- From: Frank Ellermann <nobody@xyzzy.claranet.de>
- Date: Sat, 10 Mar 2007 23:57:22 +0100
- To: www-international@w3.org
shen@cse.ust.hk quoted: > "The typical way of alerting the user to a possible homograph attack is to > display the URI in the address bar in punycode rather than in the original > Unicode characters." Is it really the "address bar" ? With my stoneage UAs the focus URL is shown in the "status line". And what other UAs call "address line" (?) is the "location line" (for manual URL input) with my old UAs. There's a potential conflict: If folks use the <a href="uri"> iri </a> approach, my UAs would show the URI in their status line (as a kind of 'onmouseover' event). If others use the <a href="iri"> iri </a> approach (BTW, what kind of document is this, apparently not HTML 4.01 or XHTML 1.0), then modern UAs behaving in the same way would show the IRI in their status line. And finally "smart" UAs somehow identifying a homograph attack (without "calling home") would use the URI form to alert users ? Doesn't work for me, something's missing, how about using a different colour (if we are talking about GUI UAs directly read by their users, no text mode UA, or screen readers on top of a GUI UA). > There is no way for a lay user (or even a pro) to tell whether punycode > indicates danger. Few people can recognize whether a possible homograph > attack is taking place. Yes, and for paypa1 you'd need an upper case PAYPA1. I don't think that using punycode to indicate suspicious IRIs is a good idea. Showing it _always_ in the status line (for an UA configured that way) could make sense for folks familiar with Latin-1, but it won't help other users. Frank
Received on Saturday, 10 March 2007 22:59:34 UTC