
Re: [idn] spoofing by combining diacritical marks



What I am hearing is that you are asking the *standard* to avoid a problem
created by a *broken* implementation. This is too far-fetched for me to
understand.

The right thing to do, in engineering terms, is to fix the broken
implementation.

-James Seng

----- Original Message -----
From: "Soobok Lee" <lsb@postel.co.kr>
To: "Mark Davis" <mark@macchiato.com>; <idn@ops.ietf.org>
Sent: Thursday, August 30, 2001 11:24 AM
Subject: Re: [idn] spoofing by combining diacritical marks


> You are right.
>
> The standard is specifying that double <Acute>s should be displayed with
> stacked <acute>s above the base character. But Win2K/98 doesn't display
> them correctly. If <acute> is repeated 10 times, that is beyond most commercial
> rendering engines' capability, and that can be utilized for spoofing.
> The only feasible solution to this problem is prohibiting them by zone-masters, I believe.
>
>
> BTW, Unicode Standard Chap2. Section 2.6, Figure 2-10 has an example:
>
>   <latin a><combining dot below><combining dot above>
>   <latin a><combining dot above><combining dot below>
>
>  These two sequences are defined to have the same look.
>  But I can't yet find any _NORMALIZATION_ rules to unify them.
>
>  Does the Unicode standard have any rules to unify them?
>
>  Soobok
>
>
>
> ----- Original Message -----
> From: "Mark Davis" <mark@macchiato.com>
> To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> Sent: Thursday, August 30, 2001 11:34 AM
> Subject: Re: [idn] spoofing by combining diacritical marks
>
>
> > The standard *does* specify the appropriate display behavior for such
> > circumstances. See http://www.unicode.org/unicode/uni2book/ch02.pdf, Section
> > 2.6.
> >
> > However, some implementations may not yet implement that behavior.
> >
> > Mark
> >
> > —————
> >
> > Γνῶθι σαυτόν — Θαλῆς
> > [http://www.macchiato.com]
> > ----- Original Message -----
> > From: "Soobok Lee" <lsb@postel.co.kr>
> > To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> > Sent: Wednesday, August 29, 2001 17:19
> > Subject: Re: [idn] spoofing by combining diacritical marks
> >
> >
> > > More self-comment:
> > >
> > >   The current Unicode standard has _no_ normalization rules on
> > >     repeated <acute>s (and other diacritical marks) to prevent them from
> > >     looking different according to their positions in Unicode strings.
> > >
> > >   The second <Acute> in the <acute><Acute> does not display in some
> > >   cases.
> > >
> > >   This problem is somewhat out of IDN WG scope and should be reviewed
> > >   by relevant standards organizations.
> > >
> > >   Zone masters should be aware of this and filter out spoofing domains.
> > >
> > >  Soobok Lee
> > >
> > >
> > > ----- Original Message -----
> > > From: "Soobok Lee" <lsb@postel.co.kr>
> > > To: <idn@ops.ietf.org>
> > > Sent: Wednesday, August 29, 2001 9:15 AM
> > > Subject: [idn] spoofing by combining diacritical marks
> > >
> > >
> > > > Hi,
> > > > To exemplify what JCK pointed out,
> > > > I ran two experiments with two labels with <acute>.
> > > > Look at the enclosed excerpts.
> > > >
> > > > The second one has <acute><acute>, but looks the same as the single-<acute> one.
> > > >
> > > > Does this problem come from the rendering engine (of win2k)
> > > > or from the definition of <acute> itself ?
> > > >
> > > > Soobok Lee
> > > >
> > > > ----------------------------------------------------------------------
> > > >
> > > > www.k%u0301ol.com
> > > >
> > > > www.ḱol.com
> > > >
> > > >
> > > >
> > > > www.k%u0301%u0301ol.com
> > > >
> > > >
> > > > www.ḱ́ol.com
> > > >
> > > >
> > > >
> > > > <html>
> > > > <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> > > > <body>
> > > > <Script>
> > > > str=("www.k%u0301ol.com");
> > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > document.writeln(str);
> > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > document.writeln(unescape(str));
> > > > document.write("</font><br><p>");
> > > > </script>
> > > > <Script>
> > > > str=("www.k%u0301%u0301ol.com");
> > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > document.writeln(str);
> > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > document.writeln(unescape(str));
> > > > document.write("</font><br><p>");
> > > > </script>
> > > >
> > > > http://www.postel.co.kr/etc/f2.html
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>
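Added example (not part of the thread and not code from any of its participants): a registry-side check of the kind the thread suggests zone masters apply, run on the two labels from the experiment. Unicode normalization does not collapse a repeated mark such as <acute><acute>, while canonical ordering does make the two dot-below/dot-above spellings compare equal after NFC. The function names and the MAX_MARKS limit are assumptions made for this illustration.

```javascript
// Added example, not from the thread. MAX_MARKS and all function names are
// assumptions chosen for illustration; sample labels are constructed.
const MAX_MARKS = 2; // assumed per-base limit; tune per script/zone policy

const hex = (ch) =>
  "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

// Group the NFD form into {base, marks[]} clusters. NFD is used so that a
// precomposed letter and its decomposed spelling are analysed alike.
function clusters(label) {
  const out = [];
  for (const ch of label.normalize("NFD")) {
    if (/^\p{M}$/u.test(ch) && out.length > 0) out[out.length - 1].marks.push(ch);
    else out.push({ base: ch, marks: [] });
  }
  return out;
}

// Return a list of reasons to refuse the label (empty list = acceptable).
function checkLabel(label) {
  const problems = [];
  for (const { base, marks } of clusters(label)) {
    // Adjacent identical marks survive normalization and may not render.
    const repeated = marks.filter((m, i) => i > 0 && m === marks[i - 1]);
    for (const m of new Set(repeated)) {
      problems.push(`repeated ${hex(m)} on "${base}"`);
    }
    if (marks.length > MAX_MARKS) {
      problems.push(`${marks.length} combining marks on "${base}"`);
    }
  }
  return problems;
}

// Canonical equivalence: true when two spellings normalize to the same NFC.
function canonicallyEqual(a, b) {
  return a.normalize("NFC") === b.normalize("NFC");
}

const single = "www.k\u0301ol.com";        // the thread's first label
const doubled = "www.k\u0301\u0301ol.com"; // the thread's second label
console.log(checkLabel(single));   // []
console.log(checkLabel(doubled));  // [ 'repeated U+0301 on "k"' ]
console.log(canonicallyEqual(single, doubled));                  // false
console.log(canonicallyEqual("a\u0323\u0307", "a\u0307\u0323")); // true
```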