On Thursday 10 Feb 2005 7:15 pm, James Cloos wrote:
> >>>>> "bill" == bill <[EMAIL PROTECTED]> writes:
>
> bill> but in which the letters "o" and "e" have been substituted with
> bill> identical-looking substitutes from the Cyrillic alphabet
>
> Wasn't this supposed to be prevented by homograph unification
> in the conversion from unicode/10646 to idn?
>
> Or did I miss a change in the proposal?

I think whatever you do you probably can't fully address the issue, not least because it will depend on the fonts in use. As far as I'm concerned it is a "non-issue": we already know the DNS is vulnerable, as it sends unencrypted UDP packets around, at fairly predictable intervals, that in many cases don't even need to be spoofed to be accepted as valid data. As such you shouldn't depend on the DNS to return reliable data; if it matters, encrypt it using established chains of trust, be it GPG or HTTPS.

In most phishing scams I see, the URL is already fully disguised in the actual emails, and only becomes revealed when in the browser window, and there are enough serious sites still using IP addresses for this sort of stuff that no one raises an eyebrow when www.paypal.com sends you off to a.b.c.d
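
Added example, not part of the original message: a Python check for the substitution described in the quoted text, flagging hostname labels that mix Latin letters with another script such as Cyrillic. The hostnames are constructed samples and the function names are hypothetical; a character's script is approximated from the first word of its Unicode name, which is an assumption that holds for Latin and Cyrillic letters.

```python
import unicodedata


def char_script(ch):
    """Approximate the script of a character from its Unicode name."""
    if ch.isascii():
        # ASCII letters are Latin; digits and the hyphen belong to no script.
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {char_script(c) for c in label} - {"COMMON"}


def check_hostname(host):
    """Per-label report: scripts seen, mixed-script flag, and the ASCII wire form."""
    report = []
    for label in host.split("."):
        scripts = label_scripts(label)
        try:
            # The form actually sent in a DNS query ("xn--..." for non-ASCII labels).
            wire = label.encode("idna").decode("ascii")
        except UnicodeError:
            wire = None
        report.append({
            "label": label,
            "wire": wire,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return report


def is_suspicious(host):
    """True if any single label mixes scripts, e.g. Latin with Cyrillic."""
    return any(entry["mixed"] for entry in check_hostname(host))


if __name__ == "__main__":
    # Constructed samples: Cyrillic U+0435 and U+043E stand in for Latin "e" and "o".
    for host in ("demo-shop.example", "d\u0435mo-sh\u043ep.example"):
        for entry in check_hostname(host):
            print(host.encode("unicode_escape").decode(), entry["wire"],
                  entry["scripts"], "MIXED" if entry["mixed"] else "ok")
```

A label written entirely in Cyrillic uses a single script and is not flagged by this check, so it covers only the mixed-script case.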