
spoofing and IRIs

From: Larry Masinter <LMM@acm.org>
Date: Sat, 27 Feb 2010 21:12:15 -0800
To: <public-iri@w3.org>
Cc: <markdavis@google.com>, <michel@suignard.com>
Message-ID: <000501cab834$98f9fa50$caedeef0$@org>
(bcc to www-tag@w3.org for W3C TAG ACTION-343


Right now, the "Security Considerations" section of
contains a relatively short discussion of the issues around spoofing.


I'd like to replace most of that section with a summary and a pointer
to the Unicode Technical Report #36




which expands the discussion quite a bit. I think a summary might be
of the form:



There are serious difficulties with relying on a human to verify that
a presentation of an IRI to them (whether visually or read out loud)
is the same as another identifier or is the one intended. These
problems exist with ASCII-only URIs (bl00mberg.com vs. bloomberg.com)
but are enormously exacerbated when using the larger character
repertoire of Unicode; these problems are elaborated in [UTR#36].
There seems to be little hope of relying on either administrative or
technical means to reduce the availability of such exploits, to the
extent that user agents SHOULD NOT rely on visual or perceptual
comparison or verification of IRIs as any means of validating or
assuring safety, correctness or appropriateness of an IRI.


[UTR#36] also identifies additional security considerations that are
applicable to IRIs.





Basically, I want to push the issue of Spoofing in IRIs to another










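The proposed text says a user agent should not trust a human's visual comparison of IRIs. As an added illustration (not part of Larry's message or of UTR #36 itself), the script below shows the kind of machine checks a user agent can make instead: reduce host labels to a confusable "skeleton" so that bl00mberg.com and bloomberg.com compare equal, flag labels that mix scripts, and surface the ACE (xn--) form of the host. The CONFUSABLES table is a constructed toy subset; the real data is the UTS #39 confusables table that UTR #36 refers to.

```python
import unicodedata

# Constructed toy subset of confusable mappings; the complete data lives in
# the UTS #39 confusables table. This is illustrative, not authoritative.
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l",                      # ASCII look-alikes
    "\u0430": "a", "\u0435": "e", "\u043e": "o",       # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0443": "y",       # Cyrillic р с у
    "\u03bf": "o", "\u03b1": "a",                      # Greek ο α
}

def skeleton(label: str) -> str:
    """Reduce a label so that look-alike labels compare equal."""
    folded = unicodedata.normalize("NFKC", label.casefold())
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def script_of(ch: str) -> str:
    """Coarse script guess from the character name (unicodedata exposes no
    Script property); adequate for Latin, Cyrillic and Greek."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER" if ch.isalpha() else "COMMON"

def mixed_script(label: str) -> bool:
    """One label, one script: the restriction level UTR #36 discusses."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    return len(scripts) > 1

def assess_host(host: str, expected: str) -> dict:
    """What a user agent can check about `host` without trusting the glyphs
    a human sees: its ACE form, script mixing, and skeleton equality with
    the host the user believes they are visiting."""
    labels = host.split(".")
    return {
        "ace": host.encode("idna").decode("ascii"),     # xn-- form if non-ASCII
        "mixed_script": any(mixed_script(lb) for lb in labels),
        "confusable_with_expected": host != expected
                                    and skeleton(host) == skeleton(expected),
    }

if __name__ == "__main__":
    # Constructed sample hosts: the page's ASCII case and a Cyrillic-а one.
    for h in ("bl00mberg.com", "p\u0430ypal.com", "bloomberg.com"):
        print(h, assess_host(h, "bloomberg.com" if "mberg" in h else "paypal.com"))
```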
Received on Sunday, 28 February 2010 05:12:53 UTC
