W3C home > Mailing lists > Public > www-international@w3.org > January to March 2005

Re: IDN problem.... :(

From: Mark E. Shoulson <mark@kli.org>
Date: Sun, 13 Feb 2005 16:39:07 +0900
Message-Id: <6.0.0.20.2.20050213163903.0731e080@localhost>
To: www-international@w3.org




It seems to me unfair and misleading to call this a "flaw" in Firefox et 
al. In fact, the browsers are just following the standard (whose standard 
is this? I can never keep track of the alphabet soup of standards 
organizations) and enabling IDNs--which people must be wanting browsers to 
support, right? It's hardly the browser's fault if the *standard* is itself 
subject to these shenanigans.

The simplest solution is just to pitch IDNs entirely. Is that what people 
actually want?? And even that still leaves problems with micros0ft.com and 
goog1e.com and such games. I thought when this was last discussed, people 
were saying that the registries should perform such checks and not permit 
"too-close" domain names. That does seem like something of a burden for the 
registry; can they be expected to catch them all?

The different-colors-for-different-blocks plan seems like a good start. A 
warning that there *is* punycode happening is probably a good plan too, 
which I had not thought of.

But to say this is a "flaw" that IE doesn't have is misrepresenting the 
situation. It's a feature based on an inherently risky standard that IE 
doesn't support.

~mark

John Burger wrote:

>Frank Yung-Fong Tang wrote:
>
>>Any one have any comment about
>>https://bugzilla.mozilla.org/show_bug.cgi?id=279099
>
>
>Here's a popular press description of the problem
>
>http://www.macworld.com/news/2005/02/08/spoof/index.php
>
>which points to a test for it at Secunia.com. (They registered paypal.com 
>spelled with a Cyrillic "a".) Ironically, IE doesn't fall for the spoof, 
>because it apparently doesn't handle IDNs. Of course, from a user 
>interface perspective, browsers need to do something about this, but I 
>find it annoying that it's described as a "security flaw". My browser 
>doesn't warn me about g00g1e.com yet, either.
>
>- John D. Burger
>MITRE
>
Received on Monday, 14 February 2005 00:53:16 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:04 GMT