Joel LeBlanc

@ariadne This looks like a Chromium bug because Unicode is not permitted in domain names. I believe any standards-compliant browser will first resolve the string in “punycode” (real name) which breaks the chain of possible exploits before a page gets loaded (see RFC 3490).

Perhaps some DNS pre-caching trick could work? I don’t think DNS has the same transcoding requirement (see the toASCII requirement).

< release the standard nerds! 😈>

1 comment
James Henstridge

@jwleblan @ariadne The domain name in the evil URL is plain ASCII. The non-ASCII characters are in the user name portion of the URL.
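
The distinction drawn in this thread, as an added example that is not part of either post: a check that reports which host a URL actually resolves to and flags non-ASCII or host-like text in the user name portion. The helper name `inspectUrl`, the finding labels and both sample URLs are assumptions constructed for illustration.

```javascript
// Added example. Both URLs are constructed samples, not taken from the thread.
const USERINFO_SAMPLE =
  "https://example.com.caf\u00e9@files.example.net/a.zip"; // non-ASCII in the user name
const IDN_SAMPLE = "https://b\u00fccher.example/"; // non-ASCII in the host itself

// The parser percent-encodes non-ASCII userinfo; decode it for inspection.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s; // malformed percent-escape: keep the raw form
  }
}

// Hypothetical helper: report where a URL really goes and why it may mislead.
function inspectUrl(raw) {
  // WHATWG parser: the host is what follows the last "@" in the authority.
  const u = new URL(raw);
  const userinfo = safeDecode(
    u.password ? `${u.username}:${u.password}` : u.username
  );
  const findings = [];
  if (userinfo) findings.push("userinfo-present");
  if (/[^\x00-\x7f]/.test(userinfo)) findings.push("userinfo-non-ascii");
  // Userinfo that starts like a dotted host name is the visual-confusion signal.
  if (/^[a-z0-9-]+(\.[a-z0-9-]+)+/i.test(userinfo)) {
    findings.push("userinfo-looks-like-host");
  }
  // Non-ASCII host labels leave the parser in their ASCII (xn--) form.
  if (u.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    findings.push("host-punycode");
  }
  return { host: u.hostname, userinfo, findings };
}

console.log(inspectUrl(USERINFO_SAMPLE));
console.log(inspectUrl(IDN_SAMPLE));
```

The first sample yields a plain ASCII host with the non-ASCII text confined to the userinfo, so Punycode conversion of the host never comes into play; the second shows the host conversion itself.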
