Security: URL spoofing with Armenian characters
Reported by
chromium...@gmail.com,
Aug 16 2017
Issue description

VERSION
Chrome Version: 62.0.3187.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
Some examples:
http://xn--youtobe-bmi.com/
http://xn--aypal-keg.com/
,
Aug 17 2017
,
Aug 17 2017
,
Aug 18 2017
,
Aug 21 2017
Two example domains cannot be registered. See https://www.verisign.com/en_US/channel-resources/domain-registry-products/idn/idn-policy/registration-rules/index.xhtml
,
Aug 22 2017
,
Aug 29 2017
,
Oct 4 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/fd34ee82420c5e5cb04459d6e381944979d8e571

commit fd34ee82420c5e5cb04459d6e381944979d8e571
Author: Jungshik Shin <jshin@chromium.org>
Date: Wed Oct 04 23:25:49 2017

Change the script mixing policy to highly restrictive

The current script mixing policy (moderately restrictive) allows mixing of Latin-ASCII and one non-Latin script (unless the non-Latin script is Cyrillic or Greek).

This CL tightens up the policy to block mixing of Latin-ASCII and a non-Latin script unless the non-Latin script is Chinese (Hanzi, Bopomofo), Japanese (Kanji, Hiragana, Katakana) or Korean (Hangul, Hanja).

Major gTLDs (.net/.org/.com) do not allow the registration of a domain that has both Latin and a non-Latin script. The only exception is names with Latin + Chinese/Japanese/Korean scripts. The same is true of ccTLDs with IDNs.

Given the above registration rules of major gTLDs and ccTLDs, allowing mixing of Latin and non-Latin other than CJK has no practical effect. In the meantime, domain names in TLDs with a laxer policy on script mixing would be subject to a potential spoofing attempt with the current moderately restrictive script mixing policy. To protect users from those risks, there are a few ad-hoc rules in place.

By switching to highly restrictive those ad-hoc rules can be removed simplifying the IDN display policy implementation a bit.

This is also coordinated with Mozilla. See https://bugzilla.mozilla.org/show_bug.cgi?id=1399939 .

BUG= 726950, 756226, 756456, 756735, 770465
TEST=components_unittests --gtest_filter=*IDN*

Change-Id: Ib96d0d588f7fcda38ffa0ce59e98a5bd5b439116
Reviewed-on: https://chromium-review.googlesource.com/688825
Reviewed-by: Brett Wilson <brettw@chromium.org>
Reviewed-by: Lucas Garron <lgarron@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506561}

[modify] https://crrev.com/fd34ee82420c5e5cb04459d6e381944979d8e571/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/fd34ee82420c5e5cb04459d6e381944979d8e571/components/url_formatter/url_formatter_unittest.cc
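The policy change in the commit message above, sketched as an added Python example (not Chromium's idn_spoof_checker.cc code and not part of the original thread): it decodes each label with the standard punycode codec and applies the two policies as the commit message words them, using the two hosts from the report. The function names, the policy names 'moderate' and 'high', and the character-name script lookup are assumptions of this sketch.

```python
import unicodedata

# Script groups the commit message exempts: Chinese, Japanese, Korean.
CJK_GROUPS = (
    {"CJK", "BOPOMOFO"},
    {"CJK", "HIRAGANA", "KATAKANA"},
    {"CJK", "HANGUL"},
)

def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- A-label or plain text)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(text):
    """Scripts used in text. Assumption: the first word of the Unicode
    character name approximates the Script property, which the Python
    standard library does not expose. ASCII digits and '-' are neutral."""
    found = set()
    for ch in text:
        if ch in "0123456789-":
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        found.add(name.split()[0].split("-")[0])
    return found

def label_allowed(label, policy):
    """policy is 'moderate' or 'high', as the commit message describes them."""
    scripts = scripts_of(decode_label(label))
    others = scripts - {"LATIN"}
    if len(scripts) <= 1:
        return True                       # single script, nothing mixed
    if any(others <= group for group in CJK_GROUPS):
        return True                       # CJK, with or without Latin
    if policy == "moderate":
        # Latin plus exactly one other script, except Cyrillic and Greek
        return ("LATIN" in scripts and len(others) == 1
                and not others & {"CYRILLIC", "GREEK"})
    return False                          # 'high': any other mix is blocked

def host_allowed(host, policy):
    """A host passes only if every one of its labels passes."""
    return all(label_allowed(l, policy) for l in host.split("."))

if __name__ == "__main__":
    for host in ("xn--youtobe-bmi.com", "xn--aypal-keg.com"):
        print(host, [sorted(scripts_of(decode_label(l))) for l in host.split(".")],
              host_allowed(host, "moderate"), host_allowed(host, "high"))
```

Both reported hosts mix Latin with a single Armenian letter, so they pass the moderate policy and fail the high one.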
,
Oct 4 2017
,
Oct 5 2017
,
Oct 10 2017
Historically, we've ranked IDN spoofs at Severity Medium, although this one was partially mitigated by the fact that ".com" limits mixing with Armenian. The VRP should still take a look.
,
Oct 13 2017
Reported domains cannot be registered in com/net/org and ccTLDs accepting Armenian domains.
,
Oct 20 2017
I'm afraid the panel declined to award for this bug.
,
Dec 4 2017
,
Dec 4 2017
,
Jan 11 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Apr 25 2018
,
Oct 5
,
Oct 19