W3C home > Mailing lists > Public > www-international@w3.org > January to March 2007

Re: For review: An Introduction to Multilingual Web Addresses

From: Frank Ellermann <nobody@xyzzy.claranet.de>
Date: Sat, 10 Mar 2007 23:57:22 +0100
To: www-international@w3.org
Message-ID: <45F337D2.761F@xyzzy.claranet.de>

shen@cse.ust.hk quoted:
> "The typical way of alerting the user to a possible homograph attack is to
> display the URI in the address bar in punycode rather than in the original
> Unicode characters."

Is it really the "address bar" ?  With my stoneage UAs the focus URL is
shown in the "status line".  And what other UAs call "address line" (?)
is the "location line" (for manual URL input) with my old UAs.

There's a potential conflict:  If folks use the  <a href="uri"> iri </a>
approach, my UAs would show the URI in their status line (as a kind of
'onmouseover' event).

If others use the  <a href="iri"> iri </a>  approach (BTW, what kind of
document is this, apparently not HTML 4.01 or XHTML 1.0), then modern
UAs behaving in the same way would show the IRI in their status line.

And finally "smart" UAs somehow identifying a homograph attack (without
"calling home") would use the URI form to alert users ?  Doesn't work
for me, something's missing, how about using a different colour (if we
are talking about GUI UAs directly read by their users, no text mode
UA, or screen readers on top of a GUI UA).

> There is no way for a lay user (or even a pro) to tell whether punycode
> indicates danger. Few people can recognize whether a possible homograph
> attack is taking place.

Yes, and for paypa1 you'd need an upper case PAYPA1.  I don't think that
using punycode to indicate suspicious IRIs is a good idea.  Showing it
_always_ in the status line (for an UA configured that way) could make
sense for folks familiar with Latin-1, but it won't help other users.

Received on Saturday, 10 March 2007 22:59:34 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:40:53 UTC