JFYI: IDN homograph attack in roundcube
https://github.com/roundcube/roundcubemail/issues/6891 -- SY, Dmitry Belyavsky
On Tuesday 20 August 2019 07:32:27 CEST, Dmitry Belyavsky wrote:
I commented on the issue page that this doesn't appear to make any difference: Impersonators manage just fine without using homographs today, and they'd manage just fine with, too. Six of one, half a dozen of the other. Also that the issue arises in the first place because Roundcube is prettifying stray xn--blah usage, which the standards neither require nor suggest. The standards have good reasons for that. Arnt
Dear Arnt, On Tue, Aug 20, 2019 at 12:39 PM Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> wrote:
On Tuesday 20 August 2019 07:32:27 CEST, Dmitry Belyavsky wrote:
I commented on the issue page that this doesn't appear to make any difference: Impersonators manage just fine without using homographs today, and they'd manage just fine with, too. Six of one, half a dozen of the other.
Also that the issue arises in the first place because Roundcube is prettifying stray xn--blah usage, which the standards neither require nor suggest. The standards have good reasons for that.
Well, there is a contradiction between the standards and UX. The user should be able to see the domain name and can hardly distinguish 'xn--foo' and 'xn--bar' values. So I strongly prefer to show both variants for IDN names. -- SY, Dmitry Belyavsky
On Tuesday 20 August 2019 11:43:04 CEST, Dmitry Belyavsky wrote:
Well, there is a contradiction between the standards and UX. The user should be able to see the domain name and can hardly distinguish 'xn--foo' and 'xn--bar' values. So I strongly prefer to show both variants for IDN names.
The standards don't require using xn--foo in any user-visible location (or indeed anywhere in the mail message, user-visible or not), so where would the contradiction be? Arnt
On Tue, Aug 20, 2019 at 12:46 PM Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> wrote:
On Tuesday 20 August 2019 11:43:04 CEST, Dmitry Belyavsky wrote:
Well, there is a contradiction between the standards and UX. The user should be able to see the domain name and can hardly distinguish 'xn--foo' and 'xn--bar' values. So I strongly prefer to show both variants for IDN names.
The standards don't require using xn--foo in any user-visible location (or indeed anywhere in the mail message, user-visible or not), so where would the contradiction be?
Sorry, I may be wrong and do not exactly understand which standard you refer to. Common sense suggests that 1. we have to provide a human-readable representation to the user and 2. make him aware that the name is in fact an IDN. -- SY, Dmitry Belyavsky
On Tuesday 20 August 2019 11:50:49 CEST, Dmitry Belyavsky wrote:
Sorry, I may be wrong and do not exactly understand which standard you refer to.
The email RFCs. We are talking about email here, no? Most notably RFC 6532.
Common sense suggests that 1. we have to provide a human-readable representation to the user and 2. make him aware that the name is in fact an IDN.
1. We do, and it doesn't require any occurrence of xn-- anywhere in an email message. 2. Why, exactly? Looking for homographs doesn't help with impostors like samsung-support.com (relies on non-homographic similarity), swapping е and ё in the cases where humans are inconsistent, registering м іст.ru to attack міст.ua, etc. There are decent ways to protect against the general threat, why bother with the special case? Arnt
On Tue, Aug 20, 2019 at 3:22 PM Arnt Gulbrandsen <arnt@gulbrandsen.priv.no> wrote:
Common sense suggests that 1. we have to provide a human-readable representation to the user and 2. make him aware that the name is in fact an IDN.
1. We do, and it doesn't require any occurrence of xn-- anywhere in an email message.
2. Why, exactly? Looking for homographs doesn't help with impostors like samsung-support.com (relies on non-homographic similarity), swapping е and ё in the cases where humans are inconsistent, registering м іст.ru <http://xn--q1ac2d.ru> to attack міст.ua <http://xn--l1akd2f.ua>, etc. There are decent ways to protect against the general threat, why bother with the special case?
Finally got it. Many thanks! -- SY, Dmitry Belyavsky
In article <CADqLbzLO1nMks5Bz=twr1F=LjPLvuvZdhLRFjsg8aGfRojjzbA@mail.gmail.com> you write:
Well, there is a contradiction between the standards and UX.
If that is so, the UX is wrong.
The user should be able to see the domain name and can hardly distinguish 'xn--foo' and 'xn--bar' values. So I strongly prefer to show both variants for IDN names.
In a proper EAI message, the IDNs in the addresses are U-labels. The only time you should see an A-label is in an ASCII message with an address like abcd@xn--efgh. If mail programs are sending EAI mail with A-labels, that's something to fix at the sending end, not try to patch up at the receiving end. My guess is that the people maintaining Roundcube don't understand the difference between EAI mail and ASCII mail with A-label IDNs and it's a bug. R's, John
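A worked illustration of the distinction John draws above. This is an added example, not code from the thread, from Roundcube or from any participant: it classifies an address as either an EAI address whose domain is already a U-label or an ASCII address carrying xn-- A-labels, applies the A-label-to-U-label "prettifying" the issue describes, and shows that the decoded forms of two distinct domains fold to the same look-alike skeleton while a non-homograph impostor such as samsung-support.com does not. The sample addresses and the tiny Cyrillic-to-Latin confusable table are constructed for the example; the conversions use Python's standard-library idna codec (IDNA2003).

```python
# Added example for this thread; not code from Roundcube or from any
# participant.  It separates the two cases John Levine describes (an EAI
# address whose domain is already a U-label, versus an ASCII address that
# carries xn-- A-labels), shows what decoding A-labels for display does to
# two distinct domains, and runs a non-homograph impostor through the same
# look-alike test.  Standard library only; all sample data is constructed.
import unicodedata


def is_eai(addr):
    """RFC 6532 addresses carry raw UTF-8, so their IDN labels are U-labels;
    an all-ASCII address is a classic RFC 5322 address."""
    return not addr.isascii()


def a_labels(domain):
    """Labels in Punycode form ('xn--' prefix, i.e. A-labels)."""
    return [lab for lab in domain.split(".") if lab.lower().startswith("xn--")]


def classify(addr):
    """'eai' for a non-ASCII (U-label) address, 'ascii+alabel' for an ASCII
    address whose domain contains xn-- labels, 'ascii' otherwise."""
    _, _, domain = addr.rpartition("@")
    if is_eai(addr):
        return "eai"
    return "ascii+alabel" if a_labels(domain) else "ascii"


def prettify(addr):
    """The display behaviour reported in the Roundcube issue: decode every
    A-label to its U-label.  Python's idna codec implements IDNA2003
    ToUnicode: labels without the xn-- prefix pass through unchanged, and an
    xn-- label that does not round-trip raises UnicodeError.  EAI addresses
    are returned as-is; there is nothing to decode."""
    if is_eai(addr):
        return addr
    local, at, domain = addr.rpartition("@")
    return local + at + domain.encode("ascii").decode("idna")


# Constructed, deliberately tiny Cyrillic -> Latin look-alike table.  A real
# check would use Unicode's confusables.txt; this is enough to show the point.
_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def skeleton(s):
    """Crude visual skeleton: lowercase, NFKC, then fold look-alikes."""
    return unicodedata.normalize("NFKC", s.lower()).translate(_CONFUSABLES)


def looks_alike(a, b):
    """True when two different strings fold to the same skeleton."""
    return a != b and skeleton(a) == skeleton(b)


def demo():
    """Run the comparison on constructed sample addresses and return the
    observations as a dict."""
    # The thread's example domain: Cyrillic м і с т with Ukrainian і (U+0456).
    eai = "user@\u043c\u0456\u0441\u0442.ua"
    alabel = "user@" + "\u043c\u0456\u0441\u0442.ua".encode("idna").decode("ascii")
    # The same shape with a Latin 'i' (U+0069) in place of U+0456.
    lookalike = "user@" + "\u043ci\u0441\u0442.ua".encode("idna").decode("ascii")
    # Arnt's non-homograph impostor: plain ASCII, nothing to decode.
    impostor, real = "samsung-support.com", "samsung.com"
    return {
        "eai_class": classify(eai),
        "alabel": alabel,                                 # user@xn--l1akd2f.ua
        "alabel_class": classify(alabel),
        "pretty_alabel": prettify(alabel),                # equals eai
        # The two xn-- strings differ visibly ...
        "raw_distinct": looks_alike(alabel, lookalike),   # False
        # ... until both are prettified into U-labels.
        "pretty_alike": looks_alike(prettify(alabel), prettify(lookalike)),  # True
        # A homograph check says nothing about this one.
        "impostor_flagged": looks_alike(impostor, real),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints the observations; the round trip of міст.ua to xn--l1akd2f.ua agrees with the links in Arnt's message, and xn--q1ac2d.ru decodes to іст.ru. The point of the skeleton check is Arnt's: it only fires once the A-labels have been decoded for display, and it never fires for samsung-support.com.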
See https://twitter.com/datamail_in/status/1170509585385480192 Though I do think it better to present the Japanese email as ニチン@データメール.コム rather than ニチン/データメール。コム From the graphic I think it is fullwidth slash (as opposed to standard ASCII slash) and the ideographic full stop that is being displayed. I do vaguely recollect that there are/were some issues with some Japanese Input Methods whereby @ would by default be mapped to / or some such unexpected mapping. André Schappo
Participants (4): Andre Schappo, Arnt Gulbrandsen, Dmitry Belyavsky, John Levine