Closed ayyghost closed 6 years ago
To clarify, the above trick was achieved using Cyrillic Small Letter O (U+043E) and Cyrillic Small Letter A (U+0430) characters.
Well, the colors in chat should provide a way to differentiate between the two unicode-differentiated people (assuming the gen doesn't make similar colors). Maybe we should show the user color in the buddy list too?
That may be a good idea, but if we're going to do that, we should also implement deterministically generated colors that are significantly far apart from one another.
Edit: I know you can't 100% enforce color disparity if the generation is deterministic, but something like hash(nickname + fingerprint) should suffice.
We could keep the random colors, but force the colors to meet a minimum color difference.
I was thinking determinism because it would be easier for more users to have a general consensus as to the identity of someone without manual verification. For example, you verify me, my color is green, so you tell everyone else that green ghost is the real one. Assuming you're also verified.
How will we enforce enough difference between colors with that method?
How will we make sure the colors look OK? The current biased random already makes poor colors, hashing would probably pick even worse ones.
The input entropy (OTR fingerprint) will be great enough to generate disparate enough colors. Does the current random color function use a CSPRNG? As for the aesthetics, that will have to be tweaked.
The current method uses Math.random()
Which is awful for generating randomly distributed values.
Somewhat mitigated in commits 743dd010eafe1333943fafe2cdf23ce39ec2276e and dce9a7deaebbbb4144715e794d03511eeef27d1b. A warning symbol is now displayed beside users who have non-ASCII characters in their names.
You can impersonate someone who's already online by using the Unicode equivalents of characters in their nickname.
I'm against prohibiting Unicode nicks server-side, but I do think we should implement a client-side solution. Maybe by adding some visual indication for specific Unicode letters/numbers so users can't be tricked this way. We could just sanitize them the same way we sanitize certain other characters.
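The client-side check described in this issue (flag nicks built from Unicode lookalikes of an existing user's nick, such as Cyrillic о U+043E and а U+0430 for Latin o and a), as an added example that is not Cryptocat's code and not from any participant. It assumes a hand-picked subset of Unicode's confusables table and the function names shown; a production client would load the full confusables.txt. It goes slightly beyond the Cyrillic case by also folding compatibility forms (fullwidth ｇ) through NFKC and by reporting mixed-script nicks separately from merely non-ASCII ones, so that an all-Cyrillic nick is not treated as an attack.

```javascript
// Added example, not Cryptocat's code: flag a nickname that, once Unicode
// lookalikes are folded to their Latin counterparts, collides with a user who is
// already online. Names and the confusables subset are assumptions.

// Hand-picked subset of Unicode's confusables table: Cyrillic and Greek letters
// that render like Latin ones in common fonts (assumed sufficient for a demo).
const CONFUSABLES = new Map(Object.entries({
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j', '\u04bb': 'h',
  '\u0410': 'A', '\u0412': 'B', '\u0415': 'E', '\u041a': 'K', '\u041c': 'M',
  '\u041d': 'H', '\u041e': 'O', '\u0420': 'P', '\u0421': 'C', '\u0422': 'T',
  '\u0425': 'X', '\u03bf': 'o', '\u03bd': 'v', '\u0391': 'A', '\u0392': 'B',
  '\u0395': 'E', '\u0397': 'H', '\u039a': 'K', '\u039c': 'M', '\u039d': 'N',
  '\u039f': 'O', '\u03a1': 'P', '\u03a4': 'T', '\u03a7': 'X',
}));

// Collapse a nickname to the ASCII string a reader would most likely perceive:
// NFKC first (fullwidth and other compatibility forms), then the lookalike map.
function skeleton(nick) {
  return Array.from(nick.normalize('NFKC'), ch => CONFUSABLES.get(ch) || ch).join('');
}

// Printable ASCII only; this is the condition behind the warning symbol.
function isAscii(nick) {
  return /^[\x20-\x7e]*$/.test(nick);
}

// True if the nick mixes Latin letters with letters from another script, which
// is the signature of a lookalike attack (an all-Cyrillic nick is legitimate).
function mixesScripts(nick) {
  let latin = false;
  let other = false;
  for (const ch of nick) {
    if (!/\p{L}/u.test(ch)) continue;
    if (/\p{Script=Latin}/u.test(ch)) latin = true; else other = true;
  }
  return latin && other;
}

// Evaluate a candidate nick against the nicks currently online and return the
// flags a client could use to show a warning symbol or refuse the join.
function checkNick(candidate, online) {
  const sk = skeleton(candidate);
  const victim = online.find(n => n !== candidate && skeleton(n) === sk) || null;
  const nonAscii = !isAscii(candidate);
  return {
    nonAscii,
    mixedScripts: mixesScripts(candidate),
    impersonates: victim,
    warn: nonAscii || victim !== null,
  };
}

// Constructed sample: the attack from this issue against an online "ghost".
if (typeof require !== 'undefined' && require.main === module) {
  const online = ['ghost', 'alice'];
  for (const nick of ['gh\u043est', '\uff47host', 'mallory', '\u043f\u0440\u0438\u0432\u0435\u0442']) {
    console.log(JSON.stringify(nick), checkNick(nick, online));
  }
}
```

Comparing skeletons rather than raw strings is what catches the attack: "ghоst" and "ghost" differ as code points but fold to the same perceived text. The check is intentionally client-side, matching the position in the issue, and the `mixedScripts` flag lets a client warn more loudly on a Latin/Cyrillic mix than on a nick that is simply not in ASCII.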