The Unicode standard actually cross-references each character and
visually-indistinct glyph.  It might be useful to go through it (I'm
away from my hardcopy of the Unicode 5.0 Standard at the moment, else
I'd look).

-Kyle H

On Fri, Feb 27, 2009 at 2:15 AM, Jean-Marc Desperrier
<jmd...@alussinan.org> wrote:
> Until a better solution is deployed, here is the workaround to make Moxie
> Marlinspike's attack ineffective.
>
> - select and copy in your clipboard the character inside the " below :
>    "╱"
>  This character looks similar to / but is not the same !
>  This message is sent in unicode to allow for proper transmission of that
> character.
>
> - type about:config in Firefox url bar
>
> - type blacklist_chars in the Filter line
>
> - Click to modify the network.IDN.blacklist_chars preference
>
> - Click inside the preference content and paste the character from your
> clipboard.
>  Do not overwrite any of the characters already present !
>
> - validate the change
>
> - try to access this url
>  http://www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn/
>
> - After it times out, you'll see the following message :
> « Firefox can't find the server at
> www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn. »
>
> - Without that change you would have seen :
> « Firefox can't find the server at
> www.google.com╱accounts╱servicelogin.f.ijjk.cn »
>
> PS : Marlinspike refers to a character visually similar to "?" in his
> presentation. I haven't found what it is, I've only found "‽". You can
> repeat the process above with "‽".
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
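
The display decision described in the quoted workaround, as an added example that is not part of the original messages and is not Firefox's code: a simplified model that decodes each `xn--` label and keeps the Punycode form when a decoded character is on the blacklist. The function names and `SAMPLE_BLACKLIST` are assumptions made for illustration; the host name is the one from the message.

```python
# Added illustration: a simplified model of a blacklist-driven IDN display
# decision. It is not Firefox's implementation.

# Constructed stand-in for an existing pref value (assumption): two slash
# look-alikes, FRACTION SLASH and DIVISION SLASH.
SAMPLE_BLACKLIST = "\u2044\u2215"


def decode_label(label):
    """Return the Unicode form of one DNS label (ACE 'xn--' labels decoded)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def blacklisted_chars(host, blacklist):
    """List (label, 'U+XXXX') pairs for every blacklisted character in host."""
    hits = []
    for label in host.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            continue  # undecodable label: it is shown as typed anyway
        hits += [(label, "U+%04X" % ord(c)) for c in decoded if c in blacklist]
    return hits


def display_host(host, blacklist):
    """Host string to show the user: Punycode if any label is flagged."""
    if blacklisted_chars(host, blacklist):
        return host  # keep the raw ACE form, as in the message above
    try:
        return ".".join(decode_label(label) for label in host.split("."))
    except UnicodeError:
        return host


# Host name taken from the message above.
HOST = "www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn"

if __name__ == "__main__":
    print(display_host(HOST, SAMPLE_BLACKLIST))             # Unicode form
    print(display_host(HOST, SAMPLE_BLACKLIST + "\u2571"))  # Punycode form
    print(blacklisted_chars(HOST, SAMPLE_BLACKLIST + "\u2571"))
```

The same check can be repeated with "\u203d" appended to the blacklist, as the PS suggests for "‽".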