North American Network Operators Group


Re: identical-glyph homographs

  • From: Todd Vierling
  • Date: Thu Jul 28 17:55:17 2005

On Thu, 28 Jul 2005, Florian Weimer wrote:

> Let me repeat my other argument: Users don't use domain names in trust
> assessments.  The smarter ones seem to recall how they got to a
> particular page.  This is quite consistent with real-world behavior.

Uh, I beg to differ -- most of my family would see

    h t t p : / / w w w . y a h <omicron> <omicron> . g r /

and think "the Yahoo site in Greece".  After all, it renders as precisely

    http://www.yahoo.gr/

on-screen, same character glyph, width, and all.  This isn't a PR attack;
it's a real inverse-Turing-test type of attack.  People do look at URLs
visually, and many can recognize the difference with simple homographs, but
most, I assure you, cannot.

> > (Hint:  In each group of three lines, the strings of characters are NOT
> > identical, regardless of what your eyes may tell you.)
>
> They appear differently because even though they are from a single
> font, the characters have slightly different widths.

Actually, out of all the fonts and OSs I tried, including one I prefer not
to use or name but which many people do use, only the Cyrillic lowercase on
one font on one OS had different widths, for exactly one character -- all
others had identical widths.

So you probably have a lucky font -- and you're fortunately already
technically knowledgeable to know what a Unicode character is and how it's
different from plain ASCII.  Most users are *NOT* so lucky, as much as you'd
hope for that.

> This wouldn't matter in the location field, of course.

How so?  The movement is in the direction of rendering IDNs natively as
Unicode in the Location field, so this is exactly the same problem.

(Hm.  I'm beginning to smell the T-word, but I'll wait and see how thick the
skull material is first.)

-- 
-- Todd Vierling <[email protected]> <[email protected]> <[email protected]>
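The post's point is that a Greek omicron and a Latin "o" render identically, so a user reading the location bar cannot tell the two hostnames apart. The following is an added example, not code from this thread or from any browser; it shows the defensive check that IDN display policies apply before rendering a name natively: flag a label that mixes scripts, or that is written entirely in one non-Latin script yet maps glyph-for-glyph onto an ASCII word, and fall back to the punycode (A-label) wire form in that case. The confusable table is a small constructed subset of the Unicode TR39 confusables data, just enough to cover the omicron and Cyrillic cases mentioned above; the hostnames tested are likewise constructed.

```python
"""Added example: detecting look-alike (homograph) hostname labels.

Not code from the NANOG thread. CONFUSABLE_TO_LATIN is a constructed
subset of Unicode TR39 confusables.txt; a real deployment would load the
full table.
"""
import unicodedata

# Constructed subset: non-Latin letters whose glyph matches a Latin letter
# in most fonts (same width and shape, as the post describes).
CONFUSABLE_TO_LATIN = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

# Verdicts ordered from harmless to most suspicious.
SEVERITY = ["ascii", "non-ascii", "whole-script-confusable", "mixed-script"]


def scripts_in(label):
    """Set of script names (LATIN, GREEK, CYRILLIC, ...) used by the letters
    of a label, derived from the first word of each character's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace every known confusable with the Latin letter it looks like."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)


def assess_label(label):
    """Classify a single hostname label. Returns (verdict, detail)."""
    label = unicodedata.normalize("NFC", label).lower()
    if label.isascii():
        return "ascii", label
    scripts = scripts_in(label)
    if len(scripts) > 1:
        # Latin letters mixed with Greek/Cyrillic ones: the "yah<omicron><omicron>" case.
        return "mixed-script", ",".join(sorted(scripts))
    sk = skeleton(label)
    if sk != label and sk.isascii():
        # Single script, but every letter impersonates an ASCII word.
        return "whole-script-confusable", sk
    # Genuine non-ASCII name with no ASCII look-alike in our table.
    return "non-ascii", label


def assess_hostname(host):
    """Return the worst verdict over all labels and the punycode wire form,
    which is what a UI should display when the verdict is suspicious."""
    verdicts = [assess_label(label)[0] for label in host.split(".")]
    worst = max(verdicts, key=SEVERITY.index)
    wire = host.encode("idna").decode("ascii")  # A-labels, e.g. www.xn--....gr
    return worst, wire


def display_form(host):
    """Native Unicode for benign names, punycode for confusable ones."""
    verdict, wire = assess_hostname(host)
    return host if SEVERITY.index(verdict) <= SEVERITY.index("non-ascii") else wire


if __name__ == "__main__":
    # Constructed samples: the post's Greek example, a Cyrillic look-alike,
    # a legitimate Greek word, and the real ASCII name.
    for sample in ("www.yah\u03bf\u03bf.gr", "\u0441\u043e\u0440\u0435.example",
                   "\u03b1\u03b8\u03ae\u03bd\u03b1.gr", "www.yahoo.gr"):
        verdict, wire = assess_hostname(sample)
        print(f"{sample!r:32} {verdict:24} show as: {display_form(sample)}  wire: {wire}")
```

The mixed-script check catches the example from the post because the label "yah" plus two omicrons contains both LATIN and GREEK letters; the whole-script check is there for names such as an all-Cyrillic label whose every letter has a Latin twin, which the first check would pass. Real browsers apply further rules (allowed script combinations per TLD, the full confusables table), but the two tests above are the core of why modern location bars show punycode for such names.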