Re: IDN problem.... :(

I think it is a 'flaw' because we didn't fully consider the whole 
consequence when we (I, Kat Momoi, Naoki Hotta, Bob Jung) decided to 
enable this feature in the Mozilla codebase three years ago. It is at least 
a flaw in my personal decision making process. I feel bad about my 
decision now.

I think it is a flaw in the Unicode standard too, to allow two distinct 
characters which occupy different code points to share the same visual 
representation. Of course, you can blame the font maker for that too. 
But what can they do when the Unicode standard assigns two code points for 
the same visual representation?


Mark E. Shoulson wrote on 2/13/2005, 2:39 AM:

 > It seems to me unfair and misleading to call this a "flaw" in Firefox et
 > al. In fact, the browsers are just following the standard (whose standard
 > is this? I can never keep track of the alphabet soup of standards
 > organizations) and enabling IDNs--which people must be wanting browsers to
 > support, right? It's hardly the browser's fault if the *standard* is itself
 > subject to these shenanigans.
 >
 > The simplest solution is just to pitch IDNs entirely. Is that what people
 > actually want?? And even that still leaves problems with micros0ft.com and
 > goog1e.com and such games. I thought when this was last discussed, people
 > were saying that the registries should perform such checks and not permit
 > "too-close" domain names. That does seem like something of a burden for the
 > registry; can they be expected to catch them all?
 >
 > The different-colors-for-different-blocks plan seems like a good start.

I don't think normal people will understand that though.

 > A warning that there *is* punycode happening is probably a good plan too,
 > which I had not thought of.
 >
 > But to say this is a "flaw" that IE doesn't have is misrepresenting the
 > situation. It's a feature based on an inherently risky standard that IE
 > doesn't support.
 >
 > ~mark
 >
 > John Burger wrote:
 >
 > >Frank Yung-Fong Tang wrote:
 > >
 > >>Any one have any comment about
 > >>https://bugzilla.mozilla.org/show_bug.cgi?id=279099
 > >
 > >
 > >Here's a popular press description of the problem
 > >
 > >http://www.macworld.com/news/2005/02/08/spoof/index.php
 > >
 > >which points to a test for it at Secunia.com. (They registered paypal.com
 > >spelled with a Cyrillic "a".) Ironically, IE doesn't fall for the spoof,
 > >because it apparently doesn't handle IDNs. Of course, from a user
 > >interface perspective, browsers need to do something about this, but I
 > >find it annoying that it's described as a "security flaw". My browser
 > >doesn't warn me about g00g1e.com yet, either.
 > >
 > >- John D. Burger
 > >MITRE

Received on Monday, 14 February 2005 18:04:15 UTC
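
The mixed-script check and the "punycode is happening" warning discussed in this thread, sketched as an added example that is not part of the original messages or of Mozilla's code. The function names are hypothetical, the hostnames are constructed samples, and a character's script is approximated from the first word of its Unicode name.

```python
import unicodedata

# Constructed sample: "paypal.com" with the second letter replaced by
# U+0430 CYRILLIC SMALL LETTER A, the substitution described in the thread.
SPOOFED = "p\u0430ypal.com"
GENUINE = "paypal.com"


def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by all scripts
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def review_hostname(host):
    """Return one finding per DNS label: its ASCII form and the scripts it uses."""
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        # Python's built-in "idna" codec yields the xn-- (punycode) form.
        ace = label.encode("idna").decode("ascii")
        findings.append({
            "label": label,
            "ace": ace,
            "is_idn": ace.startswith("xn--"),
            "scripts": sorted(scripts),
            "mixed_script": len(scripts) > 1,
        })
    return findings


def display_form(host):
    """Show the punycode form of any label that mixes scripts, else the label itself."""
    return ".".join(f["ace"] if f["mixed_script"] else f["label"]
                    for f in review_hostname(host))


if __name__ == "__main__":
    for host in (GENUINE, SPOOFED, "g00g1e.com"):
        print(ascii(host), "->", display_form(host), review_hostname(host)[0]["scripts"])
```

The check flags the Cyrillic/Latin mix but not ASCII look-alikes such as g00g1e.com, and a label written entirely in one non-Latin script would only show up through `is_idn`.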