[PATCH] reduce false positives of mailto: link detection

Ingo Klöcker kloecker at kde.org
Fri Mar 25 15:56:34 GMT 2005

On Friday 25 March 2005 16:12, Thiago Macieira wrote:
> Ingo Klöcker wrote:
> >Depending on the font mail at kde.org and mail at kdе.org look the same.
> > OTOH, (almost) the same problem exists with mail at spiegel.de and
> >mail at spiegeI.de.
> The source code reveals a Cyrillic e in the second email, but other
> than that, I would never have guessed. The e's look exactly the same
> to me.
> As for spiegel.de, I can't see any difference even in the email
> source code.

:-), click on both addresses to see the difference in the composer. I 
just gave this example to show that homograph attacks existed already 
before IDNs were introduced. Of course, the normalization of domain 
names to lower case prevents confusion of 'l' and 'I' while it doesn't 
prevent confusion of 'e' and 'е'.

> > Email addresses with IDNs
> >don't work correctly though while URLs with IDNs work.
> That's a bug.

Yeah, obviously.

> >How should we proceed?
> >a) Don't highlight any email addresses/URLs with non-ASCII chars in
> > the domain name?
> >b) Only highlight email addresses/URLs with IDNs for a whitelist of
> > TLDs (as in Konqueror)?
> >c) Highlight all email addresses/URLs, but show the ACE-encoded
> > domain in the status bar (and probably also in a tooltip) for the
> > bad TLDs?
> Don't bother too much with URLs launched in Konqueror. It's its job
> to warn the user about its effects.
> However, given the wide range of programs launchable from URLs in
> KMail, it might be considered a security risk to not warn. I am not
> sure what to do here. If we do show a warning when you click
> https://secure.kdе.org and then Konqueror shows it again when it
> loads, we will be annoying the user.

That's why I proposed c).

> As for email addresses, when you click them, it's kmail that gets
> launched (composer window). In that case, it's KMail's job to warn
> about insecure domains.


> Right now, the rules deep down in the resolver won't let you even
> consider the insecure domains because we will refuse to encode. So
> there's no way you can send an email to an insecure domain, short of
> writing the ACE form by hand. I don't consider there to be a security
> risk _right_ _now_.


> When we bring back some of the functionality, KMail & Konqueror and
> other programs that handle URLs will have to be modified to properly
> show the warnings.
> >Since this affects all apps which automatically highlight email
> >addresses/URLs I cc'ed kde-core-devel.
> I don't see a problem in highlighting, as long as you can never send
> the email to the phishing address, or you're properly warned. Hence
> what I said about it being the launched program's job to warn, not
> the one launching.

Okay. Then for now I'll just fix the above bug in KMail.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20050325/de71bc2d/attachment.sig>
-------------- next part --------------
KMail developers mailing list
KMail-devel at kde.org

More information about the kde-core-devel mailing list