[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [idn] spoofing by combining diacritical marks
A display engine should differentiate between one acute and two acutes.
However, if it doesn't distinguish between 9 acutes and 10 acutes, the
likelyhood of that being used for spoofing is, shall we say, extremely
remote. Someone would have to have a legitimate URL with a singe character
having 9 acutes on it, for someone else to spoof it with 10.
BTW, the recommended fallback, when an accent cannot be properly stacked or
applied to the previous character, is to display it over a dotted circle
after the original base. There is information on this in chapter 5.
The newer versions of systems, using technology such as OpenType, do allow
the proper display of multiple accents.
Mark
—————
Γνῶθι σαυτόν — Θαλῆς
[http://www.macchiato.com]
----- Original Message -----
From: "Soobok Lee" <lsb@postel.co.kr>
To: "Mark Davis" <mark@macchiato.com>; <idn@ops.ietf.org>
Sent: Wednesday, August 29, 2001 20:24
Subject: Re: [idn] spoofing by combining diacritical marks
> You are right.
>
> The standard is specifying that double <Acute>s should be displayed with
> stacked <acute>s above the base character. But Win2K/98 doesn't display
> them correctly. If <acute> is repeated 10 times, that is beyond most
commercial
> rendering engine's capability and that can be utilized for spoofing
> ONly feasible solution to this problem is prohibiting them by
zone-masters,i believe.
>
>
> BTW, Unicode Standard Chap2. Section 2.6, Figure 2-10 has an example:
>
> <latin a><combining dot below><combining dot above>
> <latin a><combining dot above><combining dot below>
>
> These two sequences are defined to have the same look
> But, I can't find yet any _NORMALIZATION_ rules to unify them.
>
> Does unicode standards have any rules to unify them ?
>
> Soobok
>
>
>
> ----- Original Message -----
> From: "Mark Davis" <mark@macchiato.com>
> To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> Sent: Thursday, August 30, 2001 11:34 AM
> Subject: Re: [idn] spoofing by combining diacritical marks
>
>
> > The standard *does* specify the appropriate display behavior for such
> > circumstances. See http://www.unicode.org/unicode/uni2book/ch02.pdf,
Section
> > 2.6.
> >
> > However, some implementations may not yet implement that behavior.
> >
> > Mark
> >
> > —————
> >
> > Γνῶθι σαυτόν — Θαλῆς
> > [http://www.macchiato.com]
> > ----- Original Message -----
> > From: "Soobok Lee" <lsb@postel.co.kr>
> > To: "Soobok Lee" <lsb@postel.co.kr>; <idn@ops.ietf.org>
> > Sent: Wednesday, August 29, 2001 17:19
> > Subject: Re: [idn] spoofing by combining diacritical marks
> >
> >
> > > More self-comment:
> > >
> > > Current unicode standard have _no_ normalization rules on
> > > repeated <acute>s ( and other diacritical marks) to prevent them
from
> > > looking differently according to their positions in unicode
strings.
> > >
> > > The second <Acute> in the <acute><Acute> does not display in some
> > > cases.
> > >
> > > This problem is somewhat out of IDN WG scope and should be reviewed
> > > by relevant standard organizations.
> > >
> > > Zone masters should be aware of this and filter out spoofing
domains..
> > >
> > > Soobok Lee
> > >
> > >
> > > ----- Original Message -----
> > > From: "Soobok Lee" <lsb@postel.co.kr>
> > > To: <idn@ops.ietf.org>
> > > Sent: Wednesday, August 29, 2001 9:15 AM
> > > Subject: [idn] spoofing by combining diacritical marks
> > >
> > >
> > > > Hi,
> > > > To exemplify what JCK pointed out,
> > > > I took two experiments with two labels with <acute>.
> > > > Look into the enclosed excerpts.
> > > >
> > > > The second one has <acute><acute>,but look the same with
> > single-<acute> one.
> > > >
> > > > Does this problem come from the rendering engine (of win2k)
> > > > or from the definition of <acute> itself ?
> > > >
> > > > Soobok Lee
> > >
> >
> --------------------------------------------------------------------------
> > -------------------------------------
> > > >
> > > > www.k%u0301ol.com
> > > >
> > > > www.ḱol.com
> > > >
> > > >
> > > >
> > > > www.k%u0301%u0301ol.com
> > > >
> > > >
> > > > www.ḱ́ol.com
> > > >
> > > >
> > > >
> > > > <html>
> > > > <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> > > > <body>
> > > > <Script>
> > > > str=("www.k%u0301ol.com");
> > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > document.writeln(str);
> > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > document.writeln(unescape(str)); document.write("</font><br><p>");
> > > > </script>
> > > > <Script>
> > > > str=("www.k%u0301%u0301ol.com");
> > > > document.write("<br><font size=+1 face='Times New Roman'>");
> > > > document.writeln(str);
> > > > document.write("<br><p><font size=+3 face='Times New Roman'>");
> > > > document.writeln(unescape(str)); document.write("</font><br><p>");
> > > > </script>
> > > >
> > > > http://www.postel.co.kr/etc/f2.html
> > > >
> > > >
> > >
> > >
> > >
> >
> >
>
>