by Michael S. Kaplan, published on 2005/09/09 08:59 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2005/09/09/462880.aspx
A recent thought from a reader, sent via the Contact link:
Hi. I actually tried finding the correct blog post to submit this response to - but I couldn't.
Anyways - a while ago you had a couple of posts on internationalized text, especially in the browser; however, you also mentioned how it can be used to cloak a bad file in Explorer etc...
Would this make any sense at all?
In Vista - create a "Secure Unicode" rendering function - sort of an "overridden" implementation of drawText that will draw a little squiggly under any Unicode character that is deemed suspicious (you linked to an RFC that had some good ideas there) - this squiggly would be drawn in the same pen as the font and it would look similar to the squiggly that Word draws under misspelled words.
In any situation where a Unicode char might be used to fool the user into doing something he probably does not want to do, Windows (and third-party apps) can use this version to ensure that the user is notified when a character might not be exactly what it looks like.
I can see this being used in Windows Explorer for file listings - or perhaps in login text boxes etc., email address boxes (I can send you a link asking you to send sensitive info to an email address that looks similar to an address you trust) etc....
Just a thought (obviously...)
This is an interesting suggestion. Any application, whether it was from Microsoft or not, could make fascinating use of the mitigation tools for IDN security problems that I posted about last month in this way, even if a specific Win32 or managed API function were not added to the platform or the .NET Framework.
But with that said, it would be fascinating to see such a function!
I would love to see such an idea with even more functionality, like an underlying "confidence level" that would score the confidence that a string was in fact valid and a way to pass to the function the score required to show the visual difference between the two forms of text. And maybe even two HDC values, one for the safe text and the other for the potentially suspect text. I think it would be a fascinating extension to the tools that were originally posted for dealing with IDN security problems but which obviously could play a much wider role in software.
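A sketch of the confidence-score idea above, as an added example that is not from the original post or from any Windows or .NET API. The names `script_of`, `analyze` and `render` are hypothetical, reading a letter's script from the first word of its Unicode name is a simplifying assumption, and a line of `~` marks stands in for the squiggly.

```python
import unicodedata
from collections import Counter

def script_of(ch):
    """Coarse script label for a letter; None for script-neutral characters.
    Assumption: the first word of the Unicode name identifies the script."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def analyze(text):
    """Return (confidence, flags). confidence is the share of letters that
    belong to the string's dominant script; flags marks the other letters."""
    scripts = [script_of(ch) for ch in text]
    letters = [s for s in scripts if s is not None]
    if not letters:
        return 1.0, [False] * len(text)
    dominant, hits = Counter(letters).most_common(1)[0]
    flags = [s is not None and s != dominant for s in scripts]
    return hits / len(letters), flags

def render(text, required=1.0):
    """Return the text, plus a marker line under suspect characters when the
    confidence falls below the caller's required score."""
    confidence, flags = analyze(text)
    if confidence >= required:
        return text
    marks = "".join("~" if f else " " for f in flags).rstrip()
    return text + "\n" + marks

if __name__ == "__main__":
    # Constructed samples: the second contains U+0430 in place of Latin "a".
    for sample in ("example.com", "ex\u0430mple.com"):
        print(render(sample))
    # Limitation: a string written entirely in one look-alike script scores
    # 1.0 here; catching that needs a confusables table, not script mixing.
```
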
So it is just a thought but one that is good enough that I would even give it attribution had the person left a full name. :-)
Now, the original functionality was added in these, the final days of the 'Whidbey' product cycle, so it was really too late to add any more functionality there, and it is unclear what more could be added to Vista in the way of new features. But the idea (as evidenced by the ideas I spitballed in just a few moments two paragraphs ago!) has a lot of potential in my mind.
I do not know if such a function is planned, but it may already be in the works. If I hear anything I'll let you know. I think it is a truly intriguing thought, the potential design of which would make for a fascinating interview question.... :-)
This post brought to you by "а" (U+0430, a.k.a. CYRILLIC SMALL LETTER A)
(the original sponsor of the mitigation post, and a letter that truly resents those who would USE it to try to fool users of computers in any kind of phishing expedition!)