IDNA and U+08A1 and related cases (was: Re: Barry Leiba's Discuss on draft-ietf-json-i-json-05: (with DISCUSS and COMMENT))
Shawn.Steele at microsoft.com
Tue Jan 27 18:57:06 CET 2015
> That is, I don't think a distinction between "accident" and "intent" is useful when it comes to confusability. Based on spoofing and spamming data I've seen at Google, the characters don't even have to be identical 90% of the time. At body text sizes, the human eye sees what it expects: many dissimilarities are glossed over, like between r + n and m, or even much more different ones.
Has anyone looked at confusability of Chinese characters? My expectation would be that many clearly different things would be easily mistaken because of a slight difference in a stroke and the context and font size. E.g., if I’m expecting “Microsoft” in an email or something, then rnicrosoft.com might trick me (not in this font apparently). I would expect that Chinese has lots of characters that are confusable. Worse, I’d expect that some are probably only confusable in certain contexts.
> I wish that the people who get all fired up about U+08A1 would talk to security experts to find out what sorts of characters—in practice—do represent confusability issues: U+08A1 and related characters would not even be on the radar screen.
> As you say, those kinds of issues are … simply infeasible to do more than nibble at the edges with the low-level protocol. It just gives people a false sense that they are solving the problem.
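An added illustration of the two points above (this is example code written for this page, not code from the Idna-update thread or from any IDNA implementation). The first part is a deliberately small, hypothetical "skeleton" fold in the spirit of UTS #39: it collapses a handful of look-alikes such as "rn" vs "m" and Cyrillic "а"/"е"/"о"/"р"/"с" onto their Latin twins, so that rnicrosoft.com and microsoft.com compare equal. The fold tables are hand-picked for the demo and are nowhere near the full confusables data. The second part shows what the low-level protocol can actually see: IDNA processing rests on Unicode normalization, and U+08A1 (ARABIC LETTER BEH WITH HAMZA ABOVE) has no canonical decomposition, so NFC does not equate it with U+0628 U+0654 (BEH followed by HAMZA ABOVE). A registry or resolver that only normalizes therefore treats the two as different labels, while a visual look-alike check is a separate layer that has to be built on top.

```python
"""Confusable checks around IDNA labels (added example, not from the thread)."""
import unicodedata

# Hypothetical, hand-picked folds. Real confusable data (UTS #39
# confusables.txt) is far larger; these are only enough for the demo.
MULTI_FOLDS = {
    "rn": "m",   # the r + n vs m case from the quoted text
    "vv": "w",
    "cl": "d",
}
SINGLE_FOLDS = {
    "1": "l",
    "0": "o",
    "\u0430": "a",   # CYRILLIC SMALL LETTER A
    "\u0435": "e",   # CYRILLIC SMALL LETTER IE
    "\u043e": "o",   # CYRILLIC SMALL LETTER O
    "\u0440": "p",   # CYRILLIC SMALL LETTER ER
    "\u0441": "c",   # CYRILLIC SMALL LETTER ES
}


def skeleton(label: str) -> str:
    """Fold a label to a comparison key; equal keys mean 'confusable'.

    NFKC + casefold first, then greedy two-character folds, then
    single-character folds. This is a toy version of the UTS #39 skeleton.
    """
    s = unicodedata.normalize("NFKC", label).casefold()
    out = []
    i = 0
    while i < len(s):
        pair = s[i:i + 2]
        if pair in MULTI_FOLDS:
            out.append(MULTI_FOLDS[pair])
            i += 2
            continue
        out.append(SINGLE_FOLDS.get(s[i], s[i]))
        i += 1
    return "".join(out)


def confusable(a: str, b: str) -> bool:
    """Visual look-alike test: same skeleton, possibly different code points."""
    return skeleton(a) == skeleton(b)


def canonically_equivalent(a: str, b: str) -> bool:
    """What normalization-based protocol processing can see: NFC equality."""
    return unicodedata.normalize("NFC", a) == unicodedata.normalize("NFC", b)


# The hamza case discussed in the thread (constructed sample strings).
BEH_HAMZA_PRECOMPOSED = "\u08a1"        # ARABIC LETTER BEH WITH HAMZA ABOVE
BEH_PLUS_HAMZA = "\u0628\u0654"         # ARABIC LETTER BEH, ARABIC HAMZA ABOVE

# Constructed sample labels for the Latin/Cyrillic look-alike case.
LOOKALIKE_PAYPAL = "\u0440\u0430y\u0440\u0430l.com"   # Cyrillic p, a, p, a


if __name__ == "__main__":
    print("rnicrosoft.com ~ microsoft.com:",
          confusable("rnicrosoft.com", "microsoft.com"))
    print("Cyrillic paypal ~ paypal.com:",
          confusable(LOOKALIKE_PAYPAL, "paypal.com"))
    print("U+08A1 NFC-equal to BEH+HAMZA:",
          canonically_equivalent(BEH_HAMZA_PRECOMPOSED, BEH_PLUS_HAMZA))
```

The skeleton fold is greedy and crude on purpose: it will also fold "savvy" to "sawy", which is the usual trade-off for this kind of check and is why real deployments apply it only when comparing against a known target (a registry's existing labels, a brand list) rather than as a validity rule on every label.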