
Internationalized Domain Names in Google Chrome (Chinese-English)

4 September 2023, 10:00

Internationalized Domain Names (IDN) in Google Chrome

Background

Many years ago, domains could only consist of the Latin letters A to Z, digits, and a few other characters. Internationalized Domain Names (IDNs) were created to better support non-Latin alphabets for web users around the globe.

Different characters from different (or even the same!) languages can look very similar. We've seen reports of proof-of-concept attacks. These are called homograph attacks. For example, the Latin “a” looks a lot like the Cyrillic “а”, so someone could register http://ebаy.com (using Cyrillic “а”), which could be confused for http://ebay.com. This is a limitation of how URLs are displayed in browsers in general, not a specific bug in Chrome.

In a perfect world, domain registrars would not allow these confusable domain names to be registered. Some domain registrars do exactly that, mostly by restricting the characters allowed, but many do not. To better protect against these attacks, browsers display some domains in punycode (looks like xn--...) instead of the original IDN, according to their own IDN policies.

This is a challenging problem space. Chrome has a global user base of billions of people around the world, many of whom are not viewing URLs with Latin letters. We want to prevent confusion, while ensuring that users across languages have a great experience in Chrome. Displaying either punycode or a visible security warning on too wide of a set of URLs would hurt web usability for people around the world.

Chrome and other browsers try to balance these needs by implementing IDN policies in a way that allows IDN to be shown for valid domains, but protects against confusable homograph attacks.

Chrome's IDN policy is one of several tools that aim to protect users. Google Safe Browsing continues to help protect over two billion devices every day by showing warnings to users when they attempt to navigate to dangerous or deceptive sites or download dangerous files. Password managers continue to remember which domain password logins are for, and won't automatically fill a password into a domain that is not the exactly correct one.

How IDN works

IDNs were devised to support arbitrary Unicode characters in hostnames in a backward-compatible way. This works by having user agents transform hostnames containing non-ASCII Unicode characters into an ASCII-only hostname, which can then be sent on to DNS servers. This is done by encoding each domain label into its punycode representation. This representation includes a four-character prefix (xn--) and then the Unicode translated to ASCII Compatible Encoding (ACE). For example, http://öbb.at is transformed to http://xn--bb-eka.at.

Google Chrome's IDN policy

Since Chrome 51, Chrome uses an IDN display policy that does not take into account the language settings (the Accept-Language list) of the browser. A similar strategy is used by Firefox.

Google Chrome decides if it should show Unicode or punycode for each domain label (component) of a hostname separately. To decide if a component should be shown in Unicode, Google Chrome uses the following algorithm:

1. Convert each component stored in the ACE to Unicode per UTS 46 transitional processing (ToUnicode).

2. If there is an error in ToUnicode conversion (e.g. contains disallowed characters, starts with a combining mark, or violates BiDi rules), show punycode.

3. If there is a character in a label not belonging to Characters allowed in identifiers per Unicode Technical Standard 39 (UTS 39), show punycode.

4. If any character in a label belongs to the disallowed list, show punycode.

5. If the component uses characters drawn from multiple scripts, it is subject to a script mixing check based on the “Highly Restrictive” profile of UTS 39 with an additional restriction on Latin. If the component fails the check, show the component in punycode.

· Latin, Cyrillic or Greek characters cannot be mixed with each other

· Latin characters in the ASCII range can be mixed ONLY with Chinese (Han, Bopomofo), Japanese (Kanji, Katakana, Hiragana), or Korean (Hangul, Hanja)

· Han (CJK Ideographs) can be mixed with Bopomofo

· Han can be mixed with Hiragana and Katakana

· Han can be mixed with Korean Hangul

6. If two or more numbering systems (e.g. European digits + Bengali digits) are mixed, show punycode.

7. If there are any invisible characters (e.g. a sequence of the same combining mark or a sequence of Kana combining marks), show punycode.

8. If there are any characters used in an unusual way, show punycode. E.g. LATIN MIDDLE DOT (·) used outside ela geminada.

9. Test the label for mixed script confusable per UTS 39. If mixed script confusable is detected, show punycode.

10. Test the label for whole script confusables: If all the letters in a given label belong to a set of whole-script-confusable letters in one of the whole-script-confusable scripts and if the hostname doesn't have a corresponding allowed top-level-domain for that script, show punycode. Example for Cyrillic: The first label in hostname аррӏе.com (xn--80ak6aa92e.com) is all Cyrillic letters that look like Latin letters AND the TLD (com) is not Cyrillic AND the TLD is not one of the TLDs known to host a large number of Cyrillic domains (e.g. ru, su, pyc, ua). Show it in punycode.

11. If the label contains only digits and digit spoofs, show punycode.

12. If the label matches a dangerous pattern, show punycode.

13. If the skeleton of the registrable part of a hostname is identical to one of the top domains after removing diacritic marks and mapping each character to its spoofing skeleton (e.g. www.googlé.com with é in place of e), show punycode.

Otherwise, show Unicode.
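The label-by-label decision above, and the xn-- punycode rendering described under How IDN works, as an added Python model that is not Chrome's own code: it implements steps 5, 10 and 13 only, approximates script detection from Unicode character names instead of ICU, uses lower() in place of UTS 46 mapping, and treats the lookalike set and top-domain list as constructed stand-ins (the Cyrillic TLDs are the page's own examples).

```python
import unicodedata

EXCLUSIVE = {"LATIN", "CYRILLIC", "GREEK"}   # never mixed with each other (step 5)
CJK = {"CJK", "BOPOMOFO", "HIRAGANA", "KATAKANA", "HANGUL"}  # may mix with ASCII Latin
CYRILLIC_LOOKALIKES = set("аеорсухѕіјӏ")   # constructed subset for step 10
CYRILLIC_TLDS = {"ru", "su", "pyc", "ua"}   # the page's own examples (step 10)
TOP_DOMAINS = {"google", "apple", "ebay"}   # constructed stand-in for step 13

def script_of(ch):
    # Approximate the script from the Unicode character name; digits, hyphens
    # and combining marks become COMMON and take part in no check.
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in EXCLUSIVE | CJK else "COMMON"

def skeleton(label):
    # Step 13, simplified: strip diacritics so "googlé" becomes "google".
    # Chrome also maps confusable letters; this stand-in does not.
    nfkd = unicodedata.normalize("NFKD", label)
    return "".join(c for c in nfkd if not unicodedata.combining(c))

def label_is_safe(label, tld):
    """True if the label may be shown as Unicode under the modelled checks."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    # Step 5: Latin, Cyrillic and Greek never mix; Latin mixes only with CJK
    # scripts, and then only if every Latin letter is in the ASCII range.
    if len(scripts & EXCLUSIVE) > 1:
        return False
    if "LATIN" in scripts and len(scripts) > 1:
        ascii_latin = all(c.isascii() for c in label if script_of(c) == "LATIN")
        if not ascii_latin or not (scripts - {"LATIN"}) <= CJK:
            return False
    # Step 10: whole-script confusable Cyrillic label on a non-Cyrillic TLD.
    letters = {c for c in label if c.isalpha()}
    if scripts == {"CYRILLIC"} and letters <= CYRILLIC_LOOKALIKES and tld not in CYRILLIC_TLDS:
        return False
    # Step 13: the diacritic-stripped skeleton collides with a top domain.
    return not (skeleton(label) != label and skeleton(label) in TOP_DOMAINS)

def display_hostname(hostname):
    """Render each label as Unicode or as its xn-- punycode (ACE) form."""
    labels = hostname.lower().split(".")  # lower() stands in for UTS 46 mapping
    tld = labels[-1]
    shown = []
    for label in labels:
        if label.isascii() or label_is_safe(label, tld):
            shown.append(label)
        else:
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(shown)
```

The page's own examples come out as stated: öbb.at stays Unicode, ebаy.com and аррӏе.com fall to their xn-- forms, and the same Cyrillic label on a .ru TLD is allowed.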

This is implemented by IDNToUnicodeOneComponent() and IsIDNComponentSafe() in components/url_formatter/url_formatter.cc and the IDNSpoofChecker class in components/url_formatter/spoof_checks/idn_spoof_checker.cc.

Additional Protections

In addition to the spoof checks above, Chrome also implements a full page security warning to protect against lookalike URLs. You can find an example of this warning at chrome://interstitials/lookalike. This warning blocks main frame navigations that involve lookalike URLs, either as a direct navigation or as part of a redirect.

The algorithm to show this warning is as follows:

1. If the scheme of the navigation is not http or https, allow the navigation.

2. If the navigation is a redirect, check the redirect chain. If the redirect chain is safe, allow the navigation. (See Defensive Registrations section for details).

3. If the hostname of the navigation has at least a medium site engagement score, allow the navigation. Site engagement score is assigned to sites by the Site Engagement Service.

4. If the hostname of the navigation is in domains.list, allow the navigation.

5. If the user previously allowed the hostname of the navigation by clicking “Ignore” in the warning, allow the navigation. Currently, user decisions are stored per tab, so navigating to the same site in a new tab may show the warning.

6. If the hostname has the same skeleton as a recently engaged site or a top 500 domain, block the navigation and show the warning.

All of these checks are done locally on the client side.

Defensive Registrations

Domain owners can sometimes register multiple versions of their domains, such as the ASCII and IDN versions, to improve user experience and prevent potential spoofs. We call these supplementary domains defensive registrations.

In some cases, Chrome's lookalike warning may flag and block navigations to these domains:

· If one of the sites is in domains.list but the other isn't, the latter will be blocked.

· If the user engaged with one of the sites but not the other, the latter will be blocked.

Avoiding a lookalike warning on your site

Domain owners can avoid the “Did you mean” warning by redirecting their defensive registrations to their canonical domain.

Example: If you own both example.com and éxample.com and the majority of your traffic is to example.com, you can fix the warning by redirecting éxample.com to example.com. The lookalike warning logic considers this a safe redirect and allows the navigation. If you must also redirect http navigations to https, do this in a single redirect such as http://éxample.com -> https://example.com. Use HTTP 301 or HTTP 302 redirects; the lookalike warning ignores meta redirects.

Reporting Security Bugs

We reward certain cases of IDN spoofs according to Chrome's Vulnerability Reward Program policies. Please see this document before reporting a security bug.