Hi Bill,

The homograph attack has nothing to do with the validity of an IDN though and everything with how Unicode characters of different code points can look similar and even identical (thus allowing the creation of very convincing spoofed domain names). Appearance, fortunately, has absolutely nothing to do with the validity of that domain name... either it follows the applicable TLD rules or it doesn't.

That the existence of a homograph could even remotely be responsible for invalidating a domain which follows the IANA rules or the local registry's defined allowable Unicode points is a nutsy idea (no offence ;)) - how could you possibly build that into validation logic anyway? If it can be used for phishing then surely it's by definition a valid IDN? It works when you plug it into a browser, yes?

If folk want to get rid of the spoof, they should implement a policy of displaying the punycode equivalents (which are all ASCII) inside their applications. This is a security concern separate from validation. Handling punycode display is already standard across the major browsers for example. If you really want to boost awareness then include a punycode converter which Zend_Uri can utilise to transform an IDN into a displayable punycode. Then add IDN detection (as you said, check for Unicode content maybe). The rest is for the programmer to implement since it's their responsibility to produce secure applications.

My 2c...

Regards,
Pádraic

P.S. Apologies to Thomas for wrongly posting to i18n!

Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com

----- Original Message ----
From: Bill Karwin <[EMAIL PROTECTED]>
To: Zend Framework i18n <[EMAIL PROTECTED]>; Zend Framework General <[email protected]>
Sent: Saturday, June 23, 2007 9:08:17 PM
Subject: [fw-i18n] RE: [fw-general] IDN Validation

The subject of supporting IDN's is tricky. We have talked about supporting them, but there are some issues because they map into ASCII domains in a way that increases risks of performing domain name spoofing. This is known as the Homograph Attack. See http://en.wikipedia.org/wiki/Internationalized_domain_name#Spoofing_concerns

I'm not sure yet what we want our policy to be regarding support for IDN's in Zend Framework. We could implement a class to convert Unicode strings to Punycode in ASCII to support the way IDNA says to map IDN's. Then validate the ASCII domain normally. Zend_Validate_Hostname could even do this transparently if it detects any Unicode characters in its string argument. Since PHP 5 has weak support for Unicode, this might not be something that can be done transparently until PHP 6.

In the meantime, until ZF includes a Punycode converter, an application developer must do it themselves and then validate the ASCII domain name.

Regards,
Bill Karwin

From: Pádraic Brady [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 23, 2007 11:33 AM
To: Zend Framework i18n; Zend Framework General
Subject: [fw-general] IDN Validation

Hi all,

I was just wondering what plans are for IDN support. We currently have about 10? or less tlds covered in Zend_Validate - there's somewhere around 40+ currently supporting IDNs in total. This probably isn't a priority at the moment - mainly curious since I had some test runs of an application meet some failures from the validator.

On a sidetrack, how do IDNs affect the framework's email validator? Bear in mind most of the tlds like .com, .org etc also allow for IDNs. e.g. http://www.المعرفة.com (arabic).

Kind regards,
Pádraic

Pádraic Brady
http://blog.astrumfutura.com
http://www.patternsforphp.com
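The thread above sketches four pieces: detect an IDN by checking for non-ASCII content, convert it to its ASCII punycode form, validate that ASCII name with the ordinary hostname rules, and display the punycode form to the user rather than the Unicode one. The following Python sketch is an added illustration of exactly those pieces; it is not code from the thread, from Zend Framework or from its authors. Python's built-in `idna` codec (IDNA 2003 nameprep plus Punycode) stands in for the converter the thread proposes for Zend_Uri and Zend_Validate_Hostname; the function names, the LDH label regex and the sample hostnames are constructed for this example. The optional "mixed-script" display policy (keep Unicode only when every label is written in one script, the refinement browsers later adopted) goes beyond what the thread describes and is labelled as such in the code.

```python
import re
import unicodedata

# ASCII ("LDH") label rule applied after conversion: letters, digits and
# hyphens only, 1-63 characters, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_HOSTNAME_LEN = 253


def is_idn(hostname: str) -> bool:
    """IDN detection as suggested in the thread: any non-ASCII content."""
    return any(ord(ch) > 127 for ch in hostname)


def to_punycode(hostname: str) -> str:
    """Convert each non-ASCII label to its ACE ("xn--") form.

    Python's built-in 'idna' codec stands in for the Punycode converter the
    thread proposes. ASCII labels pass through unchanged. Raises UnicodeError
    on labels that IDNA rejects (empty, too long, prohibited characters).
    """
    labels = hostname.rstrip(".").split(".")
    ascii_labels = []
    for label in labels:
        if is_idn(label):
            ascii_labels.append(label.encode("idna").decode("ascii"))
        else:
            ascii_labels.append(label)
    return ".".join(ascii_labels)


def validate_hostname(hostname: str) -> bool:
    """Bill's approach: map an IDN to ASCII first, then validate normally."""
    try:
        ascii_name = to_punycode(hostname)
    except UnicodeError:
        return False
    if not ascii_name or len(ascii_name) > MAX_HOSTNAME_LEN:
        return False
    labels = ascii_name.split(".")
    # Require at least one label before the TLD and a purely alphabetic or
    # ACE-encoded TLD; per-registry Unicode point rules are out of scope here.
    if len(labels) < 2:
        return False
    tld = labels[-1]
    if not (tld.isalpha() or tld.lower().startswith("xn--")):
        return False
    return all(LABEL_RE.match(label) for label in labels)


def scripts_in(label: str) -> set:
    """Heuristic script set for a label, taken from the first word of each
    letter's Unicode name (e.g. 'LATIN', 'CYRILLIC', 'ARABIC')."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}


def display_form(hostname: str, policy: str = "always") -> str:
    """Display policy from the thread: show IDNs as punycode, not Unicode.

    policy="always"       - every IDN is rendered in its ASCII xn-- form (the
                            policy Pádraic describes).
    policy="mixed-script" - Unicode is kept only when each label is written in
                            a single script; a label mixing scripts is rendered
                            as punycode. This refinement goes beyond the thread.
    """
    if not is_idn(hostname):
        return hostname
    if policy == "always":
        return to_punycode(hostname)
    if policy == "mixed-script":
        if any(len(scripts_in(label)) > 1 for label in hostname.split(".")):
            return to_punycode(hostname)
        return hostname
    raise ValueError("unknown policy: " + policy)


if __name__ == "__main__":
    # Constructed samples: the Arabic example from the thread, a label that
    # mixes Latin letters with a Cyrillic 'а' (U+0430), and an invalid name.
    for name in ("example.com", "www.المعرفة.com", "ex\u0430mple.com", "-bad.com"):
        print(name, is_idn(name), validate_hostname(name),
              display_form(name, "mixed-script"))
```

Note that `to_punycode` only applies the IDNA mapping; whether a given Unicode point is permitted under a particular TLD's rules is still the registry's policy, which is why `validate_hostname` checks the converted ASCII form and nothing more, matching the separation between validation and display that the thread argues for.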
