On Thu, 28 Jul 2005, Florian Weimer wrote:
> Let me repeat my other argument: Users don't use domain names in trust assessments. The smarter ones seem to recall how they got to a particular page. This is quite consistent with real-world behavior.
Uh, I beg to differ -- most of my family would see h t t p : / / w w w . y a h <omicron> <omicron> . g r / and think "the Yahoo site in Greece". After all, it renders as precisely http://www.yahoo.gr/ on-screen, same character glyph, width, and all. This isn't a PR attack; it's a real inverse-Turing-test type of attack. People do look at URLs visually, and many can recognize the difference with simple homographs, but most, I assure you, cannot.
(Hint: In each group of three lines, the strings of characters are NOT identical, regardless of what your eyes may tell you.)
> They appear differently because even though they are from a single font, the characters have slightly different widths.
Actually, out of all the fonts and OSs I tried, including one I prefer not to use or name but which many people do use, only the Cyrillic lowercase on one font on one OS had different widths, for exactly one character -- all others had identical widths. So you probably have a lucky font -- and you're fortunately already technically knowledgeable to know what a Unicode character is and how it's different from plain ASCII. Most users are *NOT* so lucky, as much as you'd hope for that.
> This wouldn't matter in the location field, of course.
How so? The movement is in the direction of rendering IDNs natively as Unicode in the Location field, so this is exactly the same problem.

(Hm. I'm beginning to smell the T-word, but I'll wait and see how thick the skull material is first.)

-- 
-- Todd Vierling <tv@duh.org> <tv@pobox.com> <todd@vierling.name>
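
Added example, not part of the original message: a check for the yahoo.gr case discussed above, flagging hostname labels that mix scripts and showing the ASCII (xn--) form that the eye cannot confuse. The host strings are constructed samples, the function names are hypothetical, and guessing the script from the first word of the Unicode character name is an approximation, not a full Unicode script lookup.

```python
import unicodedata

# Constructed samples: the second host replaces both Latin "o" characters
# with GREEK SMALL LETTER OMICRON (U+03BF); on screen the two look alike.
PLAIN = "www.yahoo.gr"
LOOKALIKE = "www.yah\u03bf\u03bf.gr"


def script_of(ch):
    """Approximate the script of a character from its Unicode name."""
    if ch.isascii():
        # Digits and hyphens are shared by every script, so ignore them.
        return "LATIN" if ch.isalpha() else "COMMON"
    # e.g. "GREEK SMALL LETTER OMICRON" -> "GREEK"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(host):
    """Return one report per DNS label: scripts seen, ASCII form, mixed flag."""
    report = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        # Python's built-in "idna" codec (IDNA 2003) yields the xn-- form
        # that is actually sent to the resolver.
        ascii_form = label.encode("idna").decode("ascii")
        report.append({
            "label": label,
            "scripts": sorted(scripts),
            "ascii": ascii_form,
            "mixed": len(scripts) > 1,
        })
    return report


def is_suspicious(host):
    """True if any single label mixes characters from more than one script."""
    return any(entry["mixed"] for entry in inspect_host(host))


if __name__ == "__main__":
    for host in (PLAIN, LOOKALIKE):
        print(repr(host), "suspicious:", is_suspicious(host))
        for entry in inspect_host(host):
            print("   ", entry["ascii"], entry["scripts"])
```

A label written entirely in one non-Latin script passes the mixed-script check, so the ASCII form is the value to display or log when comparing against a known-good name.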