
Re: [idn] nameprep2 and the slash homograph issue



Gervase Markham wrote:
> While security-conscious users are always less at risk than ordinary users, thinking in terms of a tool is IMO wrong.

Perhaps I was wrong to use the word "tool". There is a fundamental tension between security and user-friendliness. Some applications and vendors have a history of making their user interfaces *too* friendly, thereby neglecting to warn users of potential security risks. Other vendors have tried hard to strike a balance between security and seamlessness. I believe Netscape and Mozilla have been in this camp since Day One.


I hope that mozilla.org will deploy a better solution than the TLD and domain black/whitelists that have been discussed.

> > It would offer to display domain names in the safe order, i.e. left-to-right for users whose main language is left-to-right.

> The problem this is supposed to mitigate is mitigated in Firefox by the domain-only indicator in the status bar.

I just double-checked Firefox 1.0.1, and it just says "Done" at the lower left. Then I tried a secure (https) site, and, lo and behold, I saw the "domain-only" indicator at the lower right, next to the padlock icon. This is very good news (to me). And thank you for educating this particular user (me) about this security issue. As I have often said, education is key.


A couple of questions/comments: It might be nice to have this domain-only display even for non-secure sites (http). Also, do you know what happens if the domain name is very long? Finally, do you have any thoughts about the slash homograph problem? Thanks.

> > In addition, such a tool would offer to display domain names in a clear font, unlike the sans-serif that is commonly used today. This would make the distinction between lowercase l and digit 1 clearer.

> Assuming we could determine such a font, why would we not always use it? Why wait for a tool to be deployed?

Indeed, why wait? I filed a bug a while ago:

https://bugzilla.mozilla.org/show_bug.cgi?id=282079

My feeling is that a sans-serif font (such as Arial) places the characters too close to each other and does not have the serifs that often serve to distinguish the characters better. How about a fixed width font with serifs, such as Courier New?

Erik
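As an added example (not part of this thread and not Mozilla's code), a Python sketch of two points raised above: what a domain-only indicator should show for a URL, including how to shorten a very long host without losing the part that matters, and why nameprep-style NFKC folding does not catch the slash homograph. The lookalike table and the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed table: characters that look like '/' but have no NFKC
# decomposition, so nameprep/IDNA keep them and the parser never sees a '/'.
SLASH_LOOKALIKES = {
    "\u2044": "FRACTION SLASH",
    "\u2215": "DIVISION SLASH",
    "\u29f8": "BIG SOLIDUS",
    "\u2571": "BOX DRAWINGS LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT",
}

def domain_only_display(url):
    """Return {'host', 'ascii', 'warnings'}: the host a domain-only indicator
    would show, its IDNA (xn--) form, and reasons to distrust the display."""
    warnings = []
    try:
        host = urlsplit(url).hostname
    except ValueError as exc:
        # urlsplit rejects a netloc whose NFKC form introduces '/?#@:'
        # (e.g. U+FF0F FULLWIDTH SOLIDUS); treat that as unsafe, not as a host.
        return {"host": None, "ascii": None, "warnings": [str(exc)]}
    if not host:
        return {"host": None, "ascii": None, "warnings": ["no host in URL"]}
    folded = unicodedata.normalize("NFKC", host)  # nameprep-style folding
    for ch in sorted(set(folded)):
        if ch in SLASH_LOOKALIKES:
            warnings.append("U+%04X %s looks like '/'" % (ord(ch), SLASH_LOOKALIKES[ch]))
    if any(c in folded for c in "/?#@:"):
        warnings.append("host contains a URL delimiter after NFKC normalization")
    try:
        ascii_host = folded.encode("idna").decode("ascii")
    except UnicodeError as exc:
        ascii_host, warnings = None, warnings + ["not IDNA-encodable: %s" % exc]
    return {"host": host, "ascii": ascii_host, "warnings": warnings}

def truncate_host(host, width):
    """Fit a long host into `width` cells, keeping the right-hand end (the
    registrable domain and TLD), which is the part the user must verify."""
    if len(host) <= width:
        return host
    return "\u2026" + host[-(width - 1):]

if __name__ == "__main__":
    for u in ("https://www.example.com/login",
              "https://www.paypal.com\u2215login.example/signin"):
        print(u, "->", domain_only_display(u))
```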