nanog mailing list archives
Re: identical-glyph homographs
From: Todd Vierling <tv () duh org>
Date: Thu, 28 Jul 2005 17:49:49 -0400 (Eastern Daylight Time)
On Thu, 28 Jul 2005, Florian Weimer wrote:
> Let me repeat my other argument: Users don't use domain names in trust assessments. The smarter ones seem to recall how they got to a particular page. This is quite consistent with real-world behavior.

Uh, I beg to differ -- most of my family would see h t t p : / / w w w . y a h <omicron> <omicron> . g r / and think "the Yahoo site in Greece". After all, it renders as precisely http://www.yahoo.gr/ on-screen, same character glyph, width, and all. This isn't a PR attack; it's a real inverse-Turing-test type of attack. People do look at URLs visually, and many can recognize the difference with simple homographs, but most, I assure you, cannot.

> > (Hint: In each group of three lines, the strings of characters are NOT identical, regardless of what your eyes may tell you.)
>
> They appear differently because even though they are from a single font, the characters have slightly different widths.

Actually, out of all the fonts and OSs I tried, including one I prefer not to use or name but which many people do use, only the Cyrillic lowercase on one font on one OS had different widths, for exactly one character -- all others had identical widths. So you probably have a lucky font -- and you're fortunately already technically knowledgeable to know what a Unicode character is and how it's different from plain ASCII. Most users are *NOT* so lucky, as much as you'd hope for that.

> This wouldn't matter in the location field, of course.

How so? The movement is in the direction of rendering IDNs natively as Unicode in the Location field, so this is exactly the same problem. (Hm. I'm beginning to smell the T-word, but I'll wait and see how thick the skull material is first.)

--
-- Todd Vierling <tv () duh org> <tv () pobox com> <todd () vierling name>
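The following is an added example, not part of the original post or the thread: a per-label mixed-script check of the kind that separates the two visually identical hostnames discussed in the message above, alongside the ASCII-compatible form each label has on the wire. The function names and the script heuristic (first word of the Unicode character name) are assumptions of this example.

```python
import unicodedata

# Heuristic (assumption of this example): take the script from the first word
# of the Unicode character name, e.g. "GREEK SMALL LETTER OMICRON" -> "GREEK".
def script_of(ch):
    if ch.isascii():
        # ASCII digits and '-' carry no script; ASCII letters are Latin.
        return "LATIN" if ch.isalpha() else None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"  # unnamed code point


def label_scripts(label):
    """Return the set of scripts used by the characters of one DNS label."""
    return {s for s in map(script_of, label) if s is not None}


def to_ascii(label):
    """ASCII-compatible (punycode) form of a label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def audit_hostname(host):
    """Per label: (display form, ASCII form, sorted scripts, mixed-script flag)."""
    report = []
    for label in host.lower().rstrip(".").split("."):
        scripts = label_scripts(label)
        report.append((label, to_ascii(label), sorted(scripts), len(scripts) > 1))
    return report


def is_suspicious(host):
    """True if any single label mixes characters from more than one script."""
    return any(mixed for _, _, _, mixed in audit_hostname(host))


# Constructed samples: the second uses U+03BF GREEK SMALL LETTER OMICRON twice.
SAMPLES = ["www.yahoo.gr", "www.yah\u03bf\u03bf.gr"]

if __name__ == "__main__":
    for host in SAMPLES:
        for label, ace, scripts, mixed in audit_hostname(host):
            print(f"{ace:20} scripts={scripts} mixed={mixed}")
```

A label written entirely in one non-Latin script is not flagged by this check, so it does not cover whole-script lookalikes such as the all-Cyrillic case mentioned in the message.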