In comp.lang.java.programmer Paul Rubin <http://[EMAIL PROTECTED]> wrote or quoted:
> Tim Tyler <[EMAIL PROTECTED]> writes:

> > Are there any examples of HTML email causing security problems - outside
> > of Microsoft's software?
>
> There was a pretty good one that went something like
>
>     Click this link to download latest security patch!
>     <a href=http://www.mxxxxxx.com.....>Microsoft Security Center</a>
>
> where "mxxxxxx" is "microsoft" with the letter "i" replaced by some
> exotic Unicode character that looks exactly like an ascii "i" in normal
> screen fonts. The attacker had of course registered that domain and
> put evil stuff there.

I didn't think unicode domain names existed.

It seems that they are in the pipeline:

``After much debate and many competing proposals, a system called
Internationalizing Domain Names in Applications (IDNA) was adopted as
the chosen standard, and is currently, as of 2005, in the process of
being rolled out.''

 - http://en.wikipedia.org/wiki/Internationalized_domain_names

It looks like the security issues are probably going to be dealt with
via technical fixes:

``On February 17, 2005, Mozilla developers announced that they would
ship their next versions of their software with IDN support still
enabled, but showing the punycode URLs instead, thus thwarting any
attacks while still allowing people to access websites on an IDN
domain. This is a change from the earlier plans to disable IDN
entirely for the time being.''

 - http://en.wikipedia.org/wiki/Internationalized_domain_names

Anyway, I'm inclined to suggest this is a DNS problem. It would apply
to any format that allowed rendering of domain names using the unicode
character set they are intended to be displayed using.

Even without unicode, the "homograph attack" is still viable, due to
things like the "l"/"I" issue in many fonts - as pointed out on:

http://www.centr.org/docs/2005/02/homographs.html

-- 
__________
 |im |yler  http://timtyler.org/  [EMAIL PROTECTED]  Remove lock to reply.
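
The "show the punycode form" mitigation quoted above can also be applied when checking links in an HTML message. The following is an added example, not part of the original post: it uses Python's built-in `idna` codec (IDNA 2003), and the sample message, the `example.com` host with U+0430 substituted, and the flag names are all constructed for illustration.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scripts(label):
    """Scripts of a label's letters, read from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def audit_links(html):
    """One finding per link: visible text, punycode host, and flags."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        try:
            puny = host.encode("idna").decode("ascii")
            uni = puny.encode("ascii").decode("idna")  # Unicode form, even if href used xn--
        except UnicodeError:
            puny, uni = None, host  # a label is not valid under IDNA rules
        flags = []
        if puny is None:
            flags.append("invalid-idn")
        elif puny != uni:
            flags.append("idn-host")
        if any(len(scripts(lbl)) > 1 for lbl in uni.split(".")):
            flags.append("mixed-script-label")
        findings.append({"text": text, "host": uni, "punycode": puny, "flags": flags})
    return findings

# Constructed sample: U+0430 (Cyrillic "a") stands in for the ASCII "a".
SAMPLE = ('<a href="http://www.ex\u0430mple.com/patch">Security Center</a>'
          '<a href="http://www.python.org/">Python</a>')
if __name__ == "__main__":
    for f in audit_links(SAMPLE):
        print(f["text"], f["punycode"], f["flags"])
```

This only catches the Unicode case; the ASCII "l"/"I" confusion mentioned in the post leaves the host unchanged under punycode and needs a comparison against known names instead.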