Opened 10 years ago

Closed 9 years ago

#18 closed defect (fixed)

rewrite Security Considerations section (move spoofing out)

Reported by: lmm@… Owned by:
Priority: major Milestone:
Component: 3987bis Version:
Severity: - Keywords:
Cc:

Description

2248,2256c2308,2311
< <t>Incorrect encoding or decoding can lead to security problems.
< In particular, some UTF-8 decoders do not check against overlong
< byte sequences. As an example, a "/" is encoded with the byte 0x2F
< both in UTF-8 and in US-ASCII, but some UTF-8 decoders also wrongly
< interpret the sequence 0xC0 0xAF as a "/". A sequence such as "%C0%AF.."
< may pass some security tests and then be interpreted
< as "/.." in a path if UTF-8 decoders are fault-tolerant, if conversion
< and checking are not done in the right order, and/or if reserved
< characters and unreserved characters are not clearly distinguished.</t>
---

<t>Incorrect encoding or decoding can lead to security problems. For
example, some UTF-8 decoders do not check against overlong byte
sequences. See <xref target="UTR36"/> section 3 for details.</t>
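Review bot: the replacement for 2248-2256 drops the only concrete illustration of the overlong-sequence problem, namely that "%C0%AF.." can pass a check and then be decoded to "/.." because a lenient decoder accepts 0xC0 0xAF as "/", and with it the three practical conditions the old text named (fault-tolerant decoders, conversion and checking done in the wrong order, reserved and unreserved characters not clearly distinguished). A bare pointer to UTR36 section 3 tells an implementer nothing about what to check; keep at least one sentence of the example, e.g. `A sequence such as "%C0%AF.." may pass some security tests and then be interpreted as "/.." in a path`, and state plainly that decoders must reject overlong forms and that reserved-character checks must run on the decoded form, not before decoding. Also confirm that a reference entry with anchor "UTR36" exists, since this hunk introduces an xref to it.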

2261,2299c2316,2324
< The added resource may pretend to be the real resource by looking
< very similar but may contain all kinds of changes that may be
< difficult to spot and that can cause all kinds of problems.
< Most spoofing possibilities for IRIs are extensions of those for URIs.</t>
<
< <t>Spoofing can occur for various reasons. First, a user's normalization expectations or actual normalization
< when entering an IRI or transcoding an IRI from a legacy character
< encoding do not match the normalization used on the
< server side. Conceptually, this is no different from the problems
< surrounding the use of case-insensitive web servers. For example,
< a popular web page with a mixed-case name ("http://big.example.com/PopularPage.html")
< might be "spoofed" by someone who is able to create "http://big.example.com/popularpage.html".
< However, the use of unnormalized character sequences, and of additional
< mappings for user convenience, may increase the chance for spoofing.
< Protocols and servers that allow the creation of resources with
< names that are not normalized are particularly vulnerable to such
< attacks. This is an inherent
< security problem of the relevant protocol, server, or resource
< and is not specific to IRIs, but it is mentioned here for completeness.</t>
<
< <t>Spoofing can occur in various IRI components, such as the
< domain name part or a path part. For considerations specific
< to the domain name part, see <xref target="RFC3491"/>.
< For the path part, administrators of sites that allow independent
< users to create resources in the same sub area may have to be careful
< to check for spoofing.</t>
<
< <t>Spoofing can occur because in the UCS many characters look very similar. Details are discussed in <xref target="selection"/>.
< Again, this is very similar to spoofing possibilities on US-ASCII,
< e.g., using "br0ken" or "1ame" URIs.</t>
<
< <t>Spoofing can occur when URIs with percent-encodings based on various
< character encodings are accepted to deal with older user agents. In some
< cases, particularly for Latin-based resource names, this is usually easy to
< detect because UTF-8-encoded names, when interpreted and viewed as
< legacy character encodings, produce mostly garbage.</t><t>When
< concurrently used character encodings have a similar structure but there
< are no characters that have exactly the same encoding, detection is more
< difficult.</t>
---

</t>
<t>In general, there are serious difficulties with systems that relying on a human to verify that a presentation of an IRI to them (e.g., visually or read out loud) is the same as another identifier or is the one intended.

While these problems exist with ASCII-only URIs (e.g., confusing bl00mberg.com vs. bloomberg.com), the difficulties are enormously exacerbated when using the larger character repertoire of Unicode; see <xref target="UTR36"/> section 2 for a number of examples.</t>

<t>Spoofing can also occur when URIs with percent-encodings based on various
character encodings are accepted to deal with older user agents.</t>

<t>[[NOTE: UTR36 doesn't mention this; what are these?]] The use of Legacy Extended IRIs introduces additional security issues.</t>
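Review bot: grammar error in the first new paragraph, "systems that relying on a human" should read "systems that rely on a human", and the blank line before "While these problems exist" sits inside that same <t> element, so it will render as one run-on paragraph; either join the two sentences or give the second its own <t>. The editorial marker "[[NOTE: UTR36 doesn't mention this; what are these?]]" must not ship in the spec text, and the sentence it is attached to, "The use of Legacy Extended IRIs introduces additional security issues", names no issue at all; either state what the issues are (or point at the section that defines Legacy Extended IRIs) or delete the sentence. The removal also drops the xrefs to RFC3491 and to the "selection" section, and the paragraph on how percent-encoded legacy encodings can be spotted (UTF-8 names viewed as legacy encodings "produce mostly garbage", with the harder case of encodings of similar structure); check that RFC3491 is still cited elsewhere or drop it from the reference list, and consider keeping the detection sentences, since the new one-sentence paragraph on legacy percent-encodings now gives no guidance at all.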

2301c2326,2328
< <t>Spoofing can occur with bidirectional IRIs, if the restrictions
---

<t>There seems to be little hope of relying on either administrative or technical means to reduce the availability of spoofing exploits. For this reason, user agents SHOULD NOT relying on humans doing visual or perceptual comparison or verification of IRIs as any means of validating or assuring safety, correctness or appropriateness of an IRI. Other means of presenting users with the validity, safety, or appropriateness of visited sites are being developed in the browser community as an alternative means of avoiding these difficulties.</t>

<t>[[NOTE: UTR36 doesn't talk much about BIDI spoofing.]] Spoofing can occur with bidirectional IRIs, if the restrictions
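Review bot: "user agents SHOULD NOT relying on humans" is ungrammatical and should read "user agents SHOULD NOT rely on humans"; since this is capitalised RFC 2119 language, also check that the document's conformance language covers it and that a normative requirement on user agents is meant to live in the Security Considerations. The sentence "Other means of presenting users with the validity, safety, or appropriateness of visited sites are being developed in the browser community" has no citation and will date badly; cite a concrete reference or drop it. The marker "[[NOTE: UTR36 doesn't talk much about BIDI spoofing.]]" is again an editor's note that has to be resolved before this text is committed.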

2304,2305c2331
< and vice versa. It is also very important that a correct Unicode bidirectional
< implementation be used.</t><t>The use of Legacy Extended IRIs introduces additional security issues.</t>
---

and vice versa. </t>
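Review bot: this hunk removes "It is also very important that a correct Unicode bidirectional implementation be used" together with the Legacy Extended IRIs sentence, but only the latter is relocated (to the earlier hunk); the ticket title covers moving spoofing text out, not dropping the bidi implementation requirement, so either keep that sentence here or say why it goes. Also "and vice versa. </t>" has a stray space before the closing tag; write "and vice versa.</t>".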

Change History (1)

comment:1 Changed 9 years ago by duerst@…

  • Resolution set to fixed
  • Status changed from new to closed