funsec mailing list archives
Re: ICANN Approves Non-Latin Domain Name Characters
From: Dan Kaminsky <dan () doxpara com>
Date: Sat, 31 Oct 2009 13:32:40 -0400
I wouldn't say there's much of a difference in social engineering opportunities -- what we have now with semantic collisions is pretty effective already. Punycode support is only in the browsers, and only in certain conditions. Shmoo scared people good with their homograph attacks a few years back. There are bugs in DNS decoders that hit from time to time, usually in record types, sometimes with DNS compression. Punycode is complex and will get buggy implementations. On Oct 31, 2009, at 12:15 PM, "Larry Seltzer" <larry () larryseltzer com> wrote:
Just kidding about the "looking for quotes" line. I won't implicate anyone here unless you tell me you want to be quoted, and then I'll just garble the quote to humiliate you. Really, I'll treat this thread as an educational experience, make up my own mind and talk about that. So far my guess is that, based on pretty much all prior experience on the Internet, there have to be exploitable software bugs and social engineering opportunities in this, probably significant ones. How much support is there right now in available software for punycode? Here's a stupid question: Is it possible that there are buffer overflows out there just from all the extra bytes in domain names? Larry Seltzer Contributing Editor, PC Magazine larry_seltzer () ziffdavis com http://blogs.pcmag.com/securitywatch/ -----Original Message----- From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Larry Seltzer Sent: Saturday, October 31, 2009 9:40 AM To: funsec () linuxbox org Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters Oh I know all this, just looking for quotes. Larry Seltzer Contributing Editor, PC Magazine larry_seltzer () ziffdavis com http://blogs.pcmag.com/securitywatch/ -----Original Message----- From: Paul Ferguson [mailto:fergdawgster () gmail com] Sent: Saturday, October 31, 2009 9:35 AM To: Larry Seltzer Cc: funsec () linuxbox org Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sat, Oct 31, 2009 at 6:14 AM, Larry Seltzer <larry () larryseltzer com> wrote:http://www.pcmag.com/article2/0,2817,2355068,00.asp?kc=PCRSS05079TX1K000 0992 So have the security implications of these new domain names reallybeenthought through?No. If nothing else, expanding the TLD space expands the abuse footprint. Further, expanding the TLD footprint in areas which are not clearly 'recognizable' by some applications, etc., will certainly have a tendency to be targets for abuse by criminals. Of course, this may sound obvious -- and it is. But expanding the TLD space into the IDN direction is not all sunshine and rainbows -- it also opens up a whole new gateway for enormous abuse and exploitation. It should be obvious to anyone with a clue. :-) - - ferg p.s. I'm in Taipei at the moment, which should underscore the issues that I am talking about, et al. -----BEGIN PGP SIGNATURE----- Version: PGP Desktop 9.5.3 (Build 5003) wj8DBQFK7Dzhq1pz9mNUZTMRAgxlAJ9FzZzBmRmoPfN4EHhSRo2g19/WvQCgzCJO 5V6IySqInkTmQlkoxSqb1tk= =COHl -----END PGP SIGNATURE----- -- "Fergie", a.k.a. Paul Ferguson Engineering Architecture for the Internet fergdawgster(at)gmail.com ferg's tech blog: http://fergdawg.blogspot.com/ _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- ICANN Approves Non-Latin Domain Name Characters Larry Seltzer (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Dan Kaminsky (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Paul Ferguson (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Larry Seltzer (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Larry Seltzer (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Dan Kaminsky (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters chris (Nov 01)
- Re: ICANN Approves Non-Latin Domain Name Characters Larry Seltzer (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Dan Kaminsky (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Buhrmaster, Gary (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Rich Kulawiec (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Dan Kaminsky (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Rich Kulawiec (Oct 31)
- Re: ICANN Approves Non-Latin Domain Name Characters Florian Weimer (Nov 02)
- Re: ICANN Approves Non-Latin Domain Name Characters Valdis . Kletnieks (Nov 02)
- Re: ICANN Approves Non-Latin Domain Name Characters Dan Kaminsky (Nov 02)
- Re: ICANN Approves Non-Latin Domain Name Characters Valdis . Kletnieks (Nov 02)