Re: [xri] GCS Spoofing

[Chetan Sabnis <chetan.sabnis@epok.net>]

Great find.  I think the TC needs to address this in order for XRIs to 
be used as links in an email, as URIs would be used in an email today.  
The authority accessed by the resource needs to be be well-understood 
based on looking at the XRI if XRIs are indeed intended for human 
viewing.  I think this is not a GCS-only issue.  It certainly seems like 
the potential is there to spoof authorities in private cross-reference 
domains as well.

Forgive my ignorance, but does the IRI spec address this?  It seems like 
there might be some guidance there.

Chetan

William Tan wrote:

> The ABNF for XRI accommodates two types of authority: XRI authority 
> and IRI authority.
> An XRI authority must begin with a GCS character: "!", "=", "@", "+" 
> or "$". However, if the XRI reference begins with a character that is 
> visually indistinguishable from one of the GCS characters, and the 
> code point is allowed in the the "iunreserved" production, a machine 
> processor would treat it as an IRI authority. This may be a cause for 
> concern since it opens the door for spoofing. For example, an actual 
> XRI may be: xri://@paypal*services/send-money
>
> and it could be spoofed (although not exactly) by using:
>
> xri://@paypal*services/send-money/sub.bad-domain.com/trustme.html
>
> And the "@" sign above is U+FE6B (small commercial at), "*" is U+FE61 
> (small asterisk), and the 4th and 5th "/" are U+2215 (division slash). 
> In effect, the XRI would be interpreted as having an IRI authority (an 
> IDN) of: "@paypal*services/send-money/sub.bad-domain.com". This is 
> possible largely because IDNA allows the slash-like character in an 
> IDN label, giving rise to the possibility of syntax spoofing. And 
> because sub domains appear to right of their parent domains, the 
> malicious domain can be created as a third (or higher) level sub 
> domain so that it is outside of the registry's control.
>
> This is merely a subclass of syntax spoofing homograph attacks on IDN 
> which applies to XRIs.
>
> I'm not sure where is the best place to address it, or if it would 
> even be deemed a problem that the XRI TC would want to solve. If we 
> do, there are at least ways to go about fixing it, at the syntax level 
> (i.e. by mapping or limiting the use of GCS characters) or as a 
> recommendation for XRI clients to disallow or warn the user of 
> GCS-like characters appearing at the beginning of an XRI reference.
>
> wil.
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in 
> OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php