Re: IDN problem.... :(

From: Mark E. Shoulson
Date: Thu Feb 10 2005 - 18:38:26 CST

    It seems to me unfair and misleading to call this a "flaw" in Firefox et
    al. In fact, the browsers are just following the standard (whose
    standard is this? I can never keep track of the alphabet soup of
    standards organizations) and enabling IDNs--which people must be wanting
    browsers to support, right? It's hardly the browser's fault if the
    *standard* is itself subject to these shenanigans.

    The simplest solution is just to pitch IDNs entirely. Is that what
    people actually want?? And even that still leaves problems with and and such games. I thought when this was
    last discussed, people were saying that the registries should perform
    such checks and not permit "too-close" domain names. That does seem like
    something of a burden for the registry; can they be expected to catch
    them all?

    The different-colors-for-different-blocks plan seems like a good start.
    A warning that there *is* punycode happening is probably a good plan
    too, which I had not thought of.

    But to say this is a "flaw" that IE doesn't have is misrepresenting the
    situation. It's a feature based on an inherently risky standard that IE
    doesn't support.


    John Burger wrote:

    > Frank Yung-Fong Tang wrote:
    >> Anyone have any comment about
    > Here's a popular press description of the problem
    > which points to a test for it at (They registered
    > spelled with a Cyrillic "a".) Ironically, IE doesn't fall
    > for the spoof, because it apparently doesn't handle IDNs. Of course,
    > from a user interface perspective, browsers need to do something about
    > this, but I find it annoying that it's described as a "security flaw".
    > My browser doesn't warn me about yet, either.
    > - John D. Burger
    > MITRE

    This archive was generated by hypermail 2.1.5 : Thu Feb 10 2005 - 18:39:16 CST
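
The two mitigations mentioned in the message above (showing which script or block each character belongs to, and warning that punycode is in play) can be sketched as follows. This is an added example, not part of the original thread: the host name is constructed, and a letter's script is approximated by the first word of its Unicode character name.

```python
import unicodedata

def decode_label(label):
    """Return (display_form, is_punycode) for one DNS label."""
    if not label.lower().startswith("xn--"):
        return label, False
    try:
        return label[4:].encode("ascii").decode("punycode"), True
    except UnicodeError:
        return label, True  # undecodable A-label: show it raw, still flag it

def scripts_in(text):
    """Approximate script per letter: first word of the Unicode character name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})

def inspect_host(host):
    """Per-label report: decoded form, punycode flag, scripts, mixed-script flag."""
    report = []
    for label in host.split("."):
        display, puny = decode_label(label)
        scripts = scripts_in(display)
        report.append({"label": label, "display": display, "punycode": puny,
                       "scripts": scripts, "mixed": len(scripts) > 1})
    return report

def warnings_for(host):
    """Messages a browser-style UI could surface for this host."""
    out = []
    for r in inspect_host(host):
        if r["punycode"]:
            out.append(f"{r['label']}: punycode label, displays as {r['display']!r}")
        if r["mixed"]:
            out.append(f"{r['label']}: mixes scripts {', '.join(r['scripts'])}")
    return out

# Constructed sample: "example" with U+0430 CYRILLIC SMALL LETTER A for the "a".
SPOOF = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".test"

if __name__ == "__main__":
    for host in (SPOOF, "example.test"):
        print(host, warnings_for(host) or "no warnings")
```

A label written entirely in one non-Latin script passes the mixed-script check, so the punycode notice is reported separately rather than folded into it.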