On Friday 16 March 2007 11:53, Alan Coopersmith wrote:
> (Short summary: there are multiple Unicode
> characters that appear very similarly to base ASCII characters -
> close enough that users may not notice that when they clicked on
> the URL in their e-mail to what looks like their bank's web site,
> it was really an IDN-encoded URL using said Unicode characters to
> appear like their bank's website when it's not.)

But this is not an IDN-specific problem. Email spam often formats HTML to
trick recipients into clicking to "update their bank account" with some
minimal HTML formatting, and without IDN. One can't prevent users from
clicking, and removing IDN won't prevent HTML formatting either:

<A HREF="http://www.nytimes.com/"><FONT COLOR="#0000ff">www.chase.com/onlinebanking/accounts/login.php</FONT></A>

The only reliable prevention to this problem is "Hover the URL before you click".

--Stefan

-- 
Stefan Teleman          'Nobody Expects the Spanish Inquisition'
KDE e.V.                          -Monty Python
stefan.teleman at gmail.com
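
The mismatch shown in the message above (link text naming one host, HREF pointing at another) can also be checked mechanically on the mail side. The following is an added example, not part of the original post: it flags anchors whose visible text looks like a URL for a different host than the HREF, and anchors whose real host is an IDN. The names `LinkAuditor`, `audit` and `SAMPLE` are hypothetical, and every sample link other than the one quoted from the message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that starts like a URL or a bare host name, e.g. "www.chase.com/login".
HOSTLIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?([^\s/:?#@]+\.[^\s/:?#@]{2,})", re.I)

def shown_host(text):
    """Host the visible text claims to lead to, or None if the text is not URL-like."""
    m = HOSTLIKE.match(text.strip())
    return m.group(1).lower().rstrip(".") if m else None

def real_host(href):
    """Host the HREF actually points at ('' if absent or unparsable)."""
    try:
        return (urlsplit(href).hostname or "").lower()
    except ValueError:  # malformed netloc such as an unclosed '['
        return ""

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":  # HTMLParser lowercases tag and attribute names
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:  # inside an <a>, nested tags such as <font> included
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text, target = "".join(self._text).strip(), real_host(self._href)
        self._href = None
        claimed, reasons = shown_host(text), []
        if claimed and target and claimed != target:  # strict comparison, no alias list
            reasons.append("text-host-mismatch")
        if not target.isascii() or any(p.startswith("xn--") for p in target.split(".")):
            reasons.append("idn-host")
        if reasons:
            self.findings.append((text, target, reasons))

def audit(html):
    """Return a list of (link text, real host, reasons) for suspicious anchors."""
    auditor = LinkAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings

# First anchor is the one quoted in the message; the other two are constructed.
SAMPLE = ('<A HREF="http://www.nytimes.com/"><FONT COLOR="#0000ff">'
          'www.chase.com/onlinebanking/accounts/login.php</FONT></A>'
          '<a href="https://www.example.org/news">www.example.org/news</a>'
          '<a href="http://xn--bcher-kva.example/">Book shop</a>')
```

Calling `audit(SAMPLE)` reports the first and third anchors and leaves the second alone, since its text and HREF name the same host.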
