Re: [idn] IDN spoofing

From: Peter Kirk (
Date: Mon Feb 21 2005 - 05:10:02 CST


    On 20/02/2005 01:37, Erik van der Poel wrote:

    > ...
    >> All that this shows is that there is no easy answer to the spoofing
    >> problem. At least, a simplistic ban on mixed scripts doesn't work. A
    >> confusables mapping might provide a solution, but I have seen no good
    >> suggestions on how this might be presented to an end user.
    > I have high hopes for Neil Harris' algorithm, involving looking for
    > strings that consist entirely of homographs, within a context where
    > those would not be expected. The feedback to the user could be to
    > simply leave those domain names in Punycode form. Hopefully, the user
    > will look at the domain name before typing in a credit card number.

    A good algorithm would certainly help. But presenting Punycode versions
    to the user would not. In fact it would be counter-productive in a
    Cyrillic environment, because an all-ASCII spoof (e.g. of a
    genuine Cyrillic name would appear unchanged in Punycode and so look
    like the real thing, whereas the real thing would become unreadable

    Peter Kirk (personal) (work)
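
Added example, not part of the original message and not Neil Harris' actual algorithm: a simplified Python sketch of the all-homograph check discussed above, generalized to both directions, showing that a Punycode fallback gives a Cyrillic-environment user no visible signal. The lookalike table, the `user_script` parameter and both sample labels are constructed assumptions.

```python
# Constructed sample table: Cyrillic letters with Latin lookalikes
# (illustrative only, not a complete confusables list).
CYR_TO_LAT = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u043a": "k",
    "\u0456": "i", "\u0455": "s", "\u0458": "j",
}
LAT_TO_CYR = {lat: cyr for cyr, lat in CYR_TO_LAT.items()}

GENUINE = "\u0441\u0443\u0440\u043e\u043a"  # constructed Cyrillic label
SPOOF = "cypok"                             # constructed all-ASCII lookalike


def to_ace(label: str) -> str:
    """Punycode (ACE) form of one label; nameprep is skipped for brevity."""
    if label.isascii():
        return label  # an ASCII label is already its own ACE form
    return "xn--" + label.encode("punycode").decode("ascii")


def all_homographs(label: str, user_script: str) -> bool:
    """True if every character is a lookalike from the script this user
    does not expect (hypothetical model of 'context')."""
    if not label:
        return False
    if user_script == "Latin":
        return all(ch in CYR_TO_LAT for ch in label)
    if user_script == "Cyrillic":
        return all(ch in LAT_TO_CYR for ch in label)
    return False


def punycode_fallback(label: str, user_script: str) -> str:
    """What the user sees if suspicious labels are left in Punycode form."""
    return to_ace(label) if all_homographs(label, user_script) else label


if __name__ == "__main__":
    # Latin environment: the Cyrillic lookalike becomes visibly different.
    print("Latin user, Cyrillic label:", punycode_fallback(GENUINE, "Latin"))
    # Cyrillic environment: the ASCII spoof is flagged, yet displays unchanged.
    print("flagged:", all_homographs(SPOOF, "Cyrillic"),
          "shown as:", punycode_fallback(SPOOF, "Cyrillic"))
    # Forcing Punycode on the genuine name only hides the real thing.
    print("genuine name in Punycode:", to_ace(GENUINE))
```

In the Cyrillic case the check itself works; only the feedback channel fails, so a reverse-direction detection needs some warning other than the Punycode form.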