Re: IDN problem.... :( from Najib Tounsi on 2005-02-14 (www-international@w3.org from January to March 2005)

From: Najib Tounsi <ntounsi@emi.ac.ma>
Date: Mon, 14 Feb 2005 18:15:21 +0000
To: "John Hudson (by way of Martin Duerst <duerst@w3.org>)" <tiro@tiro.com>
CC: www-international@w3.org
Message-ID: <4210EAB9.9020208@emi.ac.ma>

John Hudson (by way of Martin Duerst <duerst@w3.org>) wrote:

>
>
>
>
> John Burger wrote:
>
>> Here's a popular press description of the problem
>>   http://www.macworld.com/news/2005/02/08/spoof/index.php
>> which points to a test for it at Secunia.com.  (They registered 
>> paypal.com spelled with a Cyrillic "a".)  Ironically, IE doesn't fall 
>> for the spoof, because it apparently doesn't handle IDNs.  Of course, 
>> from a user interface perspective, browsers need to do something 
>> about this, but I find it annoying that it's described as a "security 
>> flaw".
>> My browser doesn't warn me about g00g1e.com yet, either.
>
>
> The security issue is simply due to the fact that some characters 
> typically look identical to other characters. So change the 
> appearance. There are several ways in which this could be done, but 
> most of them rely on users being observant, especially of their 
> address bar, since this is the only place in which browsers can 
> reliably control the display of URLs. One method would be to display 
> characters from different Unicode ranges in different colours in 
> address bar URLs, 

This doesn't seem to be a really nice solution. But it might work.

:-)  Note that we could call this solution the "racist solution" :-)

> another would be to use special fonts for the address bar which make 
> clear glyph distinctions between characters. The former does not 
> address all possible character spoofing, since there are some single 
> ranges that contain characters that can take identical forms, e.g. the 
> numerous Arabic characters that share the circular heh form in isolation.

Exact, though the glyphs are slightly different in shape and position.
Here (attached) two images contaning the same text where  the two
shapes  (Heh and Digit 5) are interchanged.
image001:  3456 -- Heh Alif
image002:  34Heh6 -- 5 Alif

Najib Tounsi

>
> John Hudson
>
> -- 
>
> Tiro Typeworks        www.tiro.com
> Vancouver, BC        tiro@tiro.com
>
> Currently reading:
> Library: an unquiet history, by Matthew Battles
> The peasant of the Garonne, by Jacques Maritain
>
>
>
>
>

-- 
Najib TOUNSI (mailto:ntounsi@emi.ac.ma)
Ecole Mohammadia d'Ingenieurs,
BP 765 Agdal-RABAT Maroc (Morocco)
Phone : +212 (0) 37 68 71 74
Fax : +212 (0) 37 77 88 53
Mobile: +212 (0) 61 22 00 30

Attachments

image/gif attachment: IMAGE001.GIF
image/gif attachment: IMAGE002.GIF

Received on Monday, 14 February 2005 18:14:34 UTC