From: Arcane Jill (email@example.com)
Date: Fri Feb 11 2005 - 02:56:16 CST
Here's an idea.
Have the browser perform a SHA-256 hash of the UTF-8 representation of the
domain name. Use the bits of this hash to define a color palette, and a small
image. Display the image using the generated color palette. A faked domain name
will cause a different image (or possibly the same image but with different
colors) to be displayed. This alone won't completely eliminate spoofing, since
the user will have to "remember" which image goes with which legitimate domain,
but it's better than not being able to distinguish at all.
From: firstname.lastname@example.org [mailto:email@example.com]On
Behalf Of Werner LEMBERG
Sent: 11 February 2005 05:30
Cc: firstname.lastname@example.org; email@example.com
Subject: Re: IDN problem.... :(
> > >For that matter, I can construct a perfect "paypal" string using
> > >ONLY Cyrillic letters. Restrictions to one script doesn't prevent
> > >the homograph attack. It just requires one to be more clever.
Without knowing the IDN standard: Why not add a character to the
IDN string which gives a checksum (MD5 or something similar) of the
string to be displayed? This character would stay unrendered, and it
makes it virtually impossible to fake an address with a different
This archive was generated by hypermail 2.1.5 : Fri Feb 11 2005 - 02:57:46 CST
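
The hash-to-image idea from Arcane Jill's message above, sketched in Python as an added example that is not part of the original thread. The 8x8 mirrored grid, the 4-color palette, the case-folding/NFC step and the names `domain_fingerprint` and `render` are assumptions; the post specifies only SHA-256 over the UTF-8 domain name.

```python
import hashlib
import unicodedata

GRID = 8      # assumption: 8x8 cells, mirrored left to right
N_COLORS = 4  # assumption: 4-color palette, 2 bits per cell


def domain_fingerprint(domain: str):
    """Return (palette, grid) derived from SHA-256 of the UTF-8 domain name."""
    # Assumption: fold case and apply NFC so equivalent spellings of the same
    # name hash identically; the post only says "UTF-8 representation".
    canonical = unicodedata.normalize("NFC", domain).lower()
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()  # 32 bytes

    # Bytes 0..11 -> four RGB colors.
    palette = [tuple(digest[i:i + 3]) for i in range(0, 3 * N_COLORS, 3)]

    # Bytes 12..19 -> 64 bits -> 32 two-bit color indices (8 rows x 4 columns).
    bits = int.from_bytes(digest[12:20], "big")
    half = GRID // 2
    grid = []
    for row in range(GRID):
        left = []
        for col in range(half):
            shift = 2 * (row * half + col)
            left.append((bits >> shift) & 0b11)
        grid.append(left + left[::-1])  # mirror for a recognisable shape
    return palette, grid


def render(domain: str) -> str:
    """Render the grid as text; a browser would paint palette[i] instead."""
    _, grid = domain_fingerprint(domain)
    glyphs = " .oO"
    return "\n".join("".join(glyphs[i] for i in row) for row in grid)


# Constructed sample inputs: the Latin name and a lookalike whose
# second letter is CYRILLIC SMALL LETTER A (U+0430).
LATIN = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"

if __name__ == "__main__":
    for name in (LATIN, LOOKALIKE):
        print(name.encode("unicode_escape").decode(), domain_fingerprint(name)[0])
        print(render(name), end="\n\n")
```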