* Joey Hess:

> Florian Weimer wrote:
>> People are filing security bugs because of the homograph issue. But
>> is this a real security problem? Do you think we should change our
>> fonts so that 1, l and I (and O and 0, of course) are more different
>> visually?
>
> That misses part of the point of the homograph issue, which is that
> besides characters that look confusingly alike, unicode contains
> characters that are *identical*, except for being in different code
> pages. See http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

I wrote about these issues four years ago. I still don't think they are
a security problem, given the way DNS TLDs and the browser CAs operate.

There are fonts in which "l" and "I" are *identical* (Gill Sans is an
example, IIRC).

> FWIW, I've filed the bugs I did on this issue at normal priority,
> because it was not at all clear to me that the bug meets the criteria
> for being release critical, since the actual bug is in the basic design
> of unicode domain names, in the lacking procedures of the CAs and
> registrars who do not check for homograph issues, and in the overall
> design of so-called ecommerce "security". Any fixes in the packages can
> at best only be heuristics and workarounds, and will likely just lead to
> an escalating arms race if this problem is worth exploiting.

Oh, in this case, our opinions on this matter aren't too different after all.
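The cross-script homograph Joey describes, a label that mixes Latin letters with a visually identical letter from another script, is the kind of thing the registrar and CA checks he mentions would look for. The following is an added example, not code from this thread; it uses Python's bundled idna codec and a script heuristic derived from Unicode character names, which is an assumption standing in for the real UTS #39 confusable tables.

```python
import unicodedata


def decode_label(label: str) -> str:
    """Decode a punycode (xn--) DNS label to its Unicode form; others pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def label_scripts(label: str) -> set:
    """Return the scripts used by the letters of a label, taken from the first
    word of each character's Unicode name (LATIN, CYRILLIC, GREEK, ...).
    Heuristic: a simplification of the per-character script property."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens carry no script
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def mixed_script_labels(hostname: str) -> list:
    """Return (decoded_label, scripts) for every label of hostname whose
    letters come from more than one script, the signature of a
    cross-script homograph such as Latin 'paypal' with a Cyrillic 'a'."""
    flagged = []
    for raw in hostname.rstrip(".").split("."):
        label = decode_label(raw)
        scripts = label_scripts(label)
        if len(scripts) > 1:
            flagged.append((label, sorted(scripts)))
    return flagged


# Constructed sample hostnames: a Latin name, an all-Cyrillic name, the Latin
# name with its first 'a' replaced by CYRILLIC SMALL LETTER A (U+0430), and
# that same mixed label in its punycode (xn--) form.
SAMPLE_HOSTS = [
    "paypal.example",
    "\u043f\u043e\u0447\u0442\u0430.example",
    "p\u0430ypal.example",
    "p\u0430ypal.example".encode("idna").decode("ascii"),
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(host, "->", mixed_script_labels(host) or "single-script")
```

Single-script lookalikes such as the "l"/"I" pair in Gill Sans are not caught by this check; they need per-font or per-character confusable tables rather than a script test.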