- From: Frank Yung-Fong Tang <ytang0648@aol.com>
- Date: Wed, 16 Feb 2005 10:59:48 -0500
- To: kuro@sonic.net
- cc: "Unicode Mailing List" <unicode@unicode.org>, www-international@w3.org, "Martin Duerst" <duerst@w3.org>
KUROSAKA Teruhiko wrote on 2/15/2005, 2:07 AM: > Hello everybody (although I don't think my posting would > go through to Unicode mailing list), > > I don't see this a Unicode problem or IDN problem, > because the same problem existed before IDN. Using > a certain font, "1" (one) and "l" (el) look almost same, > and "0" (zero) and "O" (capital oh) look similar. > If I don't see them very closely, I wouldn't be able to > tell goog1e.com isn't google.com. (Can you?) There are some differences between 'almost the same' from 'they should be exactly the same'. > > Sure allowing any Unicode characters raised the issue > to the new level, but I wouldn't blame Unicode or IDN > for that. I'd blame the bad guys who try to cheat > innocent users! Well... if I forgot to lock our door and therefore a bad guy get into our home, I will blame both the bad guy who perform such act, and also myself who didn't protect my family properly as what I should. And after I experience it the first time, I will ensure I always lock my door and window. It will be a bad idea to assume that responsibility fall into other people's plate. I think both Unicode and IDN standard body should take pro active action, in term of spec out some guideline, to prevent spoofing identity happen in other places (protocol) in the future when extend some identify mechanism to accept Unicode so non English speaking community (or I should say community that need more than ASCII characters to express their identity) can be empowered as they should be without hurting existing usage. > > I would take this issue just like any other security > issues. Find out what the bad guys doing and build > a way to defend users from the bad guys. Agree. But I think this is not limited to IDN only. Any future protocol which extend to accept Unicode as identity will face the same issue. We need to address this issue in both the IDN level for the short term, and we need to address this issue for future protocol that will use Unicode as entity identifier. > > Coloring the scripts seem to be a good first step. > Since "Mam and Dad" may not understand what they mean, > the browser should also have a heuristic/statistical > engine that detects suspicious URLs, perhaps consisting of > only ASCII looking characters of other scripts, and > warn the user before it realy access them. What happen if the user is color blind? Isn't that approach contradict with W3C accessiblity guideline? I guess no body use black and white monitor anymore.... > > -- > KUROSAKA ("Kuro") Teruhiko, San Francisco, California, USA > Internationalization Consultant > http://www.bhlab.com/ >
Received on Wednesday, 16 February 2005 16:00:32 UTC