RE: For review: An Introduction to Multilingual Web Addresses from Richard Ishida on 2007-03-22 (www-international@w3.org from January to March 2007)

From: Richard Ishida <ishida@w3.org>
Date: Thu, 22 Mar 2007 15:46:42 -0000
To: "'Frank Ellermann'" <nobody@xyzzy.claranet.de>
Cc: <www-international@w3.org>
Message-ID: <006701c76c99$50bda370$6401a8c0@rishida>

Hi Frank,

I was in fact alread thinking of adding a mention of the status bar, and
separating out the idea that you see the punycode in the status bar before
clicking on the link text, and in the address bar after the page has loaded.

See the latest version at
http://www.w3.org/International/articles/idn-and-iri/#phishing

RI

============
Richard Ishida
Internationalization Lead
W3C (World Wide Web Consortium)
 
http://www.w3.org/People/Ishida/
http://www.w3.org/International/
http://people.w3.org/rishida/blog/
http://www.flickr.com/photos/ishida/
 
 

> -----Original Message-----
> From: www-international-request@w3.org 
> [mailto:www-international-request@w3.org] On Behalf Of Frank Ellermann
> Sent: 10 March 2007 22:57
> To: www-international@w3.org
> Subject: Re: For review: An Introduction to Multilingual Web Addresses
> 
> 
> shen@cse.ust.hk quoted:
>  
> > "The typical way of alerting the user to a possible 
> homograph attack 
> > is to display the URI in the address bar in punycode rather than in 
> > the original Unicode characters."
> 
> Is it really the "address bar" ?  With my stoneage UAs the 
> focus URL is shown in the "status line".  And what other UAs 
> call "address line" (?) is the "location line" (for manual 
> URL input) with my old UAs.
> 
> There's a potential conflict:  If folks use the  <a 
> href="uri"> iri </a> approach, my UAs would show the URI in 
> their status line (as a kind of 'onmouseover' event).
> 
> If others use the  <a href="iri"> iri </a>  approach (BTW, 
> what kind of document is this, apparently not HTML 4.01 or 
> XHTML 1.0), then modern UAs behaving in the same way would 
> show the IRI in their status line.
> 
> And finally "smart" UAs somehow identifying a homograph 
> attack (without "calling home") would use the URI form to 
> alert users ?  Doesn't work for me, something's missing, how 
> about using a different colour (if we are talking about GUI 
> UAs directly read by their users, no text mode UA, or screen 
> readers on top of a GUI UA).
> 
> > There is no way for a lay user (or even a pro) to tell whether 
> > punycode indicates danger. Few people can recognize whether 
> a possible 
> > homograph attack is taking place.
> 
> Yes, and for paypa1 you'd need an upper case PAYPA1.  I don't 
> think that using punycode to indicate suspicious IRIs is a 
> good idea.  Showing it _always_ in the status line (for an UA 
> configured that way) could make sense for folks familiar with 
> Latin-1, but it won't help other users.
> 
> Frank
> 
> 
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 268.18.16/729 - Release Date: 21/03/2007
07:52

Received on Thursday, 22 March 2007 15:47:47 UTC