W3C home > Mailing lists > Public > www-international@w3.org > January to March 2005

Re: IDN problem.... :(

From: Frank Yung-Fong Tang <ytang0648@aol.com>
Date: Wed, 16 Feb 2005 10:59:48 -0500
To: kuro@sonic.net
cc: "Unicode Mailing List" <unicode@unicode.org>, www-international@w3.org, "Martin Duerst" <duerst@w3.org>
Message-ID: <42136DF4.30308@aol.com>



KUROSAKA Teruhiko wrote on 2/15/2005, 2:07 AM:

 > Hello everybody (although I don't think my posting would
 > go through to Unicode mailing list),
 >
 > I don't see this a Unicode problem or IDN problem,
 > because the same problem existed before IDN.  Using
 > a certain font, "1" (one) and "l" (el) look almost same,
 > and "0" (zero) and "O" (capital oh) look similar.
 > If I don't see them very closely, I wouldn't be able to
 > tell goog1e.com isn't google.com. (Can you?)

There are some differences between 'almost the same' from 'they should 
be exactly the same'.

 >
 > Sure allowing any Unicode characters raised the issue
 > to the new level, but I wouldn't blame Unicode or IDN
 > for that.  I'd blame the bad guys who try to cheat
 > innocent users!

Well... if I forgot to lock our door and therefore a bad guy get into 
our home, I will blame both the bad guy who perform such act, and also 
myself who didn't protect my family properly as what I should. And after 
I experience it the first time, I will ensure I always lock my door and 
window. It will be a bad idea to assume that responsibility fall into 
other people's plate. I think both Unicode and IDN standard body should 
take pro active action, in term of spec out some guideline, to prevent 
spoofing identity happen in other places (protocol) in the future when 
extend some identify mechanism to accept Unicode so non English speaking 
community (or I should say community that need more than ASCII 
characters to express their identity) can be empowered as they should be 
without hurting existing usage.

 >
 > I would take this issue just like any other security
 > issues.  Find out what the bad guys doing and build
 > a way to defend users from the bad guys.

Agree. But I think this is not limited to IDN only. Any future protocol 
which extend to accept Unicode as identity will face the same issue. We 
need to address this issue in both the IDN level for the short term, and 
we need to address this issue for future protocol that will use Unicode 
as entity identifier.

 >
 > Coloring the scripts seem to be a good first step.
 > Since "Mam and Dad" may not understand what they mean,
 > the browser should also have a heuristic/statistical
 > engine that detects suspicious URLs, perhaps consisting of
 > only ASCII looking characters of other scripts, and
 > warn the user before it realy access them.

What happen if the user is color blind? Isn't that approach contradict 
with W3C accessiblity guideline? I guess no body use black and white 
monitor anymore....

 >
 > --
 > KUROSAKA ("Kuro") Teruhiko, San Francisco, California, USA
 > Internationalization Consultant
 > http://www.bhlab.com/
 >
Received on Wednesday, 16 February 2005 16:00:32 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:04 GMT