Hi Andrzej-
I saw that you responded to the Mozilla ticket. Thank you for taking the time to do this.
I understand that the visual ae issue or other ligature type combinations were not considered in the very good work that you did in the efforts with NASK to be a variant, and I have also heard from Denic about the manner in which a similar circumstance exists with the sharp s character.
I think personally that I have heard compelling anecdotal descriptions that justify the case where there could and rightly should be two separate websites for two separate domains with two separate meanings. There are also crafty entrepreneurial participants on the internet that don't always have the best interest of the end user in mind who could leverage the visual similarity between the strings in a manner that is arguably bad for the end-user, either in a confusing manner or in some cases worse.
There is always ongoing discussion about the evolution of 'doing the right thing' with Mozilla as far as the approach taken with addressing visual variations. The objective is to ensure the least end-user confusion.
Without saying it is right or wrong how some software behaves in the presence of ligature or other visual variants that split one character into more than one, I think for the purposes and context of VIP simply exposing those as distinct variant types. Let's simply document this as a type of variant. This was what the context and intent of my mention was.
-Jothan
Jothan Frakes
+1.206-355-0230 tel
+1.206-201-6881 fax
On Mon, Jul 25, 2011 at 2:32 AM, Andrzej Bartosiewicz <andrzej@yonita.com> wrote:
On 7/24/2011 11:03 PM, Jothan Frakes wrote:
Nice work, Andrzej-
You might want to expose the tæst1234.pl (xn--tst1234-mxa.pl) and taest1234.pl homograph potential in this which is something that has occurred since.
https://bugzilla.mozilla.org/show_bug.cgi?id=618051#c12
Dear Jothan,
I have also commented on the discussion @mozilla.org list.
I'm really confused about what the strategy of Mozilla is regarding "variants" or look-alike domains. I have no problem with "æ" and "ae", just as I have no problem with "O" and "0". It's insane to protect us against any similarities, which will lead to very strange and complicated policies.
As far as I know, nobody in Europe has ever maliciously used the case of "æ" (which is allowed by many ccTLDs), so maybe exploring such cases is a dead end for security experts? Maybe Mozilla and we should rather focus on real-life examples, not theoretical ones?
As I mentioned in Singapore, I would prefer a discussion based on the list of existing "pairs" of look-alike / variant characters (or combinations of characters), not theoretical discussions of what is a variant and what is not. If we create a list of "pairs" (including the example of U+00E6), we can go through the list and make recommendations.
Maybe I'm wrong, but we can make our job much easier and more useful in practice if we follow the EXAMPLES, not DEFINITIONS.
Andrzej
--
Dr. Andrzej Bartosiewicz, CEO & President, Yonita Inc.
phone (US): +1 650 2493707
phone (Poland): +48 518 235209
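The pair-list approach discussed in this thread, sketched as an added example that is not part of the original messages: a registry-side check that folds each label through a table of variant pairs and reports registered labels that collide with a candidate. The `PAIRS` table and the function names are assumptions made for illustration; only the three pairs mentioned in the thread are included.

```python
# Added example: pair-list variant check for domain labels.
# PAIRS is a constructed sample table, not any registry's or Mozilla's policy.
PAIRS = [
    ("æ", "ae"),  # U+00E6 ligature, the tæst1234.pl / taest1234.pl case
    ("ß", "ss"),  # sharp s, the DENIC case mentioned in the thread
    ("0", "o"),   # digit zero vs. letter o
]


def to_alabel(label: str) -> str:
    """Return the ASCII form of one label (xn-- prefix plus Punycode)."""
    label = label.lower()
    if label.isascii():
        return label
    # The raw punycode codec is used so no IDNA2003 mapping (e.g. ß -> ss)
    # is applied silently before encoding.
    return "xn--" + label.encode("punycode").decode("ascii")


def skeleton(label: str) -> str:
    """Fold a label to its variant key by applying every pair in PAIRS."""
    label = label.lower()
    for variant, base in PAIRS:
        label = label.replace(variant, base)
    return label


def variant_collisions(candidate: str, registered: list[str]) -> list[str]:
    """Return A-labels of registered names that are variants of candidate.

    A name is a variant when it folds to the same skeleton but is a
    different label on the wire.
    """
    key = skeleton(candidate)
    own = to_alabel(candidate)
    return sorted(
        to_alabel(name)
        for name in registered
        if skeleton(name) == key and to_alabel(name) != own
    )


if __name__ == "__main__":
    zone = ["taest1234", "test1234", "tæst1234"]  # constructed sample zone
    print(to_alabel("tæst1234"), variant_collisions("tæst1234", zone))
```

Exposing the result as a list of distinct variant labels, rather than blocking outright, leaves the policy decision (allow, bundle, or reject) to the registry.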