When emails contain Unicode characters that look similar to ASCII characters, an attack vector is possible anytime we display the Unicode email as an identifier of a user without punycode-encoding the displayed email.
It would be nice to have an option to make confusing Unicode characters fail email validation, but it might be outside the scope of this library since it depends on the external confusables.txt data file from unicode.org?
I'm reluctant to address security issues like this without fully understanding a specific use case that we're trying to solve, because then I have a feature that I don't know if it solves a problem. For example, I'm not sure whether the confusable characters list actually solves the problem or if it just removes some cases but leaves open exploitable possibilities.
The Unicode Consortium's Visual Spoofing Recommendations agree with this solution as a better alternative than blocking all unicode characters in domains and emails.
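A minimal defensive check along the lines this thread discusses, added here as an illustration and not code from this library or from the issue participants. It uses a tiny constructed subset of the UTS #39 confusables.txt mapping (a real deployment would load the full file from unicode.org), and the function names are hypothetical:

```python
import unicodedata

# Constructed subset of UTS #39 confusables.txt: character -> ASCII prototype.
# Assumption: the real table is much larger and is loaded from unicode.org.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u2024": ".",  # ONE DOT LEADER
}


def skeleton(text):
    """UTS #39 skeleton: NFD, map each char through the table, NFD again."""
    text = unicodedata.normalize("NFD", text)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFD", text)


def is_confusable_with_ascii(label):
    """True if a non-ASCII label collapses to a pure-ASCII skeleton."""
    if label.isascii():
        return False
    return skeleton(label).isascii()


def check_email(address):
    """Return (part, label, ascii_lookalike) for every confusable label."""
    local, _, domain = address.rpartition("@")
    problems = []
    for part_name, part in (("local", local), ("domain", domain)):
        for label in part.split("."):
            if is_confusable_with_ascii(label):
                problems.append((part_name, label, skeleton(label)))
    return problems


def display_form(address):
    """Render an address so non-ASCII never masquerades as ASCII:
    domain labels go through IDNA/punycode, the local part is escaped."""
    local, _, domain = address.rpartition("@")
    safe_local = local.encode("ascii", "backslashreplace").decode("ascii")
    safe_domain = domain.encode("idna").decode("ascii")
    return f"{safe_local}@{safe_domain}"
```

Genuinely non-Latin addresses (for example a Japanese domain label) produce a non-ASCII skeleton and are not flagged, which is the distinction the Visual Spoofing recommendations draw.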