Closed Bug 770877 Opened 12 years ago Closed 12 years ago

Add .com, .net, .name to IDN TLD whitelist

Categories

(Core :: Networking: Domain Lists, defect)

RESOLVED FIXED
mozilla19

People

(Reporter: gerv, Assigned: gerv)

Verisign have emailed me to ask that .com, .net and .name be added to the whitelist.

Link to the Registry Home page:
http://verisigninc.com/en_US/products-and-services/domain-name-services/registry-services/index.xhtml

Link to the Policy Page:
http://verisigninc.com/en_US/products-and-services/domain-name-services/domain-information-center/idn-code-points/index.xhtml

Allowed Code Points as posted on IANA's IDN Repository:
http://www.iana.org/domains/idn-tables/

Homograph Policy:
http://verisigninc.com/en_US/products-and-services/domain-name-services/domain-information-center/idn-code-points/registration-rules/index.xhtml

The new criterion for addition is that their policy be at least as strict as that outlined here:
https://wiki.mozilla.org/IDN_Display_Algorithm

Verisign's policy corresponds to the first 4 things we permit:
    1. Common + Inherited + any other single script;           (or)
    2. Common + Inherited + Latin + Han + Hiragana + Katakana; (or)
    3. Common + Inherited + Latin + Han + Bopomofo;            (or)
    4. Common + Inherited + Latin + Han + Hangul;              

They do not permit:
    5. Common + Inherited + Latin + any single other script except Cyrillic, Greek, or Cherokee

Therefore, their policy is more strict than ours and they can be included in the TLD whitelist under the transitional arrangements.

Gerv
Blocks: 783401
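The script-combination comparison in the comment above can be expressed as a check on a single label. This is an added example, not code from Mozilla, Verisign or the bug's patch; the function names, the limited script list and the sample labels are assumptions, and it uses the Unicode Script property only (not Script_Extensions) on labels already decoded from Punycode.

```javascript
// Added example: classify one IDN label (Unicode form, not Punycode) against
// the five script combinations listed in the comment above.
// Assumption: only this subset of scripts is recognised; a character from any
// other script makes the label fail (conservative), it is not guessed at.
const SCRIPTS = ["Latin", "Han", "Hiragana", "Katakana", "Bopomofo", "Hangul",
  "Cyrillic", "Greek", "Cherokee", "Arabic", "Hebrew", "Thai", "Devanagari"];
const MATCHERS = SCRIPTS.map((s) => [s, new RegExp(`^\\p{Script=${s}}$`, "u")]);
const IGNORED = /^[\p{Script=Common}\p{Script=Inherited}]$/u;

// Scripts present in the label, leaving out Common and Inherited.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) { // iterates by code point, not UTF-16 unit
    if (IGNORED.test(ch)) continue;
    const hit = MATCHERS.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : "Unlisted");
  }
  return found;
}

const within = (set, allowed) => [...set].every((s) => allowed.includes(s));

// Number (1-5) of the first combination the label fits, or 0 for none.
function matchCombination(label) {
  const s = scriptsOf(label);
  if (s.has("Unlisted")) return 0;
  if (s.size <= 1) return 1;
  if (within(s, ["Latin", "Han", "Hiragana", "Katakana"])) return 2;
  if (within(s, ["Latin", "Han", "Bopomofo"])) return 3;
  if (within(s, ["Latin", "Han", "Hangul"])) return 4;
  const risky = ["Cyrillic", "Greek", "Cherokee"].some((x) => s.has(x));
  if (s.size === 2 && s.has("Latin") && !risky) return 5;
  return 0;
}

// The comment says the registry policy covers combinations 1-4 and not 5.
function registryPolicyAllows(label) {
  const c = matchCombination(label);
  return c >= 1 && c <= 4;
}

// Constructed sample labels, written with escapes so the scripts are explicit.
const SAMPLES = {
  latinOnly: "example-1",
  latinHanKana: "abc\u6771\u4EAC\u3068\u30BF",
  latinArabic: "abc\u0645",
  latinCyrillic: "ex\u0430mple",
};
for (const [n, l] of Object.entries(SAMPLES)) console.log(n, matchCombination(l));
```

A label that fits combination 5 but none of 1-4 (Latin plus Arabic in the samples) is where the two policies differ: the display algorithm permits it and the registry policy, as described, does not.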
I'd argue against this for ".com" and ".net" as a security issue. If someone is trying a homograph attack, it will probably be against a name in ".com".  If there are any existing incorrect names in the ".com" TLD, making them inaccessible, or at least bringing up an alert box, would be appropriate.

This would encourage the registries to clean up their act. 

If Network Solutions wants this, let them provide a list of "grandfathered" bad domain names in .com and .net for public examination.
Attached patch Patch v.1 (deleted) — Splinter Review
Assignee: nobody → gerv
Status: NEW → ASSIGNED
Having evaluated the situation and the public discussion, I've decided to proceed with this change.
https://hg.mozilla.org/integration/mozilla-inbound/rev/c95b9413e66e

Gerv
https://hg.mozilla.org/mozilla-central/rev/c95b9413e66e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
This change has been landed to Firefox 17 (both release and ESR channel) by Bug 802568, so now this document has to be updated:
http://www.mozilla.org/projects/security/tld-idn-policy-list.html
Done.

Gerv