#1347 Create countermeasure against "Unicode forgery"

Reporter Thomas Leister
Owner Zash
Created
Updated
Stars ★ (1)
Tags
  • Milestone-0.12
  • Security
  • Priority-Medium
  • Type-Defect
  • Status-Fixed
  1. Thomas Leister on

    A user on trashserver.net just created an account with the ID "admin@trashserver.net" by using a cyrillic "a" instead of a latin "a". For the server there's two different user names, but for the XMPP users there seems to be only one "admin". They cannot distinguish between the latin and the cyrillic "a" on their displays. Also see: https://www.xudongz.com/blog/2017/idn-phishing/ Prosody should prevent such unicode attacks on registration.

  2. Zash on

    Thanks for the suggestion. This topic is covered by https://www.unicode.org/reports/tr36/ and http://www.unicode.org/reports/tr39/ Work on this was actually started long ago by Florob, but it was never merged for some reason. The main difficulty is the library situation. By default Prosody uses the GNU libidn library for Unicode related operations and it doesn't provide anything for confusables. It does not help that it is deprecated in favor of libidn2 which does provides even fewer features. Also see #533

    Changes
    • tags Status-New Priority-High Status-Accepted Priority-Medium
  3. Zash on

    Note that this has been a known issue in XMPP for years, no point in hiding it.

    Changes
    • tags Hidden
  4. Zash on

    Changes
    • owner Zash
    • tags Milestone-0.12 Status-Started
  5. Zash on

    Fixed in https://hg.prosody.im/trunk/rev/73a447249fe4 :: 9cb639ef5c72 Currently only available if Prosody is built with ICU, which is not the default.

    Changes
    • tags Status-Fixed

New comment

Not published. Used for spam prevention and optional update notifications.