IDN characters #242
Comments
I think this is actually referring to Punycode.
@rquadling what does it look like without markdown? I also see
IDN / Punycode ... is related ... one is the representation of the other. So, the IDN allows for Unicode characters. But these characters (and I think they are only English vowels ... maybe not though) look like other letters. So if someone has created a server for the fake URL that then adds the naughty payload in whatever way it wants and sends you a mocked up back (man-in-the-middle sort of thing). The URL will be shown as Punycode. Well. It does in Chrome. Will it in all browsers? Or anything that displays the URL? It's not in links (but is in mouseovers) ... So that's why I feel IDNs should be considered for the list of naughty strings.
Maybe pick one string for each class of problems mentioned in Lord.io's Identity Beyond Usernames?
That is:
I don't really know what to do here. But in terms of "naughty strings" ... I'm hoping the conversation is interesting enough to add something to the list of "naughty strings" in some way.
Would these be a suitable thing to document here?
For example, where do you think this link will take you? http://accounts.googlе.com
Sure. It LOOKS like it'll take you somewhere obvious, but it's not that at all. Hopefully it doesn't ACTUALLY take you anywhere!
All I know ... I'm not clicking it!
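The homograph in the link above, worked through as an added example (this is my code, not part of this issue or the project's list): it prints the Punycode form a browser would show for the look-alike host, and runs a simple mixed-script check that flags a label combining Latin and Cyrillic letters. The hostnames are constructed here, with the Cyrillic letter written as an escape so the substitution is visible in source; the mixed-script heuristic is a simplified illustration of the kind of check browsers apply, not any browser's actual IDN display policy.

```python
import unicodedata

# Constructed sample hosts: the plain Latin name, and a homograph in which the
# final "e" of "google" is CYRILLIC SMALL LETTER IE (U+0435). Written with an
# escape so the substitution is visible rather than hidden in a look-alike glyph.
LATIN_HOST = "accounts.google.com"
HOMOGRAPH_HOST = "accounts.googl\u0435.com"


def to_punycode(host: str) -> str:
    """Return the ASCII (RFC 3492 Punycode, 'xn--' prefixed) form of a hostname.

    Uses Python's built-in idna codec, which applies IDNA processing per label.
    A pure-ASCII host comes back unchanged.
    """
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Script names (first word of each letter's Unicode character name) used in a label.

    The first word of the name ("LATIN", "CYRILLIC", "GREEK", ...) is a crude
    but dependency-free stand-in for the Unicode Script property.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(host: str) -> bool:
    """True if any label of the host mixes letters from more than one script.

    A label that is entirely Cyrillic is legitimate and not flagged; a label
    such as "googl" + Cyrillic "е" mixes Latin and Cyrillic and is flagged.
    """
    return any(len(label_scripts(label)) > 1 for label in host.split("."))


def classify(host: str) -> dict:
    """Summarise what a user-facing component should know before rendering a host."""
    ascii_form = to_punycode(host)
    return {
        "input": host,
        "ascii": ascii_form,
        "is_idn": ascii_form != host,
        "mixed_script": is_mixed_script(host),
    }


if __name__ == "__main__":
    for host in (LATIN_HOST, HOMOGRAPH_HOST):
        info = classify(host)
        # The homograph renders as accounts.xn--googl-3we.com and is flagged as mixed script.
        print(f"{info['input']!r}: ascii={info['ascii']} idn={info['is_idn']} mixed={info['mixed_script']}")
```

Showing the `xn--` form (as Chrome does for this host) is only half the story: a mixed-script label is a stronger signal than "contains non-ASCII", because entirely non-Latin domains are common and legitimate. Any place that displays a hostname (link text, tooltips, logs, e-mail clients) needs the same treatment, which is the gap the comment above about mouseovers points at.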