I wrote:

> IDNA's special treatment of "." is insufficient to prevent homograph
> attacks against ".".
>
> For example, someone could register a name that looks like
> "foo.bar.com", where the first dot was really U+0702. This attack
> would be equally effective no matter what larger structure (URI, email
> address, etc) the domain name appeared in.
On second thought, the "." homograph attack is less severe than the "/" homograph attack. The former only allows the attacker to spoof names in the same domain that the attacker is registered in; therefore new registrants can protect themselves from this attack by registering in a domain with reasonable admission policies. The "/" attack, however, allows the attacker to spoof names in *any* domain, so there's nowhere registrants can go and be safe from it.

The more severe attack can happen only when domain names are embedded in larger structures, so a case could be made that each of these larger structures should create its own recommendations for dealing with spoofs of its delimiters. On the other hand, non-technical users might be misled by all sorts of punctuation, even symbols that don't resemble the true delimiters.

AMC

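The delimiter-spoofing risk discussed in this message can be screened for on the receiving side (a registrar admission check, a URI or address validator, a mail filter). The following is an added example, not code from the original post or from any IDNA implementation: it scans a URI, email address or bare domain name for non-ASCII characters that could be mistaken for the ASCII delimiters "." and "/". U+0702 is the character named in the message; the other lookalike code points and the name-based heuristic are assumptions chosen for illustration, not an exhaustive confusables table.

```python
import unicodedata

# Constructed lookalike table (assumption, not from the original message,
# except U+0702 which the message itself names). Maps a non-ASCII
# character to the ASCII delimiter a reader could mistake it for.
DOT_LOOKALIKES = {
    "\u0702": ".",   # SYRIAC SUPRALINEAR FULL STOP (named in the message)
    "\u2024": ".",   # ONE DOT LEADER
}
SLASH_LOOKALIKES = {
    "\u2044": "/",   # FRACTION SLASH
    "\u2215": "/",   # DIVISION SLASH
    "\uff0f": "/",   # FULLWIDTH SOLIDUS
}
LOOKALIKES = {**DOT_LOOKALIKES, **SLASH_LOOKALIKES}


def delimiter_lookalike(ch):
    """Return the ASCII delimiter `ch` could pass for ('.' or '/'), or None.

    Real ASCII delimiters are not flagged; only non-ASCII characters are
    considered. Characters outside the explicit table are caught by a
    heuristic on their Unicode name (assumption: any name containing
    'FULL STOP' resembles '.', any non-reverse 'SOLIDUS' resembles '/').
    """
    if ch.isascii():
        return None
    if ch in LOOKALIKES:
        return LOOKALIKES[ch]
    name = unicodedata.name(ch, "")
    if "FULL STOP" in name:
        return "."
    if "SOLIDUS" in name and "REVERSE" not in name:
        return "/"
    return None


def find_delimiter_spoofs(text):
    """Scan `text` (URI, email address or domain name) and return a list of
    (index, character, looks_like) tuples for every suspicious character."""
    return [
        (i, ch, look)
        for i, ch in enumerate(text)
        if (look := delimiter_lookalike(ch)) is not None
    ]


def is_suspicious(text):
    """True when at least one delimiter lookalike is present."""
    return bool(find_delimiter_spoofs(text))


if __name__ == "__main__":
    # Constructed sample inputs: the first mimics the message's example,
    # the second embeds a fake path separator inside a hostname.
    samples = [
        "foo.bar.com",
        "foo\u0702bar.com",
        "http://www.example.com\u2215login",
    ]
    for s in samples:
        hits = find_delimiter_spoofs(s)
        verdict = "SUSPICIOUS" if hits else "ok"
        print(f"{verdict:10} {s!r}")
        for idx, ch, look in hits:
            print(f"    index {idx}: U+{ord(ch):04X} "
                  f"({unicodedata.name(ch, '?')}) looks like {look!r}")
```

A check like this belongs wherever a domain name is accepted from an untrusted party: it reports the offending code point and position so the registration or message can be rejected or shown to the user with the lookalike highlighted. The name heuristic deliberately also catches U+3002 (IDEOGRAPHIC FULL STOP) and similar characters that IDNA already maps to ".", which is harmless in a screening tool but worth knowing if the same function is reused after IDNA processing.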