I wouldn't say there's much of a difference in social engineering  
opportunities -- what we have now with semantic collisions is pretty  
effective already.

Punycode support is only in the browsers, and only in certain  
conditions. Shmoo scared people good with their homograph attacks a  
few years back.

There are bugs in DNS decoders that hit from time to time, usually in  
record types, sometimes with DNS compression. Punycode is complex and  
will get buggy implementations.



On Oct 31, 2009, at 12:15 PM, "Larry Seltzer" <[email protected]> wrote:

> Just kidding about the "looking for quotes" line. I won't implicate
> anyone here unless you tell me you want to be quoted, and then I'll just
> garble the quote to humiliate you.
>
> Really, I'll treat this thread as an educational experience, make up my
> own mind and talk about that. So far my guess is that, based on pretty
> much all prior experience on the Internet, there have to be exploitable
> software bugs and social engineering opportunities in this, probably
> significant ones. How much support is there right now in available
> software for punycode?
>
> Here's a stupid question: Is it possible that there are buffer overflows
> out there just from all the extra bytes in domain names?
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> [email protected]
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Larry Seltzer
> Sent: Saturday, October 31, 2009 9:40 AM
> To: [email protected]
> Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters
>
> Oh I know all this, just looking for quotes.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> [email protected]
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: Paul Ferguson [mailto:[email protected]]
> Sent: Saturday, October 31, 2009 9:35 AM
> To: Larry Seltzer
> Cc: [email protected]
> Subject: Re: [funsec] ICANN Approves Non-Latin Domain Name Characters
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sat, Oct 31, 2009 at 6:14 AM, Larry Seltzer <[email protected]> wrote:
>
>> http://www.pcmag.com/article2/0,2817,2355068,00.asp?kc=PCRSS05079TX1K0000992
>>
>> So have the security implications of these new domain names really been
>> thought through?
>>
>
> No.
>
> If nothing else, expanding the TLD space expands the abuse footprint.
>
> Further, expanding the TLD footprint in areas which are not clearly
> 'recognizable' by some applications, etc., will certainly have a tendency
> to be targets for abuse by criminals.
>
> Of course, this may sound obvious -- and it is.
>
> But expanding the TLD space into the IDN direction is not all sunshine and
> rainbows -- it also opens up a whole new gateway for enormous abuse and
> exploitation.
>
> It should be obvious to anyone with a clue. :-)
>
> - - ferg
>
> p.s. I'm in Taipei at the moment, which should underscore the issues that I
> am talking about, et al.
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.5.3 (Build 5003)
>
> wj8DBQFK7Dzhq1pz9mNUZTMRAgxlAJ9FzZzBmRmoPfN4EHhSRo2g19/WvQCgzCJO
> 5V6IySqInkTmQlkoxSqb1tk=
> =COHl
> -----END PGP SIGNATURE-----
>
>
> -- 
> "Fergie", a.k.a. Paul Ferguson
> Engineering Architecture for the Internet
> fergdawgster(at)gmail.com
> ferg's tech blog: http://fergdawg.blogspot.com/
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
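
An added example, not part of the original thread: a pre-flight check that converts each label of an internationalized name to its ASCII-compatible (xn--) form, enforces the DNS length limits on the encoded form, and flags labels that mix scripts, which touches both the "extra bytes" question and the homograph concern raised above. The function names and sample names are constructed for illustration; it assumes Python's built-in punycode codec, skips full IDNA normalization, and uses Unicode character names as a rough script heuristic.

```python
import unicodedata

MAX_LABEL = 63   # RFC 1035: octets allowed in one label
MAX_NAME = 253   # octets allowed in a dotted name (no trailing dot)

def to_ace(label):
    """ASCII-compatible (xn--) form of one label. Assumption: lower-casing
    stands in for full IDNA normalization, which this sketch skips."""
    label = label.lower()
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Rough script set, from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def check_name(name):
    """Return (ace_name, problems) for a dotted Unicode host name."""
    problems, ace_labels = [], []
    for label in name.rstrip(".").split("."):
        if not label:
            problems.append("empty label")
            continue
        ace = to_ace(label)
        if len(ace) > MAX_LABEL:
            problems.append(f"label is {len(ace)} octets in ACE form (max {MAX_LABEL})")
        found = scripts(label)
        if len(found) > 1:
            problems.append(f"mixed scripts in {ace}: {sorted(found)}")
        ace_labels.append(ace)
    ace_name = ".".join(ace_labels)
    if len(ace_name) > MAX_NAME:
        problems.append(f"name is {len(ace_name)} octets in ACE form (max {MAX_NAME})")
    return ace_name, problems

# Constructed sample names, not taken from the thread.
SAMPLES = [
    "b\u00fccher.example",         # plain single-script IDN
    "p\u0430ypal.example",         # Cyrillic U+0430 among Latin letters
    "\u00fc" * 60 + ".example",    # 60 characters, but longer once encoded
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_name(sample))
```

The third sample is under 63 characters as typed but over 63 octets once encoded, so the limit has to be checked on the ACE form, not on the Unicode string.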
