
Comments (4)

JeremyRand avatar JeremyRand commented on May 23, 2024

My understanding is that @ryancdotorg agrees with my assessment and proposed stopgap fix -- Ryan, is that accurate?

from ncdns.

JeremyRand avatar JeremyRand commented on May 23, 2024

Some additional notes.

Punycode-encoded DNS labels begin with xn--. So blacklisting all .bit domains whose 2nd-level label has that prefix should be sufficient to prevent IDNs from resolving.

Various client-side and registry-side defenses exist. Some clients, e.g. Opera, only display IDNs if they are on a whitelisted TLD that is known to deploy registry-side defenses. As of 2017 April, Firefox and Chromium used client-side defenses that were exploitable.

Another vulnerability was reported to Firefox on 2017 January 20, and was closed as WONTFIX on 2017 January 25; Mozilla's position can be paraphrased as "this is the registry's problem, not the client's." I can confirm that Tor Browser 9.0.5 (latest release as of 2020 March 12) in "Safest" security mode is still vulnerable to the attack site.

ICANN maintains a set of IDN Implementation Guidelines, which are presumably what we would want to base our long-term mitigation on. Unfortunately, the draft 4.0 spec from 2018 May 10 states in Sec. 2.8:

It is important to understand that not all visual similarity issues can be addressed by IDN Tables and IDN policies. Other policies such as dispute resolution policies may be necessary to mitigate against abusive registrations exploiting visually similar characters. For example, even for ASCII letters, digits and hyphen (LDH) based repertoire, where the small letter "l" and digit "1" may be considered visually confusable characters, the mitigation policy for abuse is often addressed by dispute resolution policies, leveraging other bodies of knowledge (e.g. Trademark Law) to evaluate whether similarities between domain names causes confusion and abuse.

Given that Namecoin, by design, does not have any mechanism for trademark disputes, it appears that securely handling IDNs (in any mechanism other than not displaying them as Unicode) in the context of Namecoin-like systems is an unsolved research problem, and I would not want to place heavy bets on it being solved anytime soon.


ryancdotorg avatar ryancdotorg commented on May 23, 2024

I think blocking them for now is prudent.

The best mitigation I've seen is preventing characters from different languages being mixed, but this is complicated.


JeremyRand avatar JeremyRand commented on May 23, 2024

> I think blocking them for now is prudent.

Okay, thanks.

> The best mitigation I've seen is preventing characters from different languages being mixed, but this is complicated.

@ryancdotorg That approach is still vulnerable to the attack that Firefox closed as WONTFIX. Any other reasons that you refer to it as complicated?

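The two mitigations discussed in this thread, as an added Go example (written for this page, not ncdns code): the stopgap from JeremyRand's comment, which refuses any .bit name whose second-level label is Punycode (prefix `xn--`), and the mixed-script rule from ryancdotorg's comment, applied to an already-decoded Unicode label. The function names, the script table (Latin, Cyrillic, Greek, digits/hyphen as common) and the sample names are assumptions constructed for the demonstration; decoding an `xn--` label to Unicode needs an IDNA library and is not shown. The last sample label is built entirely from Cyrillic letters, so it passes the mixed-script rule unchanged; that is my own illustration of why a mixed-script rule on its own does not stop a single-script look-alike, not a reconstruction of the specific attack the thread refers to.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// blockPunycodeBit is the stopgap from the thread: any .bit name whose
// second-level label is an A-label (Punycode, prefix "xn--") is refused before
// resolution. The name is lowercased first because DNS labels are
// case-insensitive, so a rule that only matched "xn--" would let "XN--" through.
// Only the 2nd-level label is checked, as proposed; deeper labels are untouched.
// Returns (blocked, reason).
func blockPunycodeBit(name string) (bool, string) {
	n := strings.ToLower(strings.TrimSuffix(name, ".")) // tolerate an FQDN trailing dot
	labels := strings.Split(n, ".")
	if len(labels) < 2 || labels[len(labels)-1] != "bit" {
		return false, "not a .bit name"
	}
	sld := labels[len(labels)-2]
	if strings.HasPrefix(sld, "xn--") {
		return true, "second-level label is Punycode: " + sld
	}
	return false, "ASCII second-level label"
}

// scriptOf maps a rune to a coarse script class. Digits and hyphen are treated
// as "Common" (allowed alongside any script). Only three scripts are modelled
// here (an assumption for the example); a real filter must cover every script
// it accepts, otherwise two unknown scripts both land in "Other" and never clash.
func scriptOf(r rune) string {
	switch {
	case r == '-' || unicode.IsDigit(r):
		return "Common"
	case unicode.Is(unicode.Latin, r):
		return "Latin"
	case unicode.Is(unicode.Cyrillic, r):
		return "Cyrillic"
	case unicode.Is(unicode.Greek, r):
		return "Greek"
	default:
		return "Other"
	}
}

// isMixedScript reports whether a decoded (Unicode) label mixes letters from
// more than one script. It flags "p\u0430ypal" (Latin plus one Cyrillic a) but
// not a label made entirely of Cyrillic letters, which is the gap noted above.
func isMixedScript(label string) bool {
	seen := ""
	for _, r := range label {
		s := scriptOf(r)
		if s == "Common" {
			continue
		}
		if seen == "" {
			seen = s
			continue
		}
		if s != seen {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample names; "xn--80ak6aa92e" is used only as an A-label shape.
	for _, n := range []string{"example.bit", "xn--80ak6aa92e.bit", "XN--80AK6AA92E.bit.", "www.xn--80ak6aa92e.bit", "xn--80ak6aa92e.com"} {
		b, why := blockPunycodeBit(n)
		fmt.Printf("%-26s blocked=%-5v %s\n", n, b, why)
	}
	// Constructed decoded labels: pure Latin, Latin with a Cyrillic a, pure Cyrillic.
	for _, l := range []string{"paypal", "p\u0430ypal", "\u0430\u0440\u0440\u04cf\u0435"} {
		fmt.Printf("%q mixed-script=%v\n", l, isMixedScript(l))
	}
}
```

Note that the block operates on two different representations: `blockPunycodeBit` sees the wire-form ASCII name that a resolver such as ncdns receives, while `isMixedScript` sees the Unicode label a browser would display after IDNA decoding, which is where a client-side mixed-script rule would run.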
