W3C home > Mailing lists > Public > www-international@w3.org > January to March 2005

RE: IDN problem.... :(

From: Addison Phillips [wM] <aphillips@webmethods.com>
Date: Thu, 10 Feb 2005 17:17:54 -0800
To: "Adam Twardoch" <list.adam@twardoch.com>, "John Hudson" <tiro@tiro.com>, "John Burger" <john@mitre.org>
Cc: <www-international@w3.org>, "Unicode Mailing List" <unicode@unicode.org>
Message-ID: <PNEHIBAMBMLHDMJDDFLHKEEBJDAA.aphillips@webmethods.com>

> Nah. It's poor design of IDN. They should have disallowed mixing 
> characters 
> from different scripts in one URL. It wouldn't have ruled out all of the 
> problems, but most of them.

I disagree. There are plenty of cases in which scripts are mixed naturally in languages that use non-Latin scripts. For example, many languages use the Latin digits in preference to native script digits. Should we allow the Latin digits into a non-ASCII domain name? Oh, the slippery slope...

For that matter, I can construct a perfect "paypal" string using ONLY Cyrillic letters. Restrictions to one script doesn't prevent the homograph attack. It just requires one to be more clever.

U+0440 U+0430 U+0443 U+0440 U+0430 U+04C0 looks just as good in my browser...

Addison

Addison P. Phillips
Director, Globalization Architecture
http://www.webMethods.com

Chair, W3C Internationalization Core Working Group
http://www.w3.org/International

Internationalization is an architecture. 
It is not a feature.

> -----Original Message-----
> From: unicode-bounce@unicode.org 
> [mailto:unicode-bounce@unicode.org]On Behalf Of Adam Twardoch
> Sent: 2005年2月10日 16:27
> To: John Hudson; John Burger
> Cc: www-international@w3.org; Unicode Mailing List
> Subject: Re: IDN problem.... :(
> 
> 
> 
> ----- Original Message ----- 
> From: "John Hudson" <tiro@tiro.com>
> 
> > The security issue is simply due to the fact that some characters 
> > typically look identical to other characters. So change the appearance.
> 
> Nah. It's poor design of IDN. They should have disallowed mixing 
> characters 
> from different scripts in one URL. It wouldn't have ruled out all of the 
> problems, but most of them.
> 
> A.
> 
> 
Received on Friday, 11 February 2005 01:20:53 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:04 GMT