RE: Phishing and enforcing Confusables.txt

From: Shawn Steele (Shawn.Steele@microsoft.com)
Date: Mon Nov 29 2010 - 14:29:30 CST

Next message: Shawn Steele: "RE: Phishing and enforcing Confusables.txt"

Previous message: Shriramana Sharma: "Re: Phishing and enforcing Confusables.txt"
In reply to: Shriramana Sharma: "Re: Phishing and enforcing Confusables.txt"
Next in thread: Mahesh T. Pai: "Re: Phishing and enforcing Confusables.txt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

I don't know enough about these scripts. Maybe the site owner would want to register both forms themselves? I've also blogged about homographs some: http://blogs.msdn.com/b/shawnste/archive/2009/07/07/unicode-idn-idna-eai-ima-and-homograph-security.aspx

IMO homographs aren't really that exciting as a security vector. They can be confusable, and perhaps aid a little in a social attack, but it is trivial for an attacker to defeat any homograph detector or use some other slight social engineering trick to get users to visit. My pet peeve in this space is the number of legitimate businesses that redirect to a third party. (eg: toysrus.orderprocessing.com instead of orderprocessing.toysrus.com). So then you have no clue if the vendor is one you should be trusting or not from the URL. Not that "average" users can tell the difference anyway.

-Shawn

-----Original Message-----
From: unicode-bounce@unicode.org [mailto:unicode-bounce@unicode.org] On Behalf Of Shriramana Sharma
Sent: Monday, November 29, 2010 11:52 AM
To: unicode@unicode.org
Subject: Re: Phishing and enforcing Confusables.txt

On Mon, Nov 29, 2010 at 11:45 PM, Mahesh T. Pai <paivakil@gmail.com> wrote:
> Would identifying situations where rendering systems should not do
> glyph substitution / reordering, etc when faced with multiple scripts
> help in any way here?

It really is not necessary here. There is no question of rendering.
Only of encoded character streams.

If somebody has first registered [0C85 0CB0 0C97].com (Kannada ಅರಗ) then later [0C05 0C30 0C17].com (Telugu అరగ) should not be permitted to be registered, and vice versa.

So the rendering doesn't really matter here but it would matter in situations where glyph reordering occurs in Indic (or elsewhere). For example, if the glyph for Bengali E ে is confusable with something else, say Bengali ২ (just imagine that that's confusable) then

BENGALI LETTER XXX + BENGALI VOWEL SIGN E

should be confusable with

BENGALI DIGIT TWO + BENGALI LETTER XXX

and a simple mapping of BENGALI VOWEL SIGN E to BENGALI DIGIT TWO (or vice versa) would not be sufficient because the real confusion *in the mind of the user* occurs *after rendering* and when the characters are displayed on screen.

UTR36/39 don't seem to take this exactly into consideration.
http://unicode.org/reports/tr36/#TableCombiningMarkOrderSpoofing only talks about when two vowel signs are applied to the same consonant -- not when one confusable is a reordrant vowel sign and another is a non-reordering (usually consonant) character. Such cases are to be found in other Indic scripts as well.

BTW I should mention that the example ARAGA is not really a word in Kannada or Telugu AFAIK but just something I gave for its confusable nature.

Shriramana.

Next message: Shawn Steele: "RE: Phishing and enforcing Confusables.txt"
Previous message: Shriramana Sharma: "Re: Phishing and enforcing Confusables.txt"
In reply to: Shriramana Sharma: "Re: Phishing and enforcing Confusables.txt"
Next in thread: Mahesh T. Pai: "Re: Phishing and enforcing Confusables.txt"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Mail actions: [ respond to this message ] [ mail a new topic ]

This archive was generated by hypermail 2.1.5 : Mon Nov 29 2010 - 14:31:26 CST