
Re: IDN problem.... :(

From: by way of Martin Duerst <tiro@tiro.com>
Date: Sun, 13 Feb 2005 16:38:37 +0900
Message-Id: <6.0.0.20.2.20050213163829.0731e580@localhost>
To: www-international@w3.org




John Burger wrote:

>Here's a popular press description of the problem
>   http://www.macworld.com/news/2005/02/08/spoof/index.php
>which points to a test for it at Secunia.com.  (They registered paypal.com 
>spelled with a Cyrillic "a".)  Ironically, IE doesn't fall for the spoof, 
>because it apparently doesn't handle IDNs.  Of course, from a user 
>interface perspective, browsers need to do something about this, but I 
>find it annoying that it's described as a "security flaw".
>My browser doesn't warn me about g00g1e.com yet, either.

The security issue is simply due to the fact that some characters 
typically look identical to other characters. So change the appearance. 
There are several ways in which this could be done, but most of them rely 
on users being observant, especially of their address bar, since this is 
the only place in which browsers can reliably control the display of URLs. 
One method would be to display characters from different Unicode ranges in 
different colours in address bar URLs, another would be to use special 
fonts for the address bar which make clear glyph distinctions between 
characters. The former does not address all possible character spoofing, 
since there are some single ranges that contain characters that can take 
identical forms, e.g. the numerous Arabic characters that share the 
circular heh form in isolation.

John Hudson

--

Tiro Typeworks        www.tiro.com
Vancouver, BC        tiro@tiro.com

Currently reading:
Library: an unquiet history, by Matthew Battles
The peasant of the Garonne, by Jacques Maritain
Received on Monday, 14 February 2005 00:53:12 GMT
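
The per-range display idea in the message above, as an added example (not part of the original message or of any browser's code): each hostname label is split into runs by Unicode script, which is what an address bar would need in order to colour ranges differently. The function names, the script subset and the sample hostnames are assumptions constructed for illustration.

```javascript
// Added example: split each hostname label into runs of one Unicode script,
// the segmentation an address bar would need to colour ranges differently.
// SCRIPTS is a small illustrative subset, not a complete list.
const SCRIPTS = ["Latin", "Cyrillic", "Greek", "Arabic", "Hebrew", "Han"];
const SCRIPT_RE = SCRIPTS.map((name) => [name, new RegExp(`^\\p{Script=${name}}$`, "u")]);
const NEUTRAL_RE = /^[\p{Script=Common}\p{Script=Inherited}]$/u; // digits, hyphen, combining marks

function scriptOf(ch) {
  if (NEUTRAL_RE.test(ch)) return "Common";
  for (const [name, re] of SCRIPT_RE) if (re.test(ch)) return name;
  return "Other";
}

function scriptRuns(label) {
  const runs = [];
  for (const ch of label) { // iterates by code point, not UTF-16 unit
    const script = scriptOf(ch);
    const last = runs[runs.length - 1];
    if (last && last.script === script) last.text += ch;
    else runs.push({ script, text: ch });
  }
  return runs;
}

function analyseHost(host) {
  return host.split(".").map((label) => {
    const runs = scriptRuns(label);
    const scripts = [...new Set(runs.map((r) => r.script))].filter((s) => s !== "Common");
    return { label, runs, scripts, mixed: scripts.length > 1 };
  });
}

// Constructed sample hostnames (already decoded to Unicode, not Punycode).
const SAMPLES = [
  "paypal.com",
  "p\u0430ypal.com",       // U+0430 CYRILLIC SMALL LETTER A, the case in the quoted message
  "g00g1e.com",            // digits for letters: one script, so not flagged
  "\u0647\u0647.example",  // U+0647 ARABIC LETTER HEH
  "\u0647\u06D5.example",  // U+06D5 ARABIC LETTER AE: same range as heh, so not flagged
];

for (const host of SAMPLES) {
  const first = analyseHost(host)[0];
  const shown = first.runs.map((r) => `[${r.script}:${r.text}]`).join("");
  console.log(`${first.mixed ? "MIXED " : "single"} ${shown}`);
}
```

Only the second sample is reported as mixed; the digit substitution and the two Arabic labels each stay within one script, which is the limitation the message notes for the per-range approach.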
