Re: IDN problem.... :(

From: Elliotte Harold (
Date: Fri Feb 11 2005 - 16:18:30 CST

  • Next message: D. Starner: "Re: IDN problem.... :("

    Adam Twardoch wrote:

    > This is so anti-i18n. The idea behind IDN was to stop the hegemony of
    > the Latin script in domain names. Solutions that prevent the spoofs
    > should not again start building up the "our people vs. foreign people"
    > way of thinking.

    I don't think it was ever really a problem of "our people vs. foreign
    people" but more of a complete lack of consideration for non-English
    uses. The English speakers neither knew nor considered the needs of
    non-English speakers. The result, naturally enough, was an
    English/ASCII-centric Internet.

    It took a long time to change that, and the work still isn't done.
    However, the current problem is that the reaction to ASCII-centricity
    has gotten so extreme amongst the I18N community that there is simply no
    acknowledgment that IDN causes real problems for real users, and there
    is no willingness to accept any compromise on issues of
    internationalization, no matter how damaging the side effects are. I
    have heard again and again in multiple fora and multiple areas that
    anything less than an ideal solution is morally wrong, and that anyone
    who even raises the suggestion that there might be trade-offs to be
    considered is morally suspect.

    If the I18N community doesn't begin to pay serious attention to the
    needs of other communities that are negatively impacted by their
    specifications, those users are going to stop implementing and
    supporting those specifications. The result could be a rapid fracturing
    of the web, as the English-speaking nations shut themselves off from the
    rest of the world. If the problems become severe enough, even the
    non-English speaking/non-Latin-writing world may start rejecting IDNs.
    It's important to have domain names in one's own language, but after
    bank customers start losing real money to these attacks, people may
    begin to evaluate just how important that.

    This would be a tragedy, but it's already happening. I am watching
    multiple lists now that are producing and distributing hacks to
    completely disable IDN in various browsers. These hacks are typically
    written by developers who neither know nor care about I18N issues, but
    care a great deal about protecting themselves and their customers from
    phishing and pharming.

    The spoofing issues that have gotten play lately are nothing new. They
    were raised repeatedly by multiple people including myself several years
    ago when IDN was being developed. The working group never seriously
    addressed the problem, and I still hear many people sticking their heads
    in the sand and claiming it's somehow not the fault of IDN, or that
    there isn't a problem, or that because we've been able to register before now, somehow making the problem a thousand times worse
    is not worth talking about.

    If the IETF does not wake up and recognize the major problems they've
    caused for many users, then IDNs are dead. They will be completely
    disabled in browsers and blocked at the firewalls and routers, and
    sooner rather than later. That would be a shame, but sadly it may be
    better than the alternative. There are reasonable compromises that could
    be made which would radically diminish the effectiveness of this attack
    while still satisfying most realistic use cases for IDNs. However,
    unless the IDN group is willing to start talking compromise and damage
    control, then, politically correct or not, a lot of the world is going
    to shut out IDNs.

    Elliotte Rusty Harold
    XML in a Nutshell 3rd Edition Just Published!

    This archive was generated by hypermail 2.1.5 : Fri Feb 11 2005 - 16:19:13 CST