
Re: [idn] spoofing by combining diacritical marks



You are right.

The standard specifies that double <acute>s should be displayed with
stacked <acute>s above the base character. But Win2K/98 doesn't display
them correctly. If <acute> is repeated 10 times, that is beyond most commercial
rendering engines' capability, and that can be utilized for spoofing.
The only feasible solution to this problem is prohibiting them by zone-masters, I believe.


BTW, Unicode Standard Chap. 2, Section 2.6, Figure 2-10 has an example:

  <latin a><combining dot below><combining dot above>
  <latin a><combining dot above><combining dot below>

 These two sequences are defined to have the same look.
 But I can't yet find any _NORMALIZATION_ rules to unify them.

 Does the Unicode Standard have any rules to unify them?

 Soobok



----- Original Message -----
From: "Mark Davis" <mark@macchiato.com>
To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
Sent: Thursday, August 30, 2001 11:34 AM
Subject: Re: [idn] spoofing by combining diacritical marks


> The standard *does* specify the appropriate display behavior for such
> circumstances. See http://www.unicode.org/unicode/uni2book/ch02.pdf, Section
> 2.6.
>
> However, some implementations may not yet implement that behavior.
>
> Mark
>
> —————
>
> Γνῶθι σαυτόν — Θαλῆς
> [http://www.macchiato.com]
> ----- Original Message -----
> From: "Soobok Lee" <lsb@postel.co.kr>
> To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> Sent: Wednesday, August 29, 2001 17:19
> Subject: Re: [idn] spoofing by combining diacritical marks
>
>
> > More self-comment:
> >
> >   The current Unicode standard has _no_ normalization rules on
> >     repeated <acute>s (and other diacritical marks) to prevent them from
> >     looking different according to their positions in Unicode strings.
> >
> >   The second <Acute> in the <acute><Acute> does not display in some
> >   cases.
> >
> >   This problem is somewhat out of IDN WG scope and should be reviewed
> >   by relevant  standard organizations.
> >
> >   Zone masters should be aware of this and filter out spoofing domains.
> >
> >  Soobok Lee
> >
> >
> > ----- Original Message -----
> > From: "Soobok Lee" <lsb@postel.co.kr>
> > To: <idn@ops.ietf.org>
> > Sent: Wednesday, August 29, 2001 9:15 AM
> > Subject: [idn] spoofing by combining diacritical marks
> >
> >
> > > Hi,
> > > To exemplify what JCK pointed out,
> > > I ran two experiments with two labels with <acute>.
> > > Look at the enclosed excerpts.
> > >
> > > The second one has <acute><acute>, but looks the same as the single-<acute> one.
> > >
> > > Does this problem come from the rendering engine (of Win2K)
> > > or from the definition of <acute> itself?
> > >
> > > Soobok Lee
> >
> > > ---------------------------------------------------------------------------
> > >
> > > www.k%u0301ol.com
> > >
> > > www.ḱol.com
> > >
> > >
> > >
> > > www.k%u0301%u0301ol.com
> > >
> > >
> > > www.ḱ́ol.com
> > >
> > >
> > >
> > > <html>
> > > <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> > > <body>
> > > <Script>
> > > str=("www.k%u0301ol.com");
> > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > document.writeln(str);
> > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > document.writeln(unescape(str)); document.write("</font><br><p>");
> > > </script>
> > > <Script>
> > > str=("www.k%u0301%u0301ol.com");
> > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > document.writeln(str);
> > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > document.writeln(unescape(str)); document.write("</font><br><p>");
> > > </script>
> > >
> > > http://www.postel.co.kr/etc/f2.html
> > >
> > >
> >
> >
> >
>
>
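The two cases raised in this thread, as an added example that is not part of any poster's message: canonical normalization brings the Figure 2-10 dot-below/dot-above pair to one form but leaves a doubled <acute> distinct from a single one, so a zone-side check has to reject the repeat explicitly. The function names and the `maxMarks` limit are assumptions, and the sample labels are constructed from the sequences quoted above.

```javascript
// Added example, not code from the thread. Function names and the
// maxMarks limit are hypothetical; sample labels are constructed from
// the sequences quoted in the messages.

// List code points as U+XXXX so look-alike strings can be told apart.
function codePoints(s) {
  return [...s]
    .map(c => "U+" + c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"))
    .join(" ");
}

// Canonical equivalence: equal after normalization. Canonical ordering
// sorts marks of different combining classes (dot below 220, dot above 230).
function canonicallyEqual(a, b) {
  return a.normalize("NFC") === b.normalize("NFC");
}

// Zone-side policy check. Works on NFD so that precomposed letters
// (e.g. U+1E31) are counted the same as base + mark sequences.
function checkLabel(label, maxMarks = 2) {
  let seen = new Set();
  for (const ch of label.normalize("NFD")) {
    if (!/\p{M}/u.test(ch)) { seen = new Set(); continue; } // new base character
    if (seen.has(ch)) {
      return { ok: false, reason: "repeated mark " + codePoints(ch) };
    }
    seen.add(ch);
    if (seen.size > maxMarks) {
      return { ok: false, reason: "more than " + maxMarks + " marks on one base" };
    }
  }
  return { ok: true, reason: "" };
}

// Constructed samples: the thread's two labels and the Figure 2-10 pair.
const single = "k\u0301ol", doubled = "k\u0301\u0301ol";
const dotsA = "a\u0323\u0307", dotsB = "a\u0307\u0323";

console.log(codePoints(dotsA.normalize("NFC")), "|", codePoints(dotsB.normalize("NFC")));
console.log("dot pair equivalent:", canonicallyEqual(dotsA, dotsB));
console.log("single vs doubled acute equivalent:", canonicallyEqual(single, doubled));
console.log(codePoints(single), checkLabel(single));
console.log(codePoints(doubled), checkLabel(doubled));
```

The repeat check looks at every mark attached to one base rather than only adjacent ones, because marks of the same combining class are not reordered by normalization.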