From: Shawn Steele (Shawn.Steele@microsoft.com)
Date: Mon Nov 29 2010 - 14:29:30 CST
I don't know enough about these scripts. Maybe the site owner would want to register both forms themselves? I've also blogged about homographs some: http://blogs.msdn.com/b/shawnste/archive/2009/07/07/unicode-idn-idna-eai-ima-and-homograph-security.aspx
IMO homographs aren't really that exciting as a security vector. They can be confusable, and perhaps aid a little in a social attack, but it is trivial for an attacker to defeat any homograph detector or use some other slight social engineering trick to get users to visit. My pet peeve in this space is the number of legitimate businesses that redirect to a third party. (eg: toysrus.orderprocessing.com instead of orderprocessing.toysrus.com). So then you have no clue if the vendor is one you should be trusting or not from the URL. Not that "average" users can tell the difference anyway.
From: email@example.com [mailto:firstname.lastname@example.org] On Behalf Of Shriramana Sharma
Sent: Monday, November 29, 2010 11:52 AM
Subject: Re: Phishing and enforcing Confusables.txt
On Mon, Nov 29, 2010 at 11:45 PM, Mahesh T. Pai <email@example.com> wrote:
> Would identifying situations where rendering systems should not do
> glyph substitution / reordering, etc when faced with multiple scripts
> help in any way here?
It really is not necessary here. There is no question of rendering.
Only of encoded character streams.
If somebody has first registered [0C85 0CB0 0C97].com (Kannada ಅರಗ) then later [0C05 0C30 0C17].com (Telugu అరగ) should not be permitted to be registered, and vice versa.
So the rendering doesn't really matter here but it would matter in situations where glyph reordering occurs in Indic (or elsewhere). For example, if the glyph for Bengali E ে is confusable with something else, say Bengali ২ (just imagine that that's confusable) then
BENGALI LETTER XXX + BENGALI VOWEL SIGN E
should be confusable with
BENGALI DIGIT TWO + BENGALI LETTER XXX
and a simple mapping of BENGALI VOWEL SIGN E to BENGALI DIGIT TWO (or vice versa) would not be sufficient because the real confusion *in the mind of the user* occurs *after rendering* and when the characters are displayed on screen.
UTR36/39 don't seem to take this exactly into consideration.
http://unicode.org/reports/tr36/#TableCombiningMarkOrderSpoofing only talks about when two vowel signs are applied to the same consonant -- not when one confusable is a reordrant vowel sign and another is a non-reordering (usually consonant) character. Such cases are to be found in other Indic scripts as well.
BTW I should mention that the example ARAGA is not really a word in Kannada or Telugu AFAIK but just something I gave for its confusable nature.
This archive was generated by hypermail 2.1.5 : Mon Nov 29 2010 - 14:31:26 CST