Issue metadata
Security: Mixed-script confusable domain label spoofing (Ethiopic + Latin)
Reported by jackwill...@gmail.com, May 29 2017
Issue description

VERSION
Chrome Version: 58.0.3029.110
Operating System: Windows 7

REPRODUCTION CASE
E.g.
- http://ሃoutube.com
- https://my.ከrw.com
May 31 2017
This is U+1203 ETHIOPIC SYLLABLE HAA + "outube", and U+12A8 ETHIOPIC SYLLABLE KA + "rw". This isn't a whole-script confusable; it's mixed-script because Ethiopic letters are being combined with Latin in the same label. It isn't being displayed in Punycode. jshin why is this allowed at all?
May 31 2017
Seems similar to Issue 719199 but for Ethiopic.
May 31 2017
You cannot register this name in any Verisign controlled TLDs. Verisign does not allow mixing Ethiopic (or any non-Latin script) and Latin. [1] And, I doubt that there is any ccTLD allowing mixture of Latin and Ethiopic. Moreover, it seems to be a bit of a stretch to call ሃoutube.com confusable with youtube.com. See bug 726950.

[1] https://www.verisign.com/assets/idn/idn-ethiopic.html
https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-policy/registration-rules/index.xhtml

> if an IDN contains code points from two or more Unicode scripts, then that IDN registration is rejected. For example, a character from the Latin script cannot be used in the same IDN with any Cyrillic character. All code points within an IDN must come from the same Unicode script. This is done to prevent confusable code points from appearing in the same IDN.
Jun 1 2017
We shouldn't rely on domain-name policy (defense in depth, plus we know domain name registrars often do not uphold their own policies). If we consider mixing Latin and non-Latin characters to be a spoofing risk, we should demote it to Punycode. If this in fact is the registrar policy, then it shouldn't affect any legitimate sites but would be a worthwhile security precaution. I agree that "ሃoutube" isn't particularly confusable with "youtube". Nevertheless, I thought we had a blanket rule that any domain label with characters from two or more scripts would be Punycoded...?
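As an added illustration of the rule this comment proposes (example code written here, not Chromium's own implementation): a minimal check that flags a label drawing letters from two or more scripts and shows that label in Punycode, leaving single-script labels in Unicode. Script assignment uses hand-listed Unicode block ranges as a stand-in for the real Unicode Script property; whole-script confusables (the separate case referred to by bug 726950) are outside its scope.

```python
import unicodedata

# Script assignment by code-point block (assumption: these ranges stand in for the
# Unicode Script property). Letters outside the listed blocks count as "Unknown",
# which still registers as a second script.
SCRIPT_RANGES = [
    (0x0041, 0x005A, "Latin"), (0x0061, 0x007A, "Latin"),
    (0x00C0, 0x024F, "Latin"),      # Latin-1 Supplement letters, Latin Extended-A/B
    (0x0370, 0x03FF, "Greek"),
    (0x0400, 0x04FF, "Cyrillic"),
    (0x1200, 0x139F, "Ethiopic"),   # Ethiopic and Ethiopic Supplement
    (0x2D80, 0x2DDF, "Ethiopic"),   # Ethiopic Extended
    (0xAB00, 0xAB2F, "Ethiopic"),   # Ethiopic Extended-A
]


def script_of(ch: str) -> str:
    """Script name for one character; non-letters (digits, hyphen, punctuation) are Common."""
    if not unicodedata.category(ch).startswith("L"):
        return "Common"
    cp = ord(ch)
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Unknown"


def scripts_in_label(label: str) -> set:
    """Scripts used by one domain label, ignoring Common characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def is_mixed_script(label: str) -> bool:
    """True when a single label mixes letters from two or more scripts (e.g. Ethiopic + Latin)."""
    return len(scripts_in_label(label)) > 1


def to_punycode(label: str) -> str:
    """A-label (xn--...) form of a Unicode label; ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def display_hostname(hostname: str) -> str:
    """Hostname as a browser applying a 'demote mixed-script labels' rule would show it.
    Each label is judged on its own: mixed-script labels are shown in Punycode,
    single-script labels (all-Latin, all-Ethiopic, ...) stay in Unicode."""
    labels = hostname.lower().split(".")
    return ".".join(to_punycode(l) if is_mixed_script(l) else l for l in labels)
```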
Jun 1 2017
> I thought we had a blanket rule that any domain label with characters from two or more scripts would be Punycoded...?

See bug 726950
Jun 6 2017
Tentatively assigning medium severity. If anyone disagrees, feel free to change it.
Jun 10 2017
Downgrading to Low (comment 4).
Based on comment 4 (and I checked all the domains in .net/org/com; no domain mixes Latin + Ethiopic): open up this bug.
Comment 1 by elawrence@chromium.org, May 30 2017
Components: UI>Security>UrlFormatting UI>Internationalization