On 2/20/09 12:11 PM, Nelson B Bolyard wrote:
> Benjamin Smedberg wrote, On 2009-02-19 07:39:
>
>> It sounds to me that we could and should fix this bug simply by disabling
>> punycode for the wildcard portion.
>
> I'm not sure what you're proposing here, Ben, or what effect you think
> it would have.

I'm proposing that when Firefox displays the domain name of a site, it should only use punycode display for the portion of the domain name which actually appears in the certificate. So for a wildcard cert *.ijjk.cn, the display would be xn--blahblahunreadablepunycode.ijjk.cn

> Homomorphic characters aren't a problem for wildcard matching. They're a
> problem for users' eyeballs. The attack that was demonstrated could have
> been done without wildcards. Changing the wildcard matching rules would
> not eliminate this attack (in the general case).

I don't see how the attack could have been done without wildcards. CA guidelines say that certificates should not be issued with homographic characters that might cause confusion, and as far as we know these guidelines are being followed. The attack here takes place entirely within the wildcard portion of the domain because that's the portion the CA can't verify when they issue the certificate.

--BDS

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
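The display rule Ben proposes above, worked through as an added example (not code from the thread, from Firefox, or from NSS). It assumes the usual wildcard rule that a single leftmost `*` matches exactly one label, and uses Python's standard-library IDNA codec; `*.ijjk.cn` is the certificate name from the thread, and the host names are constructed samples.

```python
def _to_ascii(label: str) -> str:
    """A-label (xn--) form of one DNS label; ASCII labels and '*' pass through."""
    if label == "*":
        return label
    return label.encode("idna").decode("ascii")


def _to_unicode(label: str) -> str:
    """U-label form of one A-label; plain ASCII labels come back unchanged."""
    return label.encode("ascii").decode("idna")


def cert_covers(host: str, cert_name: str) -> bool:
    """True if cert_name (e.g. '*.ijjk.cn') matches host. Assumed rule: '*' is
    the whole leftmost label and matches exactly one host label; every other
    label must be equal after IDNA normalisation (case-insensitive)."""
    h = [_to_ascii(l).lower() for l in host.split(".")]
    c = [_to_ascii(l).lower() for l in cert_name.split(".")]
    if len(h) != len(c) or "*" in c[1:]:
        return False
    return all(cl == "*" or cl == hl for hl, cl in zip(h, c))


def display_name(host: str, cert_name: str) -> str:
    """Render host for the location bar under the proposed rule: labels that
    appear literally in the certificate (the part the CA vetted) are shown as
    Unicode; the label covered only by '*' is shown as its xn-- punycode."""
    if not cert_covers(host, cert_name):
        raise ValueError("certificate name does not cover host")
    out = []
    for hl, cl in zip(host.split("."), cert_name.split(".")):
        a = _to_ascii(hl)
        out.append(a if cl == "*" else _to_unicode(a))
    return ".".join(out)


if __name__ == "__main__":
    # Constructed sample: the wildcard-covered label is left as unreadable
    # punycode, the CA-vetted tail stays readable.
    print(display_name("bücher.ijjk.cn", "*.ijjk.cn"))  # xn--bcher-kva.ijjk.cn
    # The vetted portion may itself be an IDN; it is still shown as Unicode.
    print(display_name("www.xn--bcher-kva.example", "*.xn--bcher-kva.example"))
```

The same function handles a non-wildcard certificate name, in which case every label was vetted and the whole host is rendered as Unicode.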