Unicode Security Considerations: URL spoofing etc - bensummers
http://unicode.org/reports/tr36/tr36-8.html

======
_delirium
The changes to the internationalized domain-name rules this document links to
are particularly scary:
<http://www.unicode.org/reports/tr46/#Security_Considerations>

Some identical Unicode strings might resolve to different domains depending on
what version of a browser you're using!

------
Groxx
Personally, I'd like to see a system where the language of a character is
colorized in the browser. This way, the mixed script spoofing [1] would
highlight the first example's "o" in a different color, as it comes from Greek
text instead of ASCII. It should be an always-on system, so when an entire URL
is in a different-but-similar-looking-to-your-language text, it'd be
highlighted differently. The system / browser's "main" language wouldn't need
to be highlighted, but all others should, to make other languages easily
visible.

That, and _always_ having a "punycode" translation available would be useful,
and browsers should use the browsing history to point out similar-looking URLs
that are different. I'd imagine such a similarity-mapping on UTF-16 exists,
though at worst case it could just graphically compare the characters.

[1] http://unicode.org/reports/tr36/tr36-8.html#Mixed_Script_Spoofing
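The per-character script colouring, the always-available punycode form, and the history-based lookalike check that Groxx describes, plus the version-dependent mapping _delirium's TR46 link warns about, can all be sketched with the Python standard library. This is an added example, not code from the thread, from Unicode, or from any browser. It assumes that the first word of a character's Unicode name is a good enough stand-in for its Script property (the real property lives in Scripts.txt, which the stdlib does not expose), and the confusable table and browsing history below are small, hand-constructed samples rather than Unicode's confusables.txt.

```python
"""Added example: annotate a hostname by script, flag mixed-script labels,
show the punycode (xn--) form, and compare a confusable skeleton against a
constructed browsing history. Not from the thread or any browser."""
import unicodedata

# Hand-written subset of visually confusable letters -> ASCII skeleton.
# Assumption: this is a toy table, not the full Unicode confusables list.
CONFUSABLES = {
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
}


def script_of(ch):
    """Approximate Script of one character from its Unicode name.
    Digits, '.' and '-' carry no script of their own (Script=Common)."""
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith("DIGIT ") or name in ("FULL STOP", "HYPHEN-MINUS"):
        return "COMMON"
    return name.split(" ")[0]


def annotate(host):
    """[(char, script)] pairs: a UI could colour every non-main script."""
    return [(ch, script_of(ch)) for ch in host]


def mixed_script_labels(host):
    """Dot-separated labels whose letters come from more than one script."""
    found = []
    for label in host.split("."):
        scripts = {s for _, s in annotate(label) if s != "COMMON"}
        if len(scripts) > 1:
            found.append(label)
    return found


def punycode(host):
    """ASCII form via the stdlib codec. The stdlib implements IDNA2003
    mapping, so U+00DF (sharp s) folds to 'ss'; IDNA2008 keeps it, which is
    the kind of version-dependent resolution _delirium's link describes."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Fold confusable letters to ASCII so lookalikes collide."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def lookalikes(host, history):
    """History entries with the same skeleton but a different real name."""
    sk = skeleton(host)
    return [h for h in history if h != host and skeleton(h) == sk]


# Constructed sample data: a browsing history and two spoof candidates.
HISTORY = ["google.com", "apple.com", "example.org"]
MIXED_SPOOF = "g\u03bfogle.com"                       # Latin + Greek omicron
WHOLE_SCRIPT_SPOOF = "\u0430\u0440\u0440\u04cf\u0435.com"  # all Cyrillic

if __name__ == "__main__":
    for h in (MIXED_SPOOF, WHOLE_SCRIPT_SPOOF, "stra\u00dfe.example"):
        print(h, "->", punycode(h))
        print("  scripts:", annotate(h.split(".")[0]))
        print("  mixed labels:", mixed_script_labels(h))
        print("  looks like:", lookalikes(h, HISTORY))
```

The two spoof candidates show why Groxx wants both checks: the mixed-script rule catches the Greek omicron in the first, but the all-Cyrillic second one is internally consistent and only the history skeleton comparison flags it.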

------
Sidnicious
I'm not vulnerable to phishing anymore, because I use a password manager. If
it doesn't submit a password, I know I'm on the wrong website.

A big chunk of these problems (and phishing in general) would go away if users
weren't responsible for authenticating websites by _looking at_ the URL. Good,
portable password management needs to become more common.
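The defence Sidnicious relies on is that a password manager binds each credential to an exact origin and simply returns nothing on any other site, so a lookalike hostname never gets a password submitted. The following is an added example of that matching rule, not code from the thread or from any real password manager; it uses only the Python standard library, normalises the host to its punycode form so a Unicode lookalike cannot compare equal to the ASCII site it imitates, and the vault contents and page URLs are constructed samples.

```python
"""Added example: a minimal origin-bound credential store. Credentials are
keyed by (scheme, ASCII host, port); any other origin gets no credential,
so nothing is filled. Not from the thread or any real password manager."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def canonical_origin(url):
    """Normalise a page URL to (scheme, punycode host, port).
    The host is converted to ASCII with the stdlib IDNA codec so that
    'g<omicron>ogle.com' becomes 'xn--gogle-....com', never 'google.com'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased; None for malformed input
    if scheme not in DEFAULT_PORTS or not host:
        raise ValueError("unsupported or malformed URL: %r" % url)
    ascii_host = host.encode("idna").decode("ascii")
    port = parts.port or DEFAULT_PORTS[scheme]
    return (scheme, ascii_host, port)


class Vault:
    """Toy vault: one (username, password) per exact origin."""

    def __init__(self):
        self._store = {}

    def save(self, url, username, password):
        self._store[canonical_origin(url)] = (username, password)

    def credential_for(self, page_url):
        """Credential for an exact origin match, otherwise None.
        Malformed or un-encodable hosts also yield None (never fill)."""
        try:
            return self._store.get(canonical_origin(page_url))
        except ValueError:  # UnicodeError from the idna codec is a subclass
            return None


def autofill_decision(vault, page_url):
    """'fill' only when the page origin is exactly a saved one."""
    return "fill" if vault.credential_for(page_url) else "refuse"


if __name__ == "__main__":
    vault = Vault()
    vault.save("https://google.com/", "alice", "correct-horse")  # constructed
    for page in ("https://google.com/accounts/login",
                 "https://g\u03bfogle.com/accounts/login",  # Greek omicron
                 "http://google.com/accounts/login"):       # scheme downgrade
        print(page, "->", autofill_decision(vault, page))
```

The scheme and port are part of the key on purpose: the same rule that refuses the Greek-omicron lookalike also refuses a plain-HTTP copy of the real host, which is the "I know I'm on the wrong website" signal Sidnicious describes.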

