[vip] Educational session on existing variant practices

Jothan Frakes jothan at gmail.com
Mon Jul 25 18:40:12 UTC 2011


Hi Andrzej-

I saw that you responded to the mozilla ticket.  Thank you for taking
the time to do this.

I understand that the visual ae issue or other ligature type
combinations were not considered in the very good work that you did in
the efforts with NASK to be a variant, and I have also heard from
Denic about the manner in which a similar circumstance exists with the
sharp s character.

I think personally that I have heard compelling anecdotal descriptions
that justify the case where there could and rightly should be two
separate websites for two separate domains with two separate meanings.

There are also crafty entrepreneurial participants on the internet
that don't always have the best interest of the end user in mind who
could leverage the visual similarity between the strings in a manner
that is arguably bad for the end-user, either in a confusing manner or
in some cases worse.

There is always ongoing discussion about the evolution of 'doing the
right thing' with Mozilla as far as the approach taken with addressing
visual variations.  The objective is to ensure the least end-user
confusion.

Without saying it is right or wrong how some software behaves in the
presence of ligature or other visual variants that split one character
into more than one, I think for the purposes and context of VIP we
should simply expose those as distinct variant types.

Let's simply document this as a type of variant.

This was the context and intent of my mention.

-Jothan

Jothan Frakes
+1.206-355-0230 tel
+1.206-201-6881 fax



On Mon, Jul 25, 2011 at 2:32 AM, Andrzej Bartosiewicz
<andrzej at yonita.com> wrote:
> On 7/24/2011 11:03 PM, Jothan Frakes wrote:
>
> Nice work, Andrzej-
>
> You might want to expose the tæst1234.pl (xn--tst1234-mxa.pl) and
> taest1234.pl homograph potential in this which is something that has
> occurred since.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=618051#c12
>
>
> Dear Jothan,
>
> I have also commented on the discussion @mozilla.org list.
>
> I'm really confused about what Mozilla's strategy is regarding "variants" or
> look-alike domains. I have no problem with "æ" and "ae", just as I have
> no problem with "O" and "0". It's insane to protect us against any
> similarities, which will lead to very strange and complicated policies.
>
> As far as I know, nobody in Europe has ever maliciously used the case of "æ" (which
> is allowed by many ccTLDs), so maybe this is a dead end for security experts
> to explore such cases? Maybe Mozilla and we should rather focus on real-life
> examples, not theoretical ones?
>
> As I mentioned in Singapore, I would prefer discussion based on the list of
> existing "pairs" of look-alike / variant characters (or combination of
> characters), not the theoretical discussions of what is variant and what is
> not. If we create a list of "pairs" (including the example of U+00E6), we can go
> through the list and make recommendations.
>
> Maybe I'm wrong, but we can make our job much easier and more useful in
> practice if we follow the EXAMPLES, not DEFINITIONS.
>
> Andrzej
>
> --
> Dr. Andrzej Bartosiewicz, CEO & President, Yonita Inc.
> phone (US): +1 650 2493707
> phone (Poland): +48 518 235209
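The thread above turns on one concrete case: a "split" variant in which a single code point such as U+00E6 (æ) corresponds to two ASCII letters (ae), so that tæst1234.pl (xn--tst1234-mxa.pl) and taest1234.pl look alike without being Unicode-equivalent. The following is an added example, not code from the vip list or from either author, showing how a registry or browser could detect such pairs: it derives the A-label with Python's standard idna codec and collapses labels to a "skeleton" via a small mapping table. The SPLIT_MAP table is an illustrative assumption, not a normative variant table from any registry.

```python
"""Detect ligature-type ("split") IDN variants that collide once expanded.

Added example for the æ/ae and ß/ss cases discussed on the list; the
mapping table below is a constructed assumption, not registry policy.
"""
import unicodedata

# Constructed table of characters that split into more than one ASCII
# letter. Note that NFKC does NOT decompose æ or ß, which is why a
# table is needed in addition to normalization.
SPLIT_MAP = {
    "\u00e6": "ae",  # æ LATIN SMALL LETTER AE
    "\u0153": "oe",  # œ LATIN SMALL LIGATURE OE
    "\u00df": "ss",  # ß LATIN SMALL LETTER SHARP S
    "\u0133": "ij",  # ĳ LATIN SMALL LIGATURE IJ
}


def to_alabel(ulabel):
    """Return the punycode (A-label) form of a U-label or domain.

    Uses the standard-library idna codec, e.g. 'tæst1234' -> 'xn--tst1234-mxa'.
    """
    return ulabel.encode("idna").decode("ascii")


def skeleton(ulabel):
    """Collapse a U-label to a comparison key.

    Lowercase, apply NFKC (handles true compatibility ligatures such as
    U+FB01 'fi'), then expand the one-to-many characters in SPLIT_MAP.
    """
    normalized = unicodedata.normalize("NFKC", ulabel.lower())
    return "".join(SPLIT_MAP.get(ch, ch) for ch in normalized)


def find_collisions(labels):
    """Group labels that share a skeleton; only groups of size > 1 are returned.

    A registry could run this over existing registrations to surface
    pairs like tæst1234 / taest1234 that a policy might treat as variants.
    """
    groups = {}
    for label in labels:
        groups.setdefault(skeleton(label), []).append(label)
    return {key: group for key, group in groups.items() if len(group) > 1}


if __name__ == "__main__":
    # Constructed sample registrations; the first two are the pair from the thread.
    sample = ["tæst1234", "taest1234", "test1234", "straße", "strasse"]
    for label in sample:
        print(f"{label:12} A-label={to_alabel(label):22} skeleton={skeleton(label)}")
    print("collisions:", find_collisions(sample))
```

The skeleton is deliberately one-directional: it answers "would these two labels collapse to the same ASCII string?" and leaves the policy decision (block, bundle, or allow as separate registrations) to the registry, which is exactly the question the list was debating.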