Stefan Teleman wrote:
> On Friday 16 March 2007 11:53, Alan Coopersmith wrote:
> 
>> (Short summary: there are multiple Unicode
>> characters that appear very similarly to base ASCII characters -
>> close enough that users may not notice that when they clicked on
>> the URL in their e-mail to what looks like their bank's web site,
>> it was really an IDN-encoded URL using said Unicode characters to
>> appear like their bank's website when it's not.)
> 
> But this is not an IDN-specific problem. Email spam often formats HTML 
> to trick recipients into clicking to "update their bank account"  
> with some minimal HTML formatting, and without IDN. One can't prevent 
> users from clicking, and removing IDN won't prevent HTML formatting 
> either:
> 
> <A HREF="http://www.nytimes.com/"><FONT 
> COLOR="#0000ff">www.chase.com/onlinebanking/accounts/login.php</FONT></A>
> 
> The only reliable prevention to this problem is "Hover the URL before 
> you click".

The IDN-specific problem is that it breaks your solution of hovering the URL,
since the URL can appear to the naked eye to be correct, when it is using
alternate characters instead. For instance, the Unicode character 0430
(Cyrillic Small Letter A) looks very much like "a" in most fonts, so a human
may not notice they're going to bofа.com instead of bofa.com if the
strings are presented in native-language format.

The original advisory on this is at http://www.shmoo.com/idn/homograph.txt
(You won't see the problem in their examples in modern browsers because
they dropped IDN support, so you see the ASCII coded URL instead.)

Really, this isn't a problem for this case, but for any application which uses
this library to show DNS names in a way in which users are supposed to verify
the name is correct, such as web browsers.

-- 
        -Alan Coopersmith-           alan.coopersmith at sun.com
         Sun Microsystems, Inc. - X Window System Engineering
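The display-side mitigation the thread is circling around, as an added example (not code from this thread or from the library under discussion): a hostname is shown in Unicode only when every label is single-script and not built entirely from Latin lookalikes; otherwise the punycode form is shown so the "bofа.com" case from the message above is visible to the user. The LATIN_LOOKALIKES table is a constructed, deliberately partial subset of Unicode's confusables data, and the script classification is a coarse one based on Unicode character names.

```python
import unicodedata

# Cyrillic lowercase letters that render like Latin letters in most fonts.
# Constructed, partial subset for illustration; the real confusables table
# published by Unicode is far larger.
LATIN_LOOKALIKES = {"\u0430", "\u0435", "\u043e", "\u0440", "\u0441", "\u0443", "\u0445"}


def script_of(ch):
    """Coarse script classification: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-' belong to no script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def decode_label(label):
    """Return the Unicode form of one DNS label; 'xn--' labels are punycode-decoded."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def label_risk(label):
    """Return a reason string if the label is a homograph risk, else None."""
    u = decode_label(label)
    scripts = {script_of(c) for c in u} - {"COMMON"}
    if len(scripts) > 1:
        # Latin and Cyrillic letters mixed in one label: the classic bofа.com case.
        return "mixed scripts: " + ", ".join(sorted(scripts))
    letters = [c for c in u if c.isalpha()]
    if scripts == {"CYRILLIC"} and letters and all(c in LATIN_LOOKALIKES for c in letters):
        # Single-script, but every letter has a Latin twin, so it still reads as Latin.
        return "whole-script confusable with Latin"
    return None


def display_form(host):
    """Return the host as a user should see it: Unicode when safe, punycode when risky."""
    labels = host.split(".")
    if any(label_risk(label) for label in labels):
        return host.encode("idna").decode("ascii")
    return ".".join(decode_label(label) for label in labels)
```

A mail client or browser that applies display_form to the hover text makes the "hover before you click" advice hold again for IDN, since the risky name shows up as an xn-- string rather than as its lookalike.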
