteEBegin--> <!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->And if he did, it would've come with free cake. Because you can't have a party with Jesus without cake.<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd--> And a whole keg of water. <!--QuoteEnd--> </td></tr></table><div class='postcolor'> <!--QuoteEEnd--> You clever clever skulk you <!--emo&:D--><img src='http://www.unknownworlds.com/forums/html/emoticons/biggrin-fix.gif' border='0' style='vertical-align:middle' alt='biggrin-fix.gif' /><!--endemo-->
Comments
<!--QuoteBegin--></div><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->
From Firefox Bugzilla
After more analysis of the Unicode cross-reference tables, I can see that an
attempt to enumerate 100% of all possible homograph sets is probably not
feasible without massive effort (although making equivalence classes from the
crossrefs has found a great many). However, it has given me a lot more insight
into the problem.
Homographs are generally unpopular within a single writing system. On the other
hand, many simple symbols have been either re-used or re-invented in many
alphabets. So the secret of homograph spoofing is mixing languages and/or symbol
sets.
This proposal suggests a method for detecting language mixing.
However, there is not a 1:1 correspondence between writing systems and code
ranges. Some writing systems are split across a number of code ranges; others
use characters from other writing systems -- for example, both Cyrillic and
Japanese use the ASCII numerals. Nor is there a 1:1 mapping between writing
systems and languages; for example, Japanese uses four distinct writing systems.
However, we _should_ be able to map from _sets_ of code point ranges, some
per-character attributes, and one small set of special case characters, to the
plausibility of a DNS label.
So how about the following algorithm for a single label in a domain name:
1. Run the string through NAMEPREP.
2. If there are leading combining characters, reject as malformed.
3. Assign each character to a character range, according to the official Unicode
code point ranges; except that: characters 0123456789 and HYPHEN are special,
and go in a special range of their own.
4. If there are any characters from "blacklisted" code point ranges, reject the
string as suspicious. A blacklist is a powerful way of limiting spoofers' options.
5. If there are any other Unicode punctuation characters apart from HYPHEN,
reject as suspicious.
6. If there are any Unicode whitespace characters, reject as suspicious.
7. Now look at the set of character ranges used; are they compatible with a
single writing system/language set? This would consist either of one range and
optional ASCII digits + HYPHEN, or any of a number of hard-coded sets dealing
with cases such as Japanese and Chinese. If the set of ranges is not compatible
with a single script, reject the string as suspicious.
8. If all the tests above pass, return OK.
This would certainly raise the bar for spoofers to jump over quite
substantially, and would not be very code intensive; the script-lookup code is
tiny, and the number of special cases rather small, even when considering
obscure languages.
<!--QuoteEnd--></td></tr></table><div class='postcolor'><!--QuoteEEnd-->
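The eight-step label check quoted above, as an added Python sketch (not code from the Bugzilla comment or from Firefox). The block table is truncated to a few real Unicode blocks, and the blacklist, the multi-range sets and the handling of NAMEPREP failures and unlisted ranges are assumptions made for illustration.

```python
import unicodedata
from encodings.idna import nameprep  # stdlib NAMEPREP (RFC 3491)

# Constructed, truncated block table (real Unicode block boundaries).
BLOCKS = [
    (0x0000, 0x007F, "Basic Latin"), (0x0080, 0x00FF, "Latin-1 Supplement"),
    (0x0100, 0x017F, "Latin Extended-A"), (0x0250, 0x02AF, "IPA Extensions"),
    (0x0370, 0x03FF, "Greek and Coptic"), (0x0400, 0x04FF, "Cyrillic"),
    (0x3040, 0x309F, "Hiragana"), (0x30A0, 0x30FF, "Katakana"),
    (0x4E00, 0x9FFF, "CJK Unified Ideographs"),
]
SPECIAL = "DIGITS+HYPHEN"        # step 3: digits and hyphen get their own range
BLACKLIST = {"IPA Extensions"}   # assumption: example policy only
# Step 7 hard-coded sets (assumptions): writing systems spanning several ranges.
MULTI_RANGE_OK = [
    {"Basic Latin", "Latin-1 Supplement", "Latin Extended-A"},
    {"Hiragana", "Katakana", "CJK Unified Ideographs", "Basic Latin"},
]

def block_of(ch):
    if ch in "0123456789-":
        return SPECIAL
    cp = ord(ch)
    return next((n for lo, hi, n in BLOCKS if lo <= cp <= hi), "UNLISTED")

def check_label(label):
    """Return (verdict, reason) for one DNS label, following steps 1-8."""
    try:
        label = nameprep(label)                                    # step 1
    except UnicodeError:
        return ("malformed", "rejected by NAMEPREP")               # assumption
    if not label or unicodedata.category(label[0]).startswith("M"):
        return ("malformed", "empty or leading combining character")  # step 2
    ranges = {block_of(ch) for ch in label}                        # step 3
    if ranges & BLACKLIST:                                         # step 4
        return ("suspicious", "blacklisted range")
    for ch in label:
        cat = unicodedata.category(ch)
        if cat.startswith("P") and ch != "-":                      # step 5
            return ("suspicious", "punctuation")
        if cat.startswith("Z") or ch.isspace():                    # step 6
            return ("suspicious", "whitespace")
    scripts = ranges - {SPECIAL}
    if "UNLISTED" in scripts:            # the table above is truncated
        return ("suspicious", "range not in table")
    if len(scripts) > 1 and not any(scripts <= ok for ok in MULTI_RANGE_OK):
        return ("suspicious", "mixed ranges: " + ", ".join(sorted(scripts)))  # step 7
    return ("ok", "")                                              # step 8
```

A single Cyrillic letter inside an otherwise Latin label is caught at step 7, while an all-Cyrillic label or a kanji-plus-katakana label passes.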