Closed
Bug 300132
Opened 19 years ago
Closed 19 years ago
Add .lt, .info, .th, .ac, .io, .sh, .tm, .gr, .br to IDN whitelist
Categories
(Core :: Networking, enhancement)
Core
Networking
Tracking
()
RESOLVED
FIXED
mozilla1.8beta3
People
(Reporter: gerv, Assigned: gerv)
References
()
Details
Attachments
(1 file)
1.72 KB,
patch
|
jshin1987
:
review+
benjamin
:
approval1.8b4+
|
Details | Diff | Splinter Review |
I have approved the following TLDs to be added to the IDN whitelist. As more apply, I will add comments as I approve them. After a certain amount of time, we will make and check in a patch. Gerv
Assignee | ||
Comment 1•19 years ago
|
||
Approved: .lt, .info, .th, .ac, .io, .sh, .tm. Gerv
Target Milestone: --- → mozilla1.8beta3
I'm concerned about .ac: Google cache: http://66.102.9.104/search?q=cache:VqhSxRNehy8J:www.nic.ac/+nic.ac&hl=en&client=firefox-a Way back machine: http://web.archive.org/web/20041130033107/http://www.nic.ac/ The page has not been updated since 2004-november, and suddenly they have a policy. In fact their FAQ page (to which they have unlinked from the home page) is still there: http://www.nic.ac/idnfaq.html#4 Same goes for .sh, .tm, and .io: http://www.nic.sh/idnfaq.html#3 http://www.nic.tm/idnfaq.html#4 http://www.nic.io/idnfaq.html#4 (copy and pasted from .TM verbatim)
Comment 3•19 years ago
|
||
(I checked the .tm registry, although they're all copies of eachother). I don't think we should allow these registrars, becuase they accept ALL characters ! This is the reason that we have the IDN whitelist. >What characters are authorised in .TM IDNs? >.TM Registry wants to give you maximum flexibility when it comes to protecting >your assets on the Internet. Because .TM names can be registered and used >worldwide, we did not want to put artificial limitations in the langage or >script that can be used. Therefore there is no limit in the special characters >you can use, providing your name can be translated in ACE form, and registered >that way. And further : >It is your responsability to ensure that the ACE form produced by our Encoder >is consistent with what you want to register. This means they don't even check, and they don't want to take reponsability. I tried with the infamous paypal-example from bug 279099, and their IDN encoder accepted it (pаypal.tm --> xn--pypal-4ve.tm) ! Whois says that it's still available :-) Ok, I know that Turmenistan also uses the cyrillic script, and they might accept the а. But the point is that it shouldn't be mixed with other scripts.
Assignee | ||
Comment 4•19 years ago
|
||
Approved: .gr, based on email assurances received. Gerv
Assignee | ||
Comment 5•19 years ago
|
||
William: if they have updated their policies to meet our requirements, that can only be a good thing :-) OK, the IDN FAQs don't match the newly-linked policy. We should get them to clear that confusion up. I assume their translator widget doesn't impose the same restrictions as their backend systems. Jo: they don't accept all characters any more; see the policy PDFs linked from the URL in the URL field. Gerv
Assignee | ||
Comment 6•19 years ago
|
||
Approved: .br. Gerv
Assignee | ||
Comment 8•19 years ago
|
||
If they don't, I'm sure you'll be the first to follow the instructions at the URL and email the Mozilla security group :-) Gerv
Assignee | ||
Comment 10•19 years ago
|
||
William: the issues raised in your comment #2 have been addressed. Gerv
Comment 11•19 years ago
|
||
gerv: will mofo be doing spot checks on these registrars? Would probably be a good idea to be pro-active in checking that the people on our whitelist are actually as safe as they claim.
Assignee | ||
Comment 12•19 years ago
|
||
Ian: good question. I wasn't planning to, for the following reasons: - It's hard to check - the only real check is noticing a domain which has been issued in violation of policy - I'm sure that the registries know that if they start issuing homographic domains, they'll get: * a load of negative publicity * angry phone calls from their ASCII customers that they might get spoofed * a security update from us disabling their TLD * angry phone calls from their IDN customers, as their domains now look like gibberish in Firefox * great difficulty in getting it re-enabled. I suspect no registry sees that as a good business move. Gerv
Comment 13•19 years ago
|
||
The kind of check I was thinking about was just going out and attempting to register homographic domains. It seems like that would be a good idea to me. I have no fear that the registrars would intentionally allow such registrations. My fear is that they would unintentionally, through incompetence, allow them. That is, after all, basically how the original "paypal.com" IDN domain got registered -- the policies in that particular case would theoretically have stopped it.
Comment 14•19 years ago
|
||
For the record, Eric's "paypal.com" was registered not through Verisign's or anybody's incompetence, but sheer negligence.
Assignee | ||
Comment 15•19 years ago
|
||
I think the profile of the issue has been raised so dramatically since then that registries will be very careful in how they write and test their domain-checking code. Any independent security researcher is welcome to do such testing and, if problems are found, report them to the Mozilla security group. Gerv
Comment 16•19 years ago
|
||
Why would Mozilla not want to proactively check such policies?
Comment 17•19 years ago
|
||
I agree with Gerv that the job of keeping tabs on various registries' policies fall outside the scope of MoFo's main functions. That said, it is worrisome that there could be discrepancies between what's advertised as policies and what's really enforced. For example, Verisign com/net IDN policies goes something like: 1. Registrars are to submit the IDN to be registered along with the proposed language that the name is intended to be. 2. The domain name is then checked against the list of allowable characters for that language. The entire domain must fall inside the list of languages or the registration would be rejected. 3. The currently deployed language tables are: Chinese, Japanese, Koren, Polish, Greek, ... What's in between the lines is that if you submit a language tag for which they have no language table, the entire Unicode 3.2 (minus the ones prohibited by IDNA) becomes the table. See http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/idn-standards/idn-character-variants/page_002089.html This is a prime example of discrepancy between policy and implementation. And the only way to find out is to actually try to register a name with the respective registries. A number of registries, such as .museum, are safe because the registration process is manual, and requires the registrant to prove their eligibility. If MoFo has the budget to periodically check on these registries, I'd be glad to police the registries :)
Assignee | ||
Comment 18•19 years ago
|
||
OK, it's rollup time. This bug's bags are packed with the following TLDs: .lt, .info, .th, .ac, .io, .sh, .tm, .gr, .br. and it's heading out the door and down to the station for the 1.8b4 train. Any further requests will go into a different bug, and probably be in the next release rather than this one. There's a potential clash with bug 299927; we'll try and get that in first. Gerv
Assignee | ||
Comment 19•19 years ago
|
||
Here's the (trivial) patch. Requesting approval for 1.8b4, and rubber-stamp review from jshin. Gerv
Assignee | ||
Updated•19 years ago
|
Attachment #189765 -
Flags: review?(jshin1987)
Attachment #189765 -
Flags: approval1.8b4?
Comment 20•19 years ago
|
||
Comment on attachment 189765 [details] [diff] [review] Patch v.1 rs=jshin
Attachment #189765 -
Flags: review?(jshin1987) → review+
Assignee | ||
Comment 21•19 years ago
|
||
OK, this patch is actually post-checkin of bug 299927, so there will be no conflict. Gerv
Updated•19 years ago
|
Attachment #189765 -
Flags: approval1.8b4? → approval1.8b4+
Assignee | ||
Comment 22•19 years ago
|
||
Fixed. Checking in modules/libpref/src/init/all.js; /cvsroot/mozilla/modules/libpref/src/init/all.js,v <-- all.js new revision: 3.584; previous revision: 3.583 done Any more people, please email me in the usual way, as described on: http://www.mozilla.org/projects/security/tld-idn-policy-list.html Gerv
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Summary: Further additions to IDN whitelist → Add .lt, .info, .th, .ac, .io, .sh, .tm, .gr, .br to IDN whitelist
You need to log in
before you can comment on or make changes to this bug.
Description
•