Re: IDN problem.... :(

From: John Hudson (tiro@tiro.com)
Date: Thu Feb 10 2005 - 17:41:39 CST

    John Burger wrote:

    > Here's a popular press description of the problem
    >
    > http://www.macworld.com/news/2005/02/08/spoof/index.php
    >
    > which points to a test for it at Secunia.com. (They registered
    > paypal.com spelled with a Cyrillic "a".) Ironically, IE doesn't fall
    > for the spoof, because it apparently doesn't handle IDNs. Of course,
    > from a user interface perspective, browsers need to do something about
    > this, but I find it annoying that it's described as a "security flaw".
    > My browser doesn't warn me about g00g1e.com yet, either.

    The security issue is simply due to the fact that some characters typically look identical
    to other characters. So change the appearance. There are several ways in which this could
    be done, but most of them rely on users being observant, especially of their address bar,
    since this is the only place in which browsers can reliably control the display of URLs.
    One method would be to display characters from different Unicode ranges in different
    colours in address bar URLs, another would be to use special fonts for the address bar
    which make clear glyph distinctions between characters. The former does not address all
    possible character spoofing, since there are some single ranges that contain characters
    that can take identical forms, e.g. the numerous Arabic characters that share the circular
    heh form in isolation.

    John Hudson

    -- 
    Tiro Typeworks        www.tiro.com
    Vancouver, BC        tiro@tiro.com
    Currently reading:
    Library: an unquiet history, by Matthew Battles
    The peasant of the Garonne, by Jacques Maritain
    

