From: Addison Phillips [wM] (email@example.com)
Date: Thu Feb 10 2005 - 22:18:25 CST

> >I disagree. There are plenty of cases in which scripts are mixed
> >naturally in languages that use non-Latin scripts. For example, many
> >languages use the Latin digits in preference to native script digits.
> >Should we allow the Latin digits into a non-ASCII domain name? Oh, the
> >slippery slope...

> Browsers should be configurable to allow, but default to, displaying a
> warning before going to a mixed-script domain name.

I don't disagree. All I'm saying is that banning mixed-script domain names
is not really viable.

> >For that matter, I can construct a perfect "paypal" string using ONLY
> >Cyrillic letters. Restriction to one script doesn't prevent the
> >homograph attack. It just requires one to be more clever.

> Single-script domain names visually similar to names in other scripts
> should be disallowed.

This will be difficult: it isn't something computational. It requires a
human to do it. Register a domain name lately? Are we going to require that
only dictionary words be registered? This all strikes me as an unreasonable
limitation on domain names (and there will still be a few cases of
vulnerability). We should allow for cleverness, as long as it isn't harmful.
The problem with that definition is obvious, I take it?

I don't have a solution at hand, other than thinking that this, like the
"Unicode mail virus" of a few months ago, is a tempest in a teapot. People
will adapt to it, just like they adapted to email from Nigeria and so forth.
It is part of the complexity of modern life. But really... no solution to
internationalized domain names will be immune to this species of spoofing.

There are many attacks (some more subtle than others) available (from
"similar" Han characters to pure homographs and everything in between). I
think that the reaction is probably rather alarmist.

Not to minimize the problem, but going back to an ASCII-only past is not a

Addison P. Phillips
Director, Globalization Architecture
Chair, W3C Internationalization Core Working Group
Internationalization is an architecture.
It is not a feature.
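
The two checks debated in this message, as an added example that is not part of the original post: a mixed-script test that treats ASCII digits as shared, next to a lookalike test that also catches an all-Cyrillic label. Assumptions: the lookalike table is a small constructed subset, the script of a character is approximated from the first word of its Unicode name, and the function names and the protected-name list are hypothetical.

```python
import unicodedata

# Constructed subset of Cyrillic -> Latin lookalikes (assumption: a real
# checker would load the full Unicode confusables data instead).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04cf": "l",
}

def scripts(label):
    """Approximate the set of scripts in a label from character names."""
    found = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # ASCII digits and hyphen are shared by all scripts
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def skeleton(label):
    """Map known lookalikes to Latin so visually equal labels compare equal."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label.lower())

def assess(label, protected):
    """Report the scripts used, whether they are mixed, and any imitated name."""
    found = scripts(label)
    skel = skeleton(label)
    imitates = skel if skel in protected and skel != label.lower() else None
    return {"scripts": sorted(found), "mixed_script": len(found) > 1,
            "imitates": imitates}

# Constructed sample labels and a constructed protected-name list.
PROTECTED = {"paypal"}
SAMPLES = {
    "latin": "paypal",
    "all_cyrillic": "\u0440\u0430\u0443\u0440\u0430\u04cf",
    "mixed": "p\u0430ypal",
    "cyrillic_with_digits": "\u043c\u043e\u0441\u043a\u0432\u04302005",
}

if __name__ == "__main__":
    for name, label in SAMPLES.items():
        print(name, assess(label, PROTECTED))
```

The all-Cyrillic sample passes the mixed-script test and is caught only by the lookalike comparison, which in turn depends on having a list of names to protect.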