Re: IDN problem.... :(

From: Neil Harris (neil@tonal.clara.co.uk)
Date: Thu Feb 10 2005 - 20:14:41 CST

  • Next message: Addison Phillips [wM]: "RE: IDN problem.... :("

    Addison Phillips [wM] wrote:

    >>Nah. It's poor design of IDN. They should have disallowed mixing
    >>characters
    >>from different scripts in one URL. It wouldn't have ruled out all of the
    >>problems, but most of them.
    >>
    >>
    >
    >I disagree. There are plenty of cases in which scripts are mixed naturally in languages that use non-Latin scripts. For example, many languages use the Latin digits in preference to native script digits. Should we allow the Latin digits into a non-ASCII domain name? Oh, the slippery slope...
    >
    >For that matter, I can construct a perfect "paypal" string using ONLY Cyrillic letters. Restrictions to one script doesn't prevent the homograph attack. It just requires one to be more clever.
    >
    >U+0440 U+0430 U+0443 U+0440 U+0430 U+04C0 looks just as good in my browser...
    >
    >Addison
    >
    >
    >
    >
    My, that's ingenious. If I was paypal, I'd be rushing to register all
    those domains right now. Could you please have a look at the discussion
    that's been going on on Bugzilla regarding the Mozilla and Firefox
    aspects of this problem? It's at
    https://bugzilla.mozilla.org/show_bug.cgi?id=279099

    Yes, we thought of preventing script mixing (but making a special case
    for the digits and hyphen-minus), but your example is rather alarming.

    -- Neil



    This archive was generated by hypermail 2.1.5 : Thu Feb 10 2005 - 20:17:25 CST