Comments (4)
My understanding is that @ryancdotorg agrees with my assessment and proposed stopgap fix -- Ryan, is that accurate?
from ncdns.
Some additional notes.
Punycode-encoded DNS labels begin with xn--. So blacklisting all .bit domains whose 2nd-level label has that prefix should be sufficient to prevent IDNs from resolving.
Various client-side and registry-side defenses exist. Some clients, e.g. Opera, only display IDNs if they are on a whitelisted TLD that is known to deploy registry-side defenses. As of 2017 April, Firefox and Chromium used client-side defenses that were exploitable.
Another vulnerability was reported to Firefox on 2017 January 20, and was closed as WONTFIX on 2017 January 25; Mozilla's position can be paraphrased as "this is the registry's problem, not the client's." I can confirm that Tor Browser 9.0.5 (latest release as of 2020 March 12) in "Safest" security mode is still vulnerable to the attack site.
ICANN maintains a set of IDN Implementation Guidelines, which are presumably what we would want to base our long-term mitigation on. Unfortunately, the draft 4.0 spec from 2018 May 10 states in Sec. 2.8:
It is important to understand that not all visual similarity issues can be addressed by IDN Tables and IDN policies. Other policies such as dispute resolution policies may be necessary to mitigate against abusive registrations exploiting visually similar characters. For example, even for ASCII letters, digits and hyphen (LDH) based repertoire, where the small letter "l" and digit "1" may be considered visually confusable characters, the mitigation policy for abuse is often addressed by dispute resolution policies, leveraging other bodies of knowledge (e.g. Trademark Law) to evaluate whether similarities between domain names causes confusion and abuse.
Given that Namecoin, by design, does not have any mechanism for trademark disputes, it appears that securely handling IDNs (in any mechanism other than not displaying them as Unicode) in the context of Namecoin-like systems is an unsolved research problem, and I would not want to place heavy bets on it being solved anytime soon.
from ncdns.
I think blocking them for now is prudent.
The best mitigation I've seen is preventing characters from different languages being mixed, but this is complicated.
from ncdns.
I think blocking them for now is prudent.
Okay, thanks.
The best mitigation I've seen is preventing characters from different languages being mixed, but this is complicated.
@ryancdotorg That approach is still vulnerable to the attack that Firefox closed as WONTFIX. Any other reasons that you refer to it as complicated?
from ncdns.
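The stopgap discussed in this thread (refuse .bit names whose 2nd-level label carries the Punycode prefix xn--), sketched as an added example; it is not ncdns code and was not posted by any commenter. The function names `secondLevelLabel` and `blockedIDN` and the sample query names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// acePrefix is the Punycode prefix quoted in the thread.
const acePrefix = "xn--"

// secondLevelLabel (hypothetical helper) returns the label directly left of
// "bit" and true when qname is under .bit; otherwise it returns "", false.
// A trailing root dot is ignored and the name is lowercased first, because
// DNS names compare case-insensitively.
func secondLevelLabel(qname string) (string, bool) {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	labels := strings.Split(name, ".")
	n := len(labels)
	if n < 2 || labels[n-1] != "bit" {
		return "", false
	}
	return labels[n-2], true
}

// blockedIDN (hypothetical helper) reports whether qname is a .bit name whose
// 2nd-level label is Punycode-encoded. Only the 2nd-level label is checked,
// matching the rule as stated in the thread.
func blockedIDN(qname string) bool {
	label, ok := secondLevelLabel(qname)
	return ok && strings.HasPrefix(label, acePrefix)
}

func main() {
	// Constructed sample query names, not taken from the thread.
	samples := []string{
		"example.bit.",
		"xn--e1afmkfd.bit",
		"www.XN--e1afmkfd.bit.",
		"xn--e1afmkfd.example.bit",
		"xn--e1afmkfd.com",
	}
	for _, q := range samples {
		fmt.Printf("%-28s blocked=%v\n", q, blockedIDN(q))
	}
}
```

As written, a Punycode label below the 2nd level (the fourth sample) is not refused, since the rule in the thread names only the 2nd-level label.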