Issue metadata
Sign in to add a comment
|
Security: URL spoofing
Reported by
rayyan...@gmail.com,
May 10 2017
|
||||||||||||||||||||||||||
Issue descriptionhttp://xn--gmal-nza.com/ --> Look alike of gmail.com "http://gmaıl.com" --> Doesn't convert it into the punnycode.
,
May 11 2017
,
May 11 2017
The character in question is U+0131 LATIN SMALL LETTER DOTLESS I. Another near-homoglyph case; all the letters are technically Latin so allowed.
,
May 11 2017
1) http://xn--at-loa.com/ --> (U+210F) is this allowed? 2) http://νυ.com ( http://xn--yxaq.com/ ) --> When combined with normal letters; it does convert it into punnycode and when purely written in this form, it doesn't convert it. Ps. I'll be writing similar issues in this issue only unless the issue is confirmed. (instead of opening a new case again and again); though after confirmation of the bug; I'll open a new respective issue regarding it. (I hope you won't mind)
,
May 12 2017
> 1) http://xn--at-loa.com/ --> (U+210F) is this allowed? (Note: That's actually U+0127 LATIN SMALL LETTER H WITH STROKE, which is what the IDNA algorithm automatically converts U+210F PLANCK CONSTANT OVER TWO PI to.) Yes, this is allowed. This is basically the same case as Issue 703750 : a Latin character similar in appearance to an ASCII character (in this case having a bar over it). This one is fairly noticeable, moreso than those with dots added or removed. > 2) http://νυ.com ( http://xn--yxaq.com/ ) --> When combined with normal > letters; it does convert it into punnycode and when purely written in this > form, it doesn't convert it. This is U+0B3D GREEK SMALL LETTER NU + U+03C5 GREEK SMALL LETTER UPSILON. This is an example of a whole-script confusable as discussed in Issue 683314 . That one was Cyrillic, this one is Greek. I'm not sure if we have a bug specifically for Greek, but we are aware of the high-level issue here. We put in a fix for Cyrillic (to ban domains that are all-Latin-lookalikes on an ASCII TLD), but I don't think we've implemented a fix for other scripts yet. A similar policy applied to Greek would catch νυ.com. jshin@ is there a reason we didn't apply the same logic to Greek? > Ps. I'll be writing similar issues in this issue only unless the issue is > confirmed. (instead of opening a new case again and again); though after > confirmation of the bug; I'll open a new respective issue regarding it. We don't need you to report all of these combinations. We are aware that our IDN domain blacklisting isn't perfect and are having discussions along these two lines. There is no need to report: - Latin letters that look similar to ASCII letters ( Issue 703750 ). - Full words in another script (e.g., Cyrillic or Greek) that look like ASCII words ( Issue 683314 ). If you do want to discuss these, please use the above bugs, as this one is closed.
,
Aug 17 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Oct 19
|
|||||||||||||||||||||||||||
►
Sign in to add a comment |
|||||||||||||||||||||||||||
Comment 1 by aarya@google.com
, May 10 2017Labels: Security_Severity-Medium Security_Impact-Stable OS-All Pri-1
Owner: js...@chromium.org
Status: Assigned (was: Unconfirmed)