[Cryptography] Typesetting vs. identifiers, On those spoofed domain names...

John Levine johnl at iecc.com
Mon Mar 19 12:48:44 EDT 2018


In article <20180319155456.GA7255 at localhost> you write:
>> Also right.  If you bother to learn about normalization and IDNA and
>> PRECIS and label generation rules, you can come up with usable subsets
>> of Unicode for identifiers.  It's not perfect as the Krebs article
>> rediscovered; you can't totally avoid homoglyphs, but that is not new
>> (MICR0SOFT and paypaI) and there are ways to mitigate the damage [with
>> scripts and profiles].

>A list of sets of homoglyphs is feasible, but it will take time to come
>up with something remotely complete. ...

I do not think that is true.  Look at the way that characters are
composed in many Asian languages and you quickly run into an
exponential explosion of things to compare to see if they look the
same, and sameness that changes depending on the typefaces you're
using.

The point of scripts and language profiles is that people have a
pretty good intuition of what characters a language uses and how you
can combine them and still make sense.  Also remember that input
methods are not standardized, the way you switch scripts in the middle
of a word really really isn't standardized even where it's possible,
and a name isn't very useful if you can't figure out how to type it.

R's,
John
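
A sketch of the script-profile check discussed in the message above, added here as an example and not part of the original post. The profile table and function names are hypothetical, and the script of a character is approximated from the first word of its Unicode name because Python's standard library does not expose the Script property.

```python
import unicodedata

# Hypothetical per-registry profiles: the scripts a label may draw from.
PROFILES = {
    "latin": {"LATIN"},
    "cyrillic": {"CYRILLIC"},
    "japanese": {"CJK", "HIRAGANA", "KATAKANA"},
}

def script_of(ch):
    """Approximate the Unicode script from the first word of the character name.

    Assumption: this stands in for the real Script property; ASCII digits
    and the hyphen are treated as script-neutral.
    """
    if ch in "0123456789-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def scripts_outside_profile(label, profile):
    """Return the sorted scripts used in `label` that `profile` does not allow."""
    allowed = PROFILES[profile] | {"COMMON"}
    label = unicodedata.normalize("NFC", label)
    return sorted({script_of(c) for c in label} - allowed)

def accept(label, profile):
    """A label is accepted when every character falls inside the profile."""
    return not scripts_outside_profile(label, profile)

# Constructed sample labels; the last two are the same-script lookalikes
# the quoted text cites, which a script profile cannot catch.
SAMPLES = [
    ("paypal", "latin"),
    ("p\u0430ypal", "latin"),             # U+0430 CYRILLIC SMALL LETTER A mixed in
    ("\u65e5\u672c\u3054", "japanese"),   # kanji + hiragana, normal for Japanese
    ("\u65e5\u672cgo", "japanese"),       # Latin letters outside the profile
    ("paypaI", "latin"),                  # capital I for l: still all Latin
    ("MICR0SOFT", "latin"),               # digit for letter: still accepted
]

if __name__ == "__main__":
    for label, profile in SAMPLES:
        bad = scripts_outside_profile(label, profile)
        verdict = "reject " + ",".join(bad) if bad else "accept"
        print(f"{label!r:14} {profile:9} {verdict}")
```

The check needs no table of lookalike pairs: it only asks whether each character belongs to the scripts the profile declares, which is why the mixed-script label is rejected while the two same-script lookalikes pass.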

