
Internationalized Domain Names in Google Chrome (Chinese-English edition)

2023-09-04 10:00

Internationalized Domain Names (IDN) in Google Chrome

Background

Many years ago, domains could only consist of the Latin letters A to Z, digits, and a few other characters. Internationalized Domain Names (IDNs) were created to better support non-Latin alphabets for web users around the globe.

Different characters from different (or even the same!) languages can look very similar. We've seen reports of proof-of-concept attacks. These are called homograph attacks. For example, the Latin "a" looks a lot like the Cyrillic "а", so someone could register http://ebаy.com (using Cyrillic "а"), which could be confused for http://ebay.com. This is a limitation of how URLs are displayed in browsers in general, not a specific bug in Chrome.

In a perfect world, domain registrars would not allow these confusable domain names to be registered. Some domain registrars do exactly that, mostly by restricting the characters allowed, but many do not. To better protect against these attacks, browsers display some domains in punycode (looks like xn--...) instead of the original IDN, according to their own IDN policies.

This is a challenging problem space. Chrome has a global user base of billions of people around the world, many of whom are not viewing URLs with Latin letters. We want to prevent confusion, while ensuring that users across languages have a great experience in Chrome. Displaying either punycode or a visible security warning on too wide a set of URLs would hurt web usability for people around the world.

Chrome and other browsers try to balance these needs by implementing IDN policies in a way that allows IDN to be shown for valid domains, but protects against confusable homograph attacks.

Chrome's IDN policy is one of several tools that aim to protect users. Google Safe Browsing continues to help protect over two billion devices every day by showing warnings to users when they attempt to navigate to dangerous or deceptive sites or download dangerous files. Password managers continue to remember which domain password logins are for, and won't automatically fill a password into a domain that is not exactly the correct one.

How IDN works

IDNs were devised to support arbitrary Unicode characters in hostnames in a backward-compatible way. This works by having user agents transform hostnames containing non-ASCII Unicode characters into an ASCII-only hostname, which can then be sent on to DNS servers. This is done by encoding each domain label into its punycode representation. This representation includes a four-character prefix (xn--) and then the Unicode translated to ASCII Compatible Encoding (ACE). For example, http://öbb.at is transformed to http://xn--bb-eka.at.


Google Chrome's IDN policy

Since Chrome 51, Chrome uses an IDN display policy that does not take into account the language settings (the Accept-Language list) of the browser. A similar strategy is used by Firefox.

Google Chrome decides if it should show Unicode or punycode for each domain label (component) of a hostname separately. To decide if a component should be shown in Unicode, Google Chrome uses the following algorithm:

1. Convert each component stored in the ACE to Unicode per UTS 46 transitional processing (ToUnicode).

2. If there is an error in ToUnicode conversion (e.g. contains disallowed characters, starts with a combining mark, or violates BiDi rules), show punycode.

3. If there is a character in a label not belonging to Characters allowed in identifiers per Unicode Technical Standard 39 (UTS 39), show punycode.

4. If any character in a label belongs to the disallowed list, show punycode.

5. If the component uses characters drawn from multiple scripts, it is subject to a script mixing check based on the Highly Restrictive profile of UTS 39 with an additional restriction on Latin. If the component fails the check, show the component in punycode.

   · Latin, Cyrillic or Greek characters cannot be mixed with each other

   · Latin characters in the ASCII range can be mixed ONLY with Chinese (Han, Bopomofo), Japanese (Kanji, Katakana, Hiragana), or Korean (Hangul, Hanja)

   · Han (CJK Ideographs) can be mixed with Bopomofo

   · Han can be mixed with Hiragana and Katakana

   · Han can be mixed with Korean Hangul

6. If two or more numbering systems (e.g. European digits + Bengali digits) are mixed, show punycode.

7. If there are any invisible characters (e.g. a sequence of the same combining mark or a sequence of Kana combining marks), show punycode.

8. If there are any characters used in an unusual way, show punycode. E.g. LATIN MIDDLE DOT (·) used outside ela geminada.

9. Test the label for mixed script confusable per UTS 39. If mixed script confusable is detected, show punycode.

10. Test the label for whole script confusables: If all the letters in a given label belong to a set of whole-script-confusable letters in one of the whole-script-confusable scripts and if the hostname doesn't have a corresponding allowed top-level-domain for that script, show punycode. Example for Cyrillic: The first label in hostname аррӏе.com (xn--80ak6aa92e.com) is all Cyrillic letters that look like Latin letters AND the TLD (com) is not Cyrillic AND the TLD is not one of the TLDs known to host a large number of Cyrillic domains (e.g. ru, su, pyc, ua). Show it in punycode.

11. If the label contains only digits and digit spoofs, show punycode.

12. If the label matches a dangerous pattern, show punycode.

13. If the skeleton of the registrable part of a hostname is identical to one of the top domains after removing diacritic marks and mapping each character to its spoofing skeleton (e.g. www.googlé.com with é in place of e), show punycode.

Otherwise, show Unicode.

This is implemented by IDNToUnicodeOneComponent() and IsIDNComponentSafe() in components/url_formatter/url_formatter.cc and the IDNSpoofChecker class in components/url_formatter/spoof_checks/idn_spoof_checker.cc.
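A reduced model of this decision procedure, added here as an example (it is not Chromium's code and does not call the functions named above). It implements the script-mixing rule of step 5, the numbering-system check of step 6, the Cyrillic whole-script-confusable check of step 10 and the top-domain skeleton check of step 13, applied to any hostname; steps 1-4, 7-9, 11 and 12 are not modelled. Scripts are bucketed from Unicode character names via unicodedata (a heuristic stand-in for the Unicode Script property), the registrable part is taken as the last two labels rather than via the Public Suffix List, and the lookalike set, confusable map, TLD list and top-domain list are small constructed samples rather than Chrome's data.

```python
# Added example, not Chromium code: a reduced model of Chrome's per-label IDN
# display decision covering steps 5, 6, 10 and 13 of the policy above.
# Scripts are bucketed from Unicode character names (a heuristic stand-in for
# the Unicode Script property); all tables below are small constructed samples.
import unicodedata

_SCRIPT_PREFIXES = (("LATIN", "Latin"), ("CYRILLIC", "Cyrillic"), ("GREEK", "Greek"),
                    ("CJK", "Han"), ("HIRAGANA", "Hiragana"), ("KATAKANA", "Katakana"),
                    ("BOPOMOFO", "Bopomofo"), ("HANGUL", "Hangul"))
# Highly Restrictive profile: ASCII Latin may join at most one of these groups.
CJK_GROUPS = ({"Han", "Hiragana", "Katakana"}, {"Han", "Bopomofo"}, {"Han", "Hangul"})
CYRILLIC_LOOKALIKES = set("аеорсухіјѕһԁԛԝӏ")      # sample whole-script-confusable set
CYRILLIC_TLDS = {"ru", "su", "ua"}                 # sample of TLDs where all-Cyrillic labels are fine
CONFUSABLE_TO_LATIN = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
                       "і": "i", "ј": "j", "ѕ": "s", "һ": "h", "ԁ": "d", "ԛ": "q", "ԝ": "w",
                       "ӏ": "l", "ı": "i", "ɡ": "g", "ο": "o", "ν": "v"}
TOP_DOMAINS = {"google.com", "apple.com", "ebay.com", "example.com"}   # constructed sample


def script_of(ch):
    """Rough script bucket for one character."""
    if ch.isdecimal() or not ch.isalnum():
        return "Common"                      # digits, hyphen, combining marks
    if ch.isascii():
        return "Latin"
    name = unicodedata.name(ch, "UNKNOWN")
    for prefix, script in _SCRIPT_PREFIXES:
        if name.startswith(prefix):
            return script
    return name.split(" ")[0].title()        # e.g. "Arabic", "Hebrew"


def skeleton(text):
    """Step 13 skeleton: drop diacritics, then map confusables onto their Latin look-alike."""
    stripped = "".join(c for c in unicodedata.normalize("NFD", text) if not unicodedata.combining(c))
    return "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in stripped)


def label_display(label, tld):
    """Return "unicode" or "punycode" for one label; tld is the hostname's last label."""
    if label.isascii():
        return "unicode"
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) > 1:                                     # step 5: script mixing
        latin_is_ascii = all(c.isascii() for c in label if script_of(c) == "Latin")
        non_latin = scripts - {"Latin"}
        if not (latin_is_ascii and any(non_latin <= group for group in CJK_GROUPS)):
            return "punycode"                                # Latin+Cyrillic, Greek+Latin, ...
    systems = {unicodedata.name(c).split("DIGIT")[0] for c in label if c.isdecimal()}
    if len(systems) > 1:                                     # step 6: mixed numbering systems
        return "punycode"
    letters = [c for c in label if c.isalpha()]
    if letters and all(c in CYRILLIC_LOOKALIKES for c in letters) and tld not in CYRILLIC_TLDS:
        return "punycode"                                    # step 10: whole-script confusable
    return "unicode"


def display_hostname(host):
    """Render a hostname as the policy would show it, label by label."""
    labels = host.lower().split(".")
    tld = labels[-1]
    registrable = ".".join(labels[-2:])       # simplification: Chrome uses the Public Suffix List
    spoofs_top = registrable not in TOP_DOMAINS and skeleton(registrable) in TOP_DOMAINS  # step 13
    shown = []
    for label in labels:
        if label.isascii() or (not spoofs_top and label_display(label, tld) == "unicode"):
            shown.append(label)
        else:
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(shown)
```

With these sample tables, display_hostname("аррӏе.com") yields "xn--80ak6aa92e.com" (whole-script confusable, and its skeleton is apple.com), while display_hostname("аррӏе.ru") keeps the Cyrillic label because ru is an allowed TLD for that script; "東京abc.jp" stays in Unicode because ASCII Latin may mix with Han, but "ebаy.com" with a Cyrillic а is forced to punycode by the Latin/Cyrillic mixing rule.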


Additional Protections

In addition to the spoof checks above, Chrome also implements a full page security warning to protect against lookalike URLs. You can find an example of this warning at chrome://interstitials/lookalike. This warning blocks main frame navigations that involve lookalike URLs, either as a direct navigation or as part of a redirect.

The algorithm to show this warning is as follows:

1. If the scheme of the navigation is not http or https, allow the navigation.

2. If the navigation is a redirect, check the redirect chain. If the redirect chain is safe, allow the navigation. (See the Defensive Registrations section for details).

3. If the hostname of the navigation has at least a medium site engagement score, allow the navigation. Site engagement score is assigned to sites by the Site Engagement Service.

4. If the hostname of the navigation is in domains.list, allow the navigation.

5. If the user previously allowed the hostname of the navigation by clicking "Ignore" in the warning, allow the navigation. Currently, user decisions are stored per tab, so navigating to the same site in a new tab may show the warning.

6. If the hostname has the same skeleton as a recently engaged site or a top 500 domain, block the navigation and show the warning.

All of these checks are done locally on the client side.

Defensive Registrations

Domain owners can sometimes register multiple versions of their domains, such as the ASCII and IDN versions, to improve user experience and prevent potential spoofs. We call these supplementary domains defensive registrations.

In some cases, Chrome's lookalike warning may flag and block navigations to these domains:

· If one of the sites is in domains.list but the other isn't, the latter will be blocked.

· If the user engaged with one of the sites but not the other, the latter will be blocked.

Avoiding a lookalike warning on your site

Domain owners can avoid the "Did you mean" warning by redirecting their defensive registrations to their canonical domain.

Example: If you own both example.com and éxample.com and the majority of your traffic is to example.com, you can fix the warning by redirecting éxample.com to example.com. The lookalike warning logic considers this a safe redirect and allows the navigation. If you must also redirect http navigations to https, do this in a single redirect such as http://éxample.com -> https://example.com. Use HTTP 301 or HTTP 302 redirects; the lookalike warning ignores meta redirects.
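The warning algorithm of the Additional Protections section and the safe-redirect rule for defensive registrations, modelled together as an added example (not Chromium's code). Its assumptions: the decision is made on the hostname the user requested (the first URL of the redirect chain); a redirect is safe only when its first hop lands directly on the domain the lookalike resembles; the medium engagement threshold is a made-up constant; the skeleton only strips diacritics and folds a few Cyrillic letters; and the top-domain list, the allowlist standing in for domains.list, the engagement scores and the engaged sites are constructed sample data.

```python
# Added example, not Chromium code: a model of the lookalike-warning decision
# and the "safe redirect" rule for defensive registrations described above.
# Every table and threshold here is a constructed sample or an assumption.
import unicodedata
from urllib.parse import urlsplit

TOP_DOMAINS = {"example.com", "google.com"}        # stands in for the top 500 list
ALLOWLIST = {"gооgle.com"}                          # stands in for domains.list (two Cyrillic о)
MEDIUM_ENGAGEMENT = 15.0                            # assumed threshold on the 0..100 score
FOLD = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "ӏ": "l"}   # tiny confusable map


def skeleton(host):
    """Strip diacritics, then fold a few Cyrillic lookalikes onto Latin letters."""
    stripped = "".join(c for c in unicodedata.normalize("NFD", host) if not unicodedata.combining(c))
    return "".join(FOLD.get(c, c) for c in stripped)


def lookalike_of(host, engaged_sites):
    """Return the top or recently engaged domain that `host` resembles, or None."""
    sk = skeleton(host)
    for candidate in sorted(TOP_DOMAINS | set(engaged_sites)):
        if candidate != host and skeleton(candidate) == sk:
            return candidate
    return None


def decide(chain, engagement=None, engaged_sites=(), tab_allowed=()):
    """chain: the requested URL followed by each HTTP 301/302 redirect target.
    A meta refresh starts a new navigation and never appears in the chain.
    Returns (decision, reason)."""
    engagement = engagement or {}
    first, last = urlsplit(chain[0]), urlsplit(chain[-1])
    if last.scheme not in ("http", "https"):                   # step 1
        return "allow", "not an http(s) navigation"
    host = first.hostname
    target = lookalike_of(host, engaged_sites)
    if len(chain) > 1 and target and urlsplit(chain[1]).hostname == target:   # step 2
        return "allow", f"safe redirect: {host} -> {target} in one hop"
    if engagement.get(host, 0.0) >= MEDIUM_ENGAGEMENT:         # step 3
        return "allow", "site engagement at least medium"
    if host in ALLOWLIST:                                      # step 4
        return "allow", "hostname allowlisted"
    if host in tab_allowed:                                    # step 5
        return "allow", "user clicked Ignore in this tab"
    if target:                                                 # step 6
        return "block", f"{host} has the same skeleton as {target}"
    return "allow", "no lookalike match"
```

In this model the chain http://éxample.com -> https://éxample.com -> https://example.com is blocked, because the first hop does not leave the lookalike host, which is why the text recommends a single redirect; a direct http://éxample.com -> https://example.com hop is allowed as a safe redirect. A meta refresh never appears in the chain at all, so it cannot make the navigation safe.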


Reporting Security Bugs

We reward certain cases of IDN spoofs according to Chrome's Vulnerability Reward Program policies. Please see this document before reporting a security bug.


2011-2019 Copyrights reserved 京ICP備05006316號. Copyright: 中國互聯(lián)網(wǎng)協(xié)會 (Internet Society of China).
Technical support: 北京圣明慧力科技有限公司.