Data on confusables

Mark Davis ⌛ mark at macchiato.com
Thu Jul 30 17:06:10 CEST 2009


Mark


On Thu, Jul 30, 2009 at 03:24, Gervase Markham <gerv at mozilla.org> wrote:

> On 30/07/09 00:13, Mark Davis ⌛ wrote:
>
>> I don't think that IDNA2008 will change much regarding spoofing. Some
>> registries may be bound by the terms of IDNA2008, but most will not be.
>> They could choose to abide by it strictly, or they could allow characters
>> like HEART if they are in demand, or for compatibility with IDNA2003.
>>
>
> They could, but if none of the browsers render it, I suspect they won't.


Well, it does come down to what the browsers decide to do.


>
>
>> Conversely, the client side can't depend on the registries' all doing
>> "the right thing", and will need to supply their own tests for spoofing;
>> and for them as well, excluding symbols or checking for CONTEXTO
>> accomplishes almost nothing as far as detecting spoofs.
>>
>
> I find that an odd conclusion. Banning dot-like, slash-like and hyphen-like
> punctuation seems to me like it would make a big difference in terms of
> restricting what spoofing is possible.


It only takes one dot-like character to allow for a spoof of a dot. If you
forbid 17 dot-likes but allow 3, it doesn't really prevent spoofing. And if
you don't test for spoofs of 'a', 'b', etc, even checking for dot-spoofing
doesn't do a lot of good. What I'm saying is that the restrictions put in
place in IDNA2008 may look nice, but they are like a band-aid on a sieve: it
still won't hold water. You need, say, a sheet of saran wrap inside the
sieve -- and once you have the saran wrap, you don't need the band-aid.


>
> Gerv
>
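
Added example, not part of the original message: a Python sketch contrasting a partial dot-like denylist with a whole-string skeleton comparison, the kind of client-side confusable test the reply argues for. The mapping table, the denylist, the function names and the sample names are constructed for illustration; a real check would load the full Unicode confusables data.

```python
import unicodedata

# Constructed, illustrative subset of confusable mappings (character -> prototype).
# Assumption: a production check loads the complete Unicode confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u2024": ".",  # ONE DOT LEADER
    "\u0701": ".",  # SYRIAC SUPRALINEAR FULL STOP
    "\ua60e": ".",  # VAI FULL STOP
}

# Hypothetical partial denylist: forbids some dot-likes but not all of them.
DOT_DENYLIST = {"\u2024", "\u0701"}


def passes_denylist(name: str) -> bool:
    """True if the name contains none of the explicitly forbidden characters."""
    return not any(ch in DOT_DENYLIST for ch in name)


def skeleton(name: str) -> str:
    """Reduce a name to its prototype form: NFD, map confusables, NFD again."""
    decomposed = unicodedata.normalize("NFD", name)
    mapped = "".join(CONFUSABLES.get(ch, ch) for ch in decomposed)
    return unicodedata.normalize("NFD", mapped)


def spoofs(candidate: str, known: str) -> bool:
    """True if candidate differs from known but collapses to the same skeleton."""
    return candidate != known and skeleton(candidate) == skeleton(known)


def audit(candidates, known):
    """Return (escaped name, passes_denylist, spoofs_known) for each candidate."""
    return [
        (c.encode("unicode_escape").decode(), passes_denylist(c), spoofs(c, known))
        for c in candidates
    ]


if __name__ == "__main__":
    # Constructed sample names compared against one known-good name.
    samples = ["shop\u2024example", "shop\ua60eexample",
               "sh\u043ep.example", "store.example"]
    for row in audit(samples, "shop.example"):
        print(row)
```

The second and third samples pass the denylist yet are flagged by the skeleton comparison, which also covers everything the denylist caught.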