- From: Mark E. Shoulson <mark@kli.org>
- Date: Sun, 13 Feb 2005 16:39:07 +0900
- To: www-international@w3.org
It seems to me unfair and misleading to call this a "flaw" in Firefox et al. In fact, the browsers are just following the standard (whose standard is this? I can never keep track of the alphabet soup of standards organizations) and enabling IDNs--which people must be wanting browsers to support, right? It's hardly the browser's fault if the *standard* is itself subject to these shenanigans. The simplest solution is just to pitch IDNs entirely. Is that what people actually want?? And even that still leaves problems with micros0ft.com and goog1e.com and such games. I thought when this was last discussed, people were saying that the registries should perform such checks and not permit "too-close" domain names. That does seem like something of a burden for the registry; can they be expected to catch them all? The different-colors-for-different-blocks plan seems like a good start. A warning that there *is* punycode happening is probably a good plan too, which I had not thought of. But to say this is a "flaw" that IE doesn't have is misrepresenting the situation. It's a feature based on an inherently risky standard that IE doesn't support. ~mark John Burger wrote: >Frank Yung-Fong Tang wrote: > >>Any one have any comment about >>https://bugzilla.mozilla.org/show_bug.cgi?id=279099 > > >Here's a popular press description of the problem > >http://www.macworld.com/news/2005/02/08/spoof/index.php > >which points to a test for it at Secunia.com. (They registered paypal.com >spelled with a Cyrillic "a".) Ironically, IE doesn't fall for the spoof, >because it apparently doesn't handle IDNs. Of course, from a user >interface perspective, browsers need to do something about this, but I >find it annoying that it's described as a "security flaw". My browser >doesn't warn me about g00g1e.com yet, either. > >- John D. Burger >MITRE >
Received on Monday, 14 February 2005 00:53:16 UTC