W3C home > Mailing lists > Public > www-international@w3.org > January to March 2005

Re: IDN problem.... :(

From: by way of Martin Duerst <neil@tonal.clara.co.uk>
Date: Sun, 13 Feb 2005 16:39:37 +0900
Message-Id: <6.0.0.20.2.20050213163933.0731de00@localhost>
To: www-international@w3.org




Addison Phillips [wM] wrote:

>>Nah. It's poor design of IDN. They should have disallowed mixing 
>>characters from different scripts in one URL. It wouldn't have ruled out 
>>all of the problems, but most of them.
>>
>
>I disagree. There are plenty of cases in which scripts are mixed 
>naturally in languages that use non-Latin scripts. For example, many 
>languages use the Latin digits in preference to native script digits. 
>Should we allow the Latin digits into a non-ASCII domain name? Oh, the 
>slippery slope...
>
>For that matter, I can construct a perfect "paypal" string using ONLY 
>Cyrillic letters. Restrictions to one script doesn't prevent the homograph 
>attack. It just requires one to be more clever.
>
>U+0440 U+0430 U+0443 U+0440 U+0430 U+04C0 looks just as good in my browser...
>
>Addison
>
>
>
My, that's ingenious. If I was paypal, I'd be rushing to register all 
those domains right now. Could you please have a look at the discussion 
that's been going on on Bugzilla regarding the Mozilla and Firefox aspects 
of this problem? It's at https://bugzilla.mozilla.org/show_bug.cgi?id=279099

Yes, we thought of preventing script mixing (but making a special case for 
the digits and hyphen-minus), but your example is rather alarming.

-- Neil
Received on Monday, 14 February 2005 00:53:18 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 2 June 2009 19:17:04 GMT