Closed Bug 301559 Opened 19 years ago Closed 19 years ago

.DE should be removed from IDN-enabled TLDs

Categories: SeaMonkey :: Security, defect
Priority: Not set
Severity: normal
Tracking: Not tracked

RESOLVED WONTFIX

People

(Reporter: roozbeh, Assigned: dveditz)

Details

.DE should be removed from Mozilla's IDN-enabled TLDs list.

It is because .DE is allowing homographs. The problematic pair is the
characters U+0111 LATIN SMALL LETTER D WITH STROKE and U+00F0 LATIN
SMALL LETTER ETH. Their policy, which includes listing of those two
characters, can be found at <http://www.denic.de/en/richtlinien.html>.

These two letters appear identical in their uppercase form, which can be found
at U+00D0 LATIN CAPITAL LETTER ETH and U+0110 LATIN CAPITAL LETTER D WITH
STROKE. If you look at the Unicode charts for those uppercase
characters, they look identical.

Since IDN is case insensitive, someone can be fooled into
considering the two domain names "www.IÐN.de" and "www.IĐN.de" the
same, while these two actually use the two different characters (the
samples here do the same).

I am not marking this confidential, since I have already spoken about .DE's problem
publicly in the ICANN meeting of December 2004 at Cape Town. (In
<http://www.icann.org/meetings/capetown/captioning-idn-workshop-01dec04.htm>,
search for "GERMAN POSSIBLE CONFLICT".)

I sent the following to info@denic.de:

Dear DENIC,

My name is Gervase Markham; I work for the Mozilla Foundation
(http://www.mozilla.org) - we make the Firefox web browser. I am particularly
responsible for the security of our Internationalised Domain Names (IDN) support.

Due to the possibility of "homographic" spoofing - spoofing using two characters
which are different code points but which appear identical - we have implemented
a whitelist of domains who have sufficiently strong anti-spoofing policies for
IDN. You can find the current whitelist here:
http://www.mozilla.org/projects/security/tld-idn-policy-list.html

We added ".de" to our whitelist of IDN domains on June 19th 2005, based on a
visual inspection of your character list at:
http://www.denic.de/en/richtlinien.html
At that time, our understanding was that all the characters on the list were
visually distinct.

However, we have recently received a security report from a Firefox user that
there is actually a possibility of homographic spoofing, due to the
case-insensitivity of the DNS and the fact that two of the given characters have
the same upper-case form. Please see his email, appended to this one, for full
details of the problem.

Please could you get in contact with me as soon as possible, detailing the steps
you plan to take to rectify the problem? We would accept any of the following:

1) Prevent registration of domains with LATIN SMALL LETTER D WITH STROKE
2) Prevent registration of domains with LATIN SMALL LETTER ETH
3) Treat the two characters as homographic, and implement bundling or
   blocking to prevent two domains which differ only in this character
   from being registered to different entities.

I have no knowledge of the importance of the two letters concerned to the German
or other alphabets, and so would not presume to advise you as to which course of
action is best or most politically acceptable. If 3) is not possible
immediately, you may wish to do either 1) or 2) on a temporary basis.

We understand that this problem was not simple to foresee, and we want to be
understanding as we work with you to find a solution. But I feel I should
mention that if a solution to the problem is not found by the time of the next
release of Firefox, then your TLD may have to be removed from the whitelist.
This would mean that IDN domains in .de would display in 'punycode' form rather
than with the correct non-ASCII characters.

I look forward to hearing from you :-) Please note that I am away for two weeks
from Saturday 23rd of July, so please copy your response to all the recipients
of this mail, which includes the Mozilla security group.

Gerv


-------- Original Message --------
Subject: Homographic characters allowed in .DE
Date: Thu, 21 Jul 2005 16:03:08 +0430
From: Roozbeh Pournader <roozbeh@gmail.com>
Reply-To: Roozbeh Pournader <roozbeh@gmail.com>
To: Gervase Markham <gerv@mozilla.org>, security@mozilla.org
CC: Siavash Shahshahani <shahshah@iranet.ir>

Hi!

I wish to ask for removal of .DE from Mozilla's IDN-enabled TLDs list.

It is because .DE is allowing homographs. The problematic pair is the
characters U+0111 LATIN SMALL LETTER D WITH STROKE and U+00F0 LATIN
SMALL LETTER ETH. Their policy, which includes listing of those two
characters, can be found at <http://www.denic.de/en/richtlinien.html>.

These two letters appear identical in their uppercase form, which can
be found at U+00D0
LATIN CAPITAL LETTER ETH and U+0110 LATIN CAPITAL LETTER D WITH
STROKE. If you look at the Unicode charts for those uppercase
characters, they look identical.

As you know, since IDN is case insensitive, someone can be fooled into
considering the two domain names "www.IÐN.de" and "www.IĐN.de" the
same, while these two actually use the two different characters (the
samples here do the same).

So, I wish to ask for the removal of .DE from Mozilla's trusted list.

Roozbeh Pournader

Hello,

your email with the subject:
             Security issue: IDN spoofing problem in DENIC character list
is stored and will be processed within a short time.

Your email acquired the ticket-ID:
             DENIC#: 4118026
For further queries regarding your mail always mention the ticket-ID in the subject.

There is some question as to whether we should enforce the no-homograph policy
for upper-case characters. I have sent a message to DENIC asking them to
disregard my original message while the security group discusses the issue.

Gerv

After discussion, we've decided that as the browser lower-cases domain names
(apart from when you hit bug 264610, which Roozbeh hit), we should only enforce
the anti-homograph rules for lower-case.

Gerv
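The following is an added example, not code from this bug, from Mozilla, or from DENIC. It shows concretely the two facts the thread turns on: that nameprep lower-cases every label before punycode encoding, so "www.IÐN.de" and "www.IĐN.de" are two distinct registrations (the reason the bug was closed WONTFIX), and that their uppercase renderings are visually indistinguishable (the spoof the reporter describes). It also sketches the "bundling" of option 3 in Gerv's e-mail by computing the set of variant names that collide in uppercase. It assumes Python's built-in "idna" codec, which implements IDNA2003 nameprep (case folding plus NFKC), a reasonable stand-in for what the browser did in 2005; the confusable group is constructed from the single pair named in the bug and is not DENIC's character list, and `variant_bundle` is an illustration of the bundling idea, not DENIC's actual mechanism.

```python
"""Added example, not code from the bug, Mozilla, or DENIC.

Uses Python's built-in "idna" codec, which implements IDNA2003 nameprep
(case folding + NFKC) before punycode encoding. The confusable table is
constructed from the one pair named in the bug; it is not DENIC's list.
"""
import unicodedata

# Lowercase letters whose UPPERCASE forms are near-identical glyphs.
# Constructed from the bug: ð U+00F0 (upper Ð U+00D0) and đ U+0111 (upper Đ U+0110).
UPPERCASE_CONFUSABLE_GROUPS = [
    frozenset({"\u00f0", "\u0111"}),
]


def to_ace(domain: str) -> str:
    """Nameprep every non-ASCII label and punycode it (the form the DNS sees)."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """Canonical Unicode form after nameprep: what a browser shows once it lower-cases."""
    return domain.encode("idna").decode("idna")


def codepoints(text: str) -> list[str]:
    """Describe each non-ASCII character, e.g. 'U+00F0 LATIN SMALL LETTER ETH'."""
    return [f"U+{ord(c):04X} {unicodedata.name(c)}" for c in text if ord(c) > 0x7F]


def is_same_registration(a: str, b: str) -> bool:
    """Two spellings are the same domain iff their ACE (punycode) forms match."""
    return to_ace(a) == to_ace(b)


def looks_identical_in_uppercase(a: str, b: str) -> bool:
    """True when the canonical forms differ only at positions where both characters
    belong to one confusable group, so the names cannot be told apart once
    rendered in uppercase (the spoof the reporter describes)."""
    a, b = to_unicode(a), to_unicode(b)
    if len(a) != len(b):
        return False
    return all(
        ca == cb or any(ca in g and cb in g for g in UPPERCASE_CONFUSABLE_GROUPS)
        for ca, cb in zip(a, b)
    )


def variant_bundle(domain: str) -> set[str]:
    """Every registration that renders the same as `domain` in uppercase.

    This is the set a registry would register or block together under option 3
    of the e-mail ("bundling"). Breadth-first expansion with a seen-set handles
    several confusable positions in one name without looping."""
    canonical = to_unicode(domain)
    bundle, queue = {canonical}, [canonical]
    while queue:
        name = queue.pop()
        for i, ch in enumerate(name):
            for group in UPPERCASE_CONFUSABLE_GROUPS:
                if ch in group:
                    for alt in group - {ch}:
                        variant = name[:i] + alt + name[i + 1:]
                        if variant not in bundle:
                            bundle.add(variant)
                            queue.append(variant)
    return bundle


if __name__ == "__main__":
    spoof, real = "www.IÐN.de", "www.IĐN.de"   # the reporter's sample pair
    for d in (spoof, real):
        print(f"{d} -> {to_ace(d)} -> {to_unicode(d)}  {codepoints(to_unicode(d))}")
    print("same registration:", is_same_registration(spoof, real))
    print("identical in uppercase:", looks_identical_in_uppercase(spoof, real))
    print("bundle:", sorted(variant_bundle(real)))
```

Running it prints two different punycode labels for the two spellings, confirming they are distinct names, while `looks_identical_in_uppercase` reports the collision the reporter describes. Note that current browsers apply IDNA2008/UTS #46 processing and the much larger Unicode confusables data of UTS #39 rather than a single hand-built pair, and that they still compare and display the lower-cased form, which is exactly why a purely uppercase collision was judged out of scope here.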
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX