Re: [idn] nameprep2 and the slash homograph issue

Gervase Markham <gerv@mozilla.org> Tue, 01 March 2005 23:57 UTC

Received: from psg.com (mailnull@psg.com [147.28.0.62]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA25556 for <idn-archive@lists.ietf.org>; Tue, 1 Mar 2005 18:57:44 -0500 (EST)
Received: from majordom by psg.com with local (Exim 4.44 (FreeBSD)) id 1D6H8O-000E4e-28 for idn-data@psg.com; Tue, 01 Mar 2005 23:50:36 +0000
Received: from [193.201.200.34] (helo=tuschin.blackcatnetworks.co.uk) by psg.com with esmtp (Exim 4.44 (FreeBSD)) id 1D6H8M-000E4L-RC for idn@ops.ietf.org; Tue, 01 Mar 2005 23:50:34 +0000
Received: from grmarkham.plus.com ([80.229.30.161] helo=[192.168.1.100]) by tuschin.blackcatnetworks.co.uk with asmtp (Exim 3.35 #1 (Debian)) id 1D6H8M-0002qc-00 for <idn@ops.ietf.org>; Tue, 01 Mar 2005 23:50:34 +0000
Message-ID: <4225A87B.7030204@mozilla.org>
Date: Wed, 02 Mar 2005 11:50:19 +0000
From: Gervase Markham <gerv@mozilla.org>
Organization: mozilla.org
User-Agent: Mozilla Thunderbird 1.0 (X11/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: idn@ops.ietf.org
Subject: Re: [idn] nameprep2 and the slash homograph issue
References: <421B8484.3070802@vanderpoel.org> <20050223072837.GA21463~@nicemice.net> <D872CCF059514053ECF8A198@scan.jck.com> <20050223105244.GE21463~@nicemice.net> <421CA114.9090302@vanderpoel.org> <20050224081721.GB12336~@nicemice.net> <421DEDFF.2000300@vanderpoel.org>
In-Reply-To: <421DEDFF.2000300@vanderpoel.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on psg.com
X-Spam-Status: No, score=-1.6 required=5.0 tests=AWL,BAYES_00, DATE_IN_FUTURE_06_12,WHY_WAIT autolearn=no version=3.0.1
Sender: owner-idn@ops.ietf.org
Precedence: bulk

Erik van der Poel wrote:
> Here I agree with you. I'm not going to try to come up with the wording 
> for that, but this morning I started to think that the right-to-left DNS 
> and IDN spoofing problems *could* be addressed at the UI level by 
> providing a *tool* that security-conscious users could *choose* to use.

While security-conscious users are always less at risk than ordinary 
users, thinking in terms of a tool is IMO wrong.

> I'm thinking of a tool that might be implemented as an extension for 
> Mozilla, for example. It would offer to display domain names in the safe 
> order, i.e. left-to-right for users whose main language is 
> left-to-right. I have not heard of any UIs that offer top-to-bottom in 
> their menus, dialogs, etc, so I would guess that this would be omitted 
> in the extension too, though right-to-left might be offered for 
> right-to-left users (many of whom are in the Middle East -- Hebrew and 
> Arabic).

The problem this is supposed to mitigate is mitigated in Firefox by the 
domain-only indicator in the status bar.

> In addition, such a tool would offer to display domain names in a clear 
> font, unlike the sans-serif that is commonly used today. This would make 
> the distinction between lowercase l and digit 1 clearer. And it would 
> separate the domain name from its context, e.g. using color.

Assuming we could determine such a font, why would we not always use it? 
Why wait for a tool to be deployed?

Gerv
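The thread above talks about two display-level defences against IDN spoofing: showing the user only the domain (the status-bar "domain-only indicator") and making confusable characters visible. The following is an added example, not code from the message, from Mozilla or from any IETF draft. It extracts the host the way a domain-only indicator would and then runs the checks a practitioner would want behind such an indicator: a label that mixes scripts (a Cyrillic letter inside an otherwise Latin label) and a label containing a character that a sans-serif font renders like the URL delimiter "/" (the "slash homograph" of the subject line). The script classification from Unicode character names, the table of slash lookalikes and the sample hostnames are all constructed for this illustration; the `idna` codec used for the ASCII form is Python's nameprep-based (RFC 3490/3491) implementation.

```python
"""Homograph checks for a hostname before it is shown to a user.

Added example; not code from the original message or from Mozilla.
Splits a hostname into labels, approximates each character's script
from its Unicode name, and flags two spoofing patterns: a label that
mixes scripts, and a label containing a slash lookalike that makes a
host read like "host/path".
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed, illustrative table of slash lookalikes (not exhaustive).
SLASH_LOOKALIKES = {"\u2044", "\u2215", "\u29f8"}  # fraction, division, big solidus

# Scripts told apart by the first word of the character name; digits,
# hyphen and other punctuation count as COMMON and never by themselves
# make a label "mixed".
SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch):
    """Approximate script from the Unicode name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'; anything else -> 'COMMON'."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in SCRIPTS else "COMMON"


def analyze_label(label):
    """Report the scripts, slash lookalikes and nameprep/ToASCII form of one label."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    lookalikes = [unicodedata.name(c) for c in label if c in SLASH_LOOKALIKES]
    try:
        # Python's idna codec applies nameprep, then punycode with the xn-- prefix.
        ascii_form = label.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None  # label rejected by nameprep or length rules
    return {
        "label": label,
        "scripts": scripts,
        "mixed_script": len(scripts) > 1,
        "slash_lookalikes": lookalikes,
        "ascii": ascii_form,
        "risky": len(scripts) > 1 or bool(lookalikes),
    }


def analyze_hostname(host):
    """Per-label reports plus an overall verdict; a single-script
    non-ASCII host (e.g. an all-Cyrillic name) is not flagged."""
    reports = [analyze_label(label) for label in host.split(".") if label]
    return {"labels": reports, "risky": any(r["risky"] for r in reports)}


def host_for_display(url):
    """What a domain-only indicator shows: the host, nothing else.
    A fraction slash is not a '/' to the URL parser, so it stays
    inside the host, which is exactly what makes it worth flagging."""
    return urlsplit(url).hostname or ""


if __name__ == "__main__":
    # Constructed sample inputs.
    for url in ("http://www.paypal.com/",
                "http://www.p\u0430ypal.com/",                    # Cyrillic a
                "http://www.example.com\u2044login.evil.com/x",   # fraction slash
                "http://\u0440\u043e\u0441\u0441\u0438\u044f.\u0440\u0444/"):
        host = host_for_display(url)
        report = analyze_hostname(host)
        print(f"{host!r}: risky={report['risky']}")
        for r in report["labels"]:
            if r["risky"]:
                print("   ", r)
```

The two checks are deliberately independent of what the rendering font does: a mixed-script label is flagged even if the glyphs are identical, and the slash lookalike is flagged even though it sits in an otherwise all-Latin label that passes nameprep and gets an ordinary `xn--` form.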