Re: [idn] spoofing by combining diacritical marks
Yes, if it is wrong, MS should fix it. But I guess MS and other implementors would
like to make a threshold on the max length of a sequence of combining marks for a
single base character. That is, there may be some ignored marks at rendering time,
and that breaks the "unique look" constraint.
Anyway, now, most people are using Win2k/9x, aren't they?
Until MS finishes fixing the rendering engine and most people use the patched one,
allowing <acute><acute> in IDN labels should be postponed for security reasons.
"Postpone" cannot be put into nameprep, mechanical filtering. Clear.
"Guidelines for zone-masters", optional human filtering in the registration phase,
is the only feasible choice in this case.
That was my point, not clearly described in my previous email.
Soobok
----- Original Message -----
From: "James Seng/Personal" <James@Seng.cc>
To: "Soobok Lee" <lsb@postel.co.kr>; "Mark Davis" <mark@macchiato.com>; <idn@ops.ietf.org>
Sent: Thursday, August 30, 2001 2:14 PM
Subject: Re: [idn] spoofing by combining diacritical marks
> What I am hearing is you are asking *standard* to avoid a problem
> created by a *broken* implementation. This is too far fetched for me to
> understand.
>
> The right thing to do, engineering speaking, is to fix the broken
> implementation.
>
> -James Seng
>
> ----- Original Message -----
> From: "Soobok Lee" <lsb@postel.co.kr>
> To: "Mark Davis" <mark@macchiato.com>; <idn@ops.ietf.org>
> Sent: Thursday, August 30, 2001 11:24 AM
> Subject: Re: [idn] spoofing by combining diacritical marks
>
>
> > You are right.
> >
> > The standard is specifying that double <Acute>s should be displayed with
> > stacked <acute>s above the base character. But Win2K/98 doesn't display
> > them correctly. If <acute> is repeated 10 times, that is beyond most commercial
> > rendering engine's capability and that can be utilized for spoofing.
> > Only feasible solution to this problem is prohibiting them by zone-masters, I believe.
> >
> >
> > BTW, Unicode Standard Chap2. Section 2.6, Figure 2-10 has an example:
> >
> > <latin a><combining dot below><combining dot above>
> > <latin a><combining dot above><combining dot below>
> >
> > These two sequences are defined to have the same look
> > But, I can't find yet any _NORMALIZATION_ rules to unify them.
> >
> > Does unicode standards have any rules to unify them ?
> >
> > Soobok
> >
> >
> >
> > ----- Original Message -----
> > From: "Mark Davis" <mark@macchiato.com>
> > To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> > Sent: Thursday, August 30, 2001 11:34 AM
> > Subject: Re: [idn] spoofing by combining diacritical marks
> >
> >
> > > The standard *does* specify the appropriate display behavior for such
> > > circumstances. See http://www.unicode.org/unicode/uni2book/ch02.pdf, Section
> > > 2.6.
> > >
> > > However, some implementations may not yet implement that behavior.
> > >
> > > Mark
> > >
> > > —————
> > >
> > > Γνῶθι σαυτόν — Θαλῆς
> > > [http://www.macchiato.com]
> > > ----- Original Message -----
> > > From: "Soobok Lee" <lsb@postel.co.kr>
> > > To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> > > Sent: Wednesday, August 29, 2001 17:19
> > > Subject: Re: [idn] spoofing by combining diacritical marks
> > >
> > >
> > > > More self-comment:
> > > >
> > > > Current unicode standard has _no_ normalization rules on
> > > > repeated <acute>s (and other diacritical marks) to prevent them from
> > > > looking differently according to their positions in unicode strings.
> > > >
> > > > The second <Acute> in the <acute><Acute> does not display in some
> > > > cases.
> > > >
> > > > This problem is somewhat out of IDN WG scope and should be reviewed
> > > > by relevant standard organizations.
> > > >
> > > > Zone masters should be aware of this and filter out spoofing domains.
> > > >
> > > > Soobok Lee
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "Soobok Lee" <lsb@postel.co.kr>
> > > > To: <idn@ops.ietf.org>
> > > > Sent: Wednesday, August 29, 2001 9:15 AM
> > > > Subject: [idn] spoofing by combining diacritical marks
> > > >
> > > >
> > > > > Hi,
> > > > > To exemplify what JCK pointed out,
> > > > > I took two experiments with two labels with <acute>.
> > > > > Look into the enclosed excerpts.
> > > > >
> > > > > The second one has <acute><acute>, but looks the same as the single-<acute> one.
> > > > >
> > > > > Does this problem come from the rendering engine (of win2k)
> > > > > or from the definition of <acute> itself ?
> > > > >
> > > > > Soobok Lee
> > > > >
> > > > > ----------------------------------------------------------------------
> > > > >
> > > > > www.k%u0301ol.com
> > > > >
> > > > > www.ḱol.com
> > > > >
> > > > >
> > > > >
> > > > > www.k%u0301%u0301ol.com
> > > > >
> > > > >
> > > > > www.ḱ́ol.com
> > > > >
> > > > >
> > > > >
> > > > > <html>
> > > > > <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> > > > > <body>
> > > > > <Script>
> > > > > str=("www.k%u0301ol.com");
> > > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > > document.writeln(str);
> > > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > > document.writeln(unescape(str));
> > > > > document.write("</font><br><p>");
> > > > > </script>
> > > > > <Script>
> > > > > str=("www.k%u0301%u0301ol.com");
> > > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > > document.writeln(str);
> > > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > > document.writeln(unescape(str));
> > > > > document.write("</font><br><p>");
> > > > > </script>
> > > > >
> > > > > http://www.postel.co.kr/etc/f2.html
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
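
Added example, not part of the thread or any poster's code: a registration-time screen of the kind the "guidelines for zone-masters" idea points at, flagging a label when one base character carries a repeated combining mark or more marks than a threshold. The names `checkLabel`, `sameAfterNormalization` and `MAX_MARKS`, and the limit of 2, are assumptions made for illustration. The helper also shows that canonical normalization gives the two dot-above/dot-below orders of the Figure 2-10 example the same code point sequence, while a repeated identical mark such as <acute><acute> is left in place.

```javascript
// Added example: registration-time screen for stacked combining marks.
// checkLabel, sameAfterNormalization and MAX_MARKS are illustrative names.
const MAX_MARKS = 2; // assumed policy: at most 2 marks per base character

const hex = (ch) =>
  "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");

// True when canonical normalization maps both strings to the same sequence.
function sameAfterNormalization(a, b) {
  return a.normalize("NFC") === b.normalize("NFC");
}

function checkLabel(label, maxMarks = MAX_MARKS) {
  const problems = [];
  let base = null; // most recent non-mark character
  let marks = [];  // combining marks attached to it
  const flush = () => {
    if (marks.length === 0) return;
    const where = base === null ? "start of label" : `'${base}' (${hex(base)})`;
    if (base === null) problems.push("combining mark with no base character");
    const repeated = marks.filter((m, i) => marks.indexOf(m) !== i);
    for (const m of new Set(repeated)) {
      problems.push(`repeated mark ${hex(m)} on ${where}`);
    }
    if (marks.length > maxMarks) {
      problems.push(`${marks.length} marks on ${where}, limit ${maxMarks}`);
    }
  };
  // Inspect the decomposed form so precomposed letters such as U+1E31
  // (k with acute) are counted as base + mark.
  for (const ch of label.normalize("NFD")) {
    if (/\p{M}/u.test(ch)) {
      marks.push(ch);
    } else {
      flush();
      base = ch;
      marks = [];
    }
  }
  flush();
  return { ok: problems.length === 0, problems };
}

// Constructed sample labels, taken from the escapes shown in the thread.
for (const label of ["k\u0301ol", "k\u0301\u0301ol"]) {
  console.log(JSON.stringify(label), checkLabel(label));
}
```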