Florian Weimer wrote:
> People are filing security bugs because of the homograph issue. But
> is this a real security problem? Do you think we should change our
> fonts so that 1, l and I (and O and 0, of course) are more different
> visually?

That misses part of the point of the homograph issue, which is that besides characters that look confusingly alike, unicode contains characters that are *identical*, except for being in different code pages. See http://www.cs.technion.ac.il/~gabr/papers/homograph_full.pdf

Michael Stone wrote:
> Yes it does. Ecommerce security is founded on the idea that if the
> little padlock is lit up you're secure. That little padlock is based on
> the name.

And if you have trusted that little padlock with anything important anytime recently without at least making sure you have reasonable insurance, you've not been paying attention.

FWIW, I've filed the bugs I did on this issue at normal priority, because it was not at all clear to me that the bug meets the criteria for being release critical, since the actual bug is in the basic design of unicode domain names, in the lacking procedures of the CAs and registrars who do not check for homograph issues, and in the overall design of so-called ecommerce "security". Any fixes in the packages can at best only be heuristics and workarounds, and will likely just lead to an escalating arms race if this problem is worth exploiting.

-- 
see shy jo
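An added illustration of the two points above (look-alike code points from another script, and why client-side fixes are only heuristics), not part of the original message: a mixed-script check catches a label that mixes Latin and Cyrillic, but a label spelled entirely in Cyrillic look-alikes passes it and is only caught by folding the look-alikes onto their Latin twins. The sample labels and the small look-alike table are constructed for this example.

```python
import unicodedata

# Constructed: Cyrillic letters that render identically to Latin ones in most fonts.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def script_of(ch: str) -> str:
    """Coarse script bucket derived from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"):
        if name.startswith(script):
            return script
    if ch.isdigit() or ch == "-":
        return "COMMON"  # legal in any label, does not count as a script
    return "OTHER"

def scripts_in(label: str) -> set:
    """Set of scripts a label draws on, after NFKC normalisation."""
    return {script_of(c) for c in unicodedata.normalize("NFKC", label)} - {"COMMON"}

def is_mixed_script(label: str) -> bool:
    """Heuristic 1: a single label using more than one script is suspicious."""
    return len(scripts_in(label)) > 1

def latin_skeleton(label: str) -> str:
    """Heuristic 2: fold known Cyrillic look-alikes onto their Latin twins."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)

def spoofs(label: str, trusted_ascii: str) -> bool:
    """True when label differs from the trusted label but looks the same."""
    return label != trusted_ascii and latin_skeleton(label) == trusted_ascii

def to_idna(label: str) -> str:
    """ACE form sent on the wire: the only place the difference is visible."""
    return label.encode("idna").decode("ascii")

if __name__ == "__main__":
    # Constructed labels: plain ASCII, mixed Latin/Cyrillic, all-Cyrillic "pace".
    for label in ("example", "ex\u0430mple", "\u0440\u0430\u0441\u0435"):
        print(repr(label), to_idna(label), is_mixed_script(label), scripts_in(label))
```

The all-Cyrillic label shows the arms-race problem: each heuristic covers one construction, and the look-alike table has to be maintained by hand.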