From: John Burger (john@mitre.org)
Date: Fri Feb 11 2005 - 18:04:42 CST
IANA et al. may eventually decide to restrict certain homographic
registrations, as some have suggested, and I think the idea of
detecting and flagging mixed-script IDNs has some merit. I think we
will in fact need multiple layers of protection against these
vulnerabilities.
I am surprised that some assume that any IANA-maintained list of
homographic characters will have to be human-maintained. As has been
observed, whether one domain name is homographic with another is
font-dependent. It seems to me that it should be possible to determine
automatically, with high accuracy, which glyphs in a particular font
are near-homographic - it's essentially a specialized kind of OCR. The
Unicode tables provide a head-start on this. Then the user can be
warned if the current domain name is different from, but homographic
with, one that they have visited before, all with respect to the
current font. One can imagine building this into proxies, and thus
aggregating statistics on what is the most "popular" of the paypal.com
homographs.
Many improvements to this general scheme are of course possible, and it
needs to be combined with all of the other approaches people have
mentioned. As with many things, half a dozen 90% solutions might
approach the mythical 100% solution.
- John Burger
MITRE
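The two checks proposed in the message above, flagging mixed-script labels and warning when a name is confusable with one already visited, as an added example that is not part of the original post. It assumes a small constructed confusables table (a real deployment would load the full Unicode confusables data or a per-font similarity table, as the post suggests) and approximates a character's script from its Unicode name prefix.

```python
import unicodedata

# Constructed subset of look-alike mappings (assumption: a deployment would use
# the full Unicode confusables.txt or a font-specific glyph-similarity table).
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
}

def script_of(ch):
    """Approximate the Unicode script from the first word of the character name."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def scripts_in_label(label):
    """Set of scripts used by the letters of one DNS label (digits/hyphens ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}

def is_mixed_script(hostname):
    """True if any label mixes scripts, e.g. Latin letters with a Cyrillic 'a'."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))

def skeleton(hostname):
    """Collapse each character to its look-alike so homographs compare equal."""
    nfkc = unicodedata.normalize("NFKC", hostname)
    return "".join(CONFUSABLES.get(ch, ch) for ch in nfkc).casefold()

def homograph_of_visited(hostname, visited):
    """Return a previously visited name that looks like hostname but differs, else None."""
    target = skeleton(hostname)
    for seen in visited:
        if seen != hostname and skeleton(seen) == target:
            return seen
    return None

if __name__ == "__main__":
    visited = {"paypal.com", "example.org"}          # constructed history
    candidate = "p\u0430ypal.com"                    # 'a' is Cyrillic U+0430
    print("mixed script:", is_mixed_script(candidate))
    print("looks like visited:", homograph_of_visited(candidate, visited))
```

The script check alone misses an all-Cyrillic look-alike label, which is why the visited-name comparison runs on the collapsed skeleton as well.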
This archive was generated by hypermail 2.1.5 : Fri Feb 11 2005 - 18:05:25 CST