I was asked yesterday about the current status of the work on IDN homograph spoofing. Here’s what’s being done.
1. The Unicode Consortium are writing a Technical Report (TR) called “Security Considerations in the Implementation of Unicode and Related Technology”, which includes a section on the homograph problem. This report is currently under active development. It includes the start of a very useful list of ASCII confusables, which should be useful to the registries in point 3.
2. A working group of the IAB, which is part of the IETF, is looking at revisions to stringprep and nameprep, two of the standards underlying IDN. These standards define which characters are permitted, how strings are canonicalised, and so on. We hope to be able to reduce the number of permitted characters without affecting legitimate usage, thereby reducing the scope for spoofing.
3. Registries which are issuing IDN domains are being asked to put in place appropriate policies to prevent two homographic domains being registered to different entities. Such a policy would probably involve a permitted character table (a subset of the characters defined in point 1) and a method of dealing with homographic domains using characters within that table, such as aggregation or blocking.
4. Browser manufacturers are putting in place temporary measures (mozilla.org, Opera, Apple) to protect users while a long-term strategy is devised. The core of that strategy is likely to be based around a blacklist or whitelist of TLDs, allowing IDN to be rolled out for each registry once it has appropriate policies in place (see point 3). We hope to achieve consensus on which registries have such policies, and eventually to have a neutral body keep the list.
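To make the two defensive mechanisms above concrete, here is an added example (my own sketch, not code from the post, the Unicode Consortium or any browser vendor) of a confusables-based homograph check and a TLD-whitelist display decision. The `CONFUSABLES` table is a tiny constructed sample standing in for the TR's real list, and `IDN_WHITELIST_TLDS` is a hypothetical whitelist.

```python
import unicodedata

# Constructed sample of ASCII confusables (Cyrillic letters that render like
# Latin ones). The real table is the one the Unicode TR is assembling; this is
# only enough to demonstrate the mechanism.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# Hypothetical whitelist: TLDs whose registries are assumed to have an
# anti-homograph registration policy in place.
IDN_WHITELIST_TLDS = {"de", "jp"}


def skeleton(label: str) -> str:
    """Canonicalise a label (NFKC, lowercase) and collapse confusables to ASCII."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def is_homograph(label_a: str, label_b: str) -> bool:
    """True if two different labels look identical once confusables are collapsed.

    A registry could run this against existing registrations to block or
    aggregate look-alike labels."""
    return label_a != label_b and skeleton(label_a) == skeleton(label_b)


def display_form(hostname: str) -> str:
    """Browser-side decision: show Unicode only under a whitelisted TLD,
    otherwise fall back to the punycode (xn--) form so the spoof is visible."""
    ace = hostname.encode("idna").decode("ascii")  # canonical ACE form
    tld = ace.rsplit(".", 1)[-1]
    if tld in IDN_WHITELIST_TLDS:
        return ace.encode("ascii").decode("idna")
    return ace


if __name__ == "__main__":
    spoof = "p\u0430ypal"  # constructed: Cyrillic 'а' in place of Latin 'a'
    print(is_homograph("paypal", spoof))  # True
    print(display_form(spoof + ".com"))   # xn--pypal-4ve.com
    print(display_form("m\u00fcller.de"))  # müller.de (whitelisted TLD)
```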
As you can see, this is a hard problem to solve, and work at every level is necessary. However, I hope that once all of it is completed, we will be able to achieve the goal of making legal IDN domains first-class citizens on the Internet, deployable and usable with only the same risks as ASCII domains.