Re: IDN problem.... :(

From: Arcane Jill (
Date: Fri Feb 11 2005 - 02:56:16 CST

  • Next message: Michael Everson: "RE: IDN problem.... :("

    Here's an idea.

    Have the browser perform a SHA-256 hash of the UTF-8 representation of the
    domain name. Use the bits of this hash to define a color pallette, and a small
    image. Display the image using the generated color pallete. A faked domain name
    will cause a different image (or possibly the same image but with different
    colors) to be displayed. This alone won't completely eliminate spoofing, since
    the user will have to "remember" which image goes with which legitimate domain,
    but it's better than not being able to distinguish at all.


    -----Original Message-----
    From: []On
    Behalf Of Werner LEMBERG
    Sent: 11 February 2005 05:30
    Subject: Re: IDN problem.... :(

    > > >For that matter, I can construct a perfect "paypal" string using
    > > >ONLY Cyrillic letters. Restrictions to one script doesn't prevent
    > > >the homograph attack. It just requires one to be more clever.

    Without knowing the IDN standard: Why not adding a character to the
    IDN string which gives a checksum (MD5 or something similar) of the
    string to be displayed? This character would stay unrendered, and it
    makes it virtually impossible to fake an address with a different


    This archive was generated by hypermail 2.1.5 : Fri Feb 11 2005 - 02:57:46 CST