Re: Web font security issue?

On Wednesday, March 16, 2011, 7:39:41 PM, John wrote:

JH> This applies to any implementation of @font-face and served font, not 
JH> just WOFF.

JH> Unicode maintains a list of visually confusable characters that might be
JH> used in spoofing, e.g. a link on a website directed to miсrosoft.com, in
JH> which the letter 'c' in microsoft is actually the Cyrillic letter 
JH> 'es'. This, obviously, is a security concern.

JH> It strikes me that the use of @font-face and served fonts effectively 
JH> makes all text potentially spoofable using nefarious fonts, e.g. a font
JH> that renders the text

JH>         givemecash.ca
JH> as
JH>         scotiabank.ca


Yes.

Which implies that browsers should not apply downloaded fonts in the address bar and in the status bar.


HTML already allows people to be misled:

<a href="http://www.givemecash.ca" 
title="http://scotiabank.ca">scotiabank.ca</a>



-- 
 Chris Lilley   Technical Director, Interaction Domain                 
 W3C Graphics Activity Lead, Fonts Activity Lead
 Co-Chair, W3C Hypertext CG
 Member, CSS, WebFonts, SVG Working Groups

Received on Wednesday, 16 March 2011 19:13:01 UTC
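The two spoofing patterns discussed in this thread, a confusable character inside a domain-like string and link text that names a different host than the href, can both be caught by a simple link audit. The following is an added example, not code from the thread or from any W3C project; the function names (`auditLink`, `looksLikeDomain`, `scriptsIn`) and the finding labels are my own, and the sample inputs are constructed from the thread's examples. It relies only on the standard `URL` class and Unicode property escapes in regular expressions.

```javascript
// Link audit (added example, not from the original thread).
// Flags anchors whose visible text could mislead a reader:
//  - text that looks like a domain but names a host other than the href's
//  - domain-like text mixing scripts (e.g. a Cyrillic letter among Latin ones)
//  - domain-like text containing non-ASCII characters at all
//  - an href whose host is an internationalised (punycode, "xn--") name
// All labels below are assumed names chosen for this example.

const SCRIPTS = ["Latin", "Cyrillic", "Greek"];

// Which of the listed scripts contribute letters to the string.
function scriptsIn(s) {
  return SCRIPTS.filter(sc => new RegExp(`\\p{Script=${sc}}`, "u").test(s));
}

// True when the text is shaped like a hostname (labels separated by dots).
function looksLikeDomain(s) {
  return /^[\p{L}\p{N}-]+(\.[\p{L}\p{N}-]+)+$/u.test(s.trim());
}

// Returns an array of finding labels; empty means nothing suspicious.
function auditLink(href, text) {
  const findings = [];
  let host;
  try {
    host = new URL(href).hostname;
  } catch {
    return ["unparseable-href"];
  }
  const t = text.trim();
  if (!looksLikeDomain(t)) return findings; // ordinary prose: nothing to compare

  if (scriptsIn(t).length > 1) findings.push("mixed-script-text");
  if (/[^\x00-\x7F]/.test(t)) findings.push("non-ascii-text");
  if (host.startsWith("xn--") || host.includes(".xn--")) findings.push("idn-host");

  // Compare the host the reader sees with the host the link really targets.
  // The text is run through the URL parser so it gets the same IDNA mapping.
  const norm = h => h.toLowerCase().replace(/^www\./, "");
  let textHost;
  try {
    textHost = new URL("http://" + t).hostname;
  } catch {
    textHost = t.toLowerCase();
  }
  if (norm(textHost) !== norm(host)) findings.push("text-host-mismatch");
  return findings;
}

// Constructed samples: the thread's two cases plus two benign controls.
// "\u0441" is the Cyrillic small letter es standing in for Latin "c".
const SAMPLES = [
  ["http://www.givemecash.ca", "scotiabank.ca"],
  ["http://mi\u0441rosoft.com", "mi\u0441rosoft.com"],
  ["https://example.com/page", "Read the documentation"],
  ["https://www.example.com", "example.com"],
];

for (const [href, text] of SAMPLES) {
  console.log(JSON.stringify(text), "->", auditLink(href, text));
}
```

In a page, the same check can be run over `document.querySelectorAll("a[href]")` using each element's `href` and `textContent`. It is a reviewer's aid, not a substitute for the measure Chris Lilley describes: browser chrome such as the address bar must keep rendering with a trusted system font so that no downloaded font can reshape what the user reads there.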