xri message
Subject: GCS Spoofing


The ABNF for XRI accommodates two types of authority: XRI authority and 
IRI authority.
An XRI authority must begin with a GCS character: "!", "=", "@", "+" or 
"$". However, if the XRI reference begins with a character that is 
visually indistinguishable from one of the GCS characters, and the code 
point is allowed in the "iunreserved" production, a machine 
processor would treat it as an IRI authority. This may be a cause for 
concern since it opens the door for spoofing. For example, an actual XRI 
may be:

xri://@paypal*services/send-money

and it could be spoofed (although not exactly) by using:

xri://@paypal*services/send-money/sub.bad-domain.com/trustme.html

And the "@" sign above is U+FE6B (small commercial at), "*" is U+FE61 
(small asterisk), and the 4th and 5th "/" are U+2215 (division slash). 
In effect, the XRI would be interpreted as having an IRI authority (an 
IDN) of: "@paypal*services/send-money/sub.bad-domain.com". This is 
possible largely because IDNA allows the slash-like character in an IDN 
label, giving rise to the possibility of syntax spoofing. And because 
sub domains appear to the right of their parent domains, the malicious 
domain can be created as a third (or higher) level sub domain so that it 
is outside of the registry's control.

This is merely a subclass of syntax spoofing homograph attacks on IDN 
which applies to XRIs.

I'm not sure where is the best place to address it, or if it would even 
be deemed a problem that the XRI TC would want to solve. If we do, there 
are at least ways to go about fixing it, at the syntax level (i.e. by 
mapping or limiting the use of GCS characters) or as a recommendation 
for XRI clients to disallow or warn the user of GCS-like characters 
appearing at the beginning of an XRI reference.

wil.
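As an added example (not part of wil's post or any XRI TC material), the following Python check implements the client-side recommendation above: it flags code points that imitate a GCS character or an XRI delimiter, using the three code points named in the post plus NFKC compatibility folding to catch further variants such as fullwidth forms (that generalisation is an assumption beyond the post). The function names and the sample strings are constructed.

```python
import unicodedata

GCS_CHARS = set("!=@+$")            # XRI global context symbols
XRI_SYNTAX = GCS_CHARS | set("*/")  # plus the delimiters used in the post's example

# Lookalikes named in the post; division slash has no NFKC decomposition, so it is listed.
KNOWN_CONFUSABLES = {
    "\uFE6B": "@",  # SMALL COMMERCIAL AT
    "\uFE61": "*",  # SMALL ASTERISK
    "\u2215": "/",  # DIVISION SLASH
}

def lookalike_for(ch):
    """Return the ASCII XRI syntax character `ch` imitates, else None. NFKC folding
    (fullwidth, small-form variants) is an added generalisation beyond the post."""
    if ch in KNOWN_CONFUSABLES:
        return KNOWN_CONFUSABLES[ch]
    if ord(ch) < 0x80:
        return None
    folded = unicodedata.normalize("NFKC", ch)
    return folded if len(folded) == 1 and folded in XRI_SYNTAX else None

def scan_xri(ref):
    """Every lookalike in the reference as (index, code point, name, imitated char)."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"), t)
            for i, ch in enumerate(ref) if (t := lookalike_for(ch))]

def _authority_start(ref):
    return len("xri://") if ref.startswith("xri://") else 0

def authority_kind(ref):
    """As the ABNF rule in the post: a leading GCS char means XRI authority, else IRI."""
    start = _authority_start(ref)
    return "xri-authority" if ref[start:start + 1] in GCS_CHARS else "iri-authority"

def assess(ref):
    """Client-side rule suggested in the post: reject when the authority begins
    with a GCS lookalike, warn when lookalikes appear elsewhere, otherwise ok."""
    hits = scan_xri(ref)
    start = _authority_start(ref)
    if any(i == start and t in GCS_CHARS for i, _, _, t in hits):
        verdict = "reject"
    else:
        verdict = "warn" if hits else "ok"
    return {"authority": authority_kind(ref), "lookalikes": hits, "verdict": verdict}

# Constructed samples: the post's genuine XRI and its lookalike version.
GENUINE = "xri://@paypal*services/send-money"
SPOOFED = "xri://\uFE6Bpaypal\uFE61services/send-money\u2215sub.bad-domain.com\u2215trustme.html"
```

For SPOOFED, `assess` reports an IRI authority and the verdict "reject", listing four hits: U+FE6B, U+FE61 and the two U+2215 slashes.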

