by Michael S. Kaplan, published on 2005/08/20 21:16 -07:00, original URI: http://blogs.msdn.com/michkap/archive/2005/08/20/454144.aspx
Back in January, just before the flap at the hacker's convention with the paypal.com like that used a cyrillic 'a' to prove that IDN without a way to ferret out phishing attacks, I posted my own post entitled International Domain Names? The sign on the door says 'Gone Phishing'....
It was an interesting flap because the RFCs for Internationalized Domain Names clearly points out the dangers and talks about the need to do some extra work to avoid security issues, but several browsers jumped ahead to support them and then just as quickly rushed out to turn them off by default.
Folks at Microsoft, who knew about the need to do work here first, did not jump ahead without looking. And Microsoft was complimented for not jumping in too quickly. :-)
Unicode has move in to assist with Unicode Technical Report #36: Unicode Security Considerations.
And now Microsoft has some functions to help ISVs jump in (functions that can and will also be used in future versions of Microsoft products!).
Here it is: Microsoft Internationalized Domain Names (IDN) Mitigation APIs 1.0.
From the overview:
The "Internationalized Domain Names Mitigation APIs" download includes several API functions to convert an IDN to different representations, as well as several API functions specifically intended to allow applications to mitigate some of the security risks presented by this technology. The functions IdnToAscii, IdnToUnicode, and IdnToNameprepUnicode each convert an IDN string to a particular form. The functions DownlevelGetLocaleScripts, DownlevelGetStringScripts, and DownlevelVerifyScripts allow applications to verify that the characters in a given IDN are drawn entirely from the scripts associated with a particular locale or locales. However, these functions are only helpers; applications have still to perform comprehensive threat modeling and create appropriate mitigation for these threats.
Also included are the Unicode normalization APIs IsNormalizedString and NormalizeString, which are used by the mitigation APIs.
This package is supported on XP (Service Pack 2 or later) and Server 2003 (Service Pack 1 or later). And differently named functions will also be in Vista!
For info on the Normalization API functions, look here.
For info on the IDN API functions, look here.
The cool functions in the package to help with the mitigation (they make use of ISO 15942 for their script definitions):
You can use these functions as part of your strategy for dealing properly with internationalized domain names -- warning users of potentially dangerous links to information.
This post brought to you by "а" (U+0430, a.k.a. CYRILLIC SMALL LETTER A)
# Maurits on Sunday, August 21, 2005 1:22 PM:
# Michael S. Kaplan on Sunday, August 21, 2005 1:29 PM:
# Maurits on Monday, August 22, 2005 12:18 PM:
# Michael S. Kaplan on Monday, August 22, 2005 1:22 PM:
# Maurits on Monday, August 22, 2005 1:34 PM:
# Michael S. Kaplan on Monday, August 22, 2005 1:45 PM:
# Maurits on Monday, August 22, 2005 1:51 PM:
# Michael S. Kaplan on Monday, August 22, 2005 10:03 PM:
# Maurits on Friday, September 30, 2005 2:47 PM:
# Michael S. Kaplan on Friday, September 30, 2005 2:53 PM:
2008/04/30 Why WC2MB needs a CP, chaver sheli!
2006/07/28 The download you requested is unavailable.
2006/06/17 64-bit thoughts, and an apology
2006/01/14 Getting out of the compatibility zone, redux
2005/12/20 IDN hits the uber-client
2005/12/03 When even the bugs seem cool
2005/09/29 It's already in there, or it's on the way
2005/09/09 Safe 'DrawText' function
go to newer or older post, or back to index or month or day