Re: IDN problem.... :(

From: Neil Harris (
Date: Fri Feb 11 2005 - 17:45:57 CST

  • Next message: Karl Pentzlin: "Re[2]: IDN problem.... :("

    Doug Ewell wrote:

    >D. Starner <shalesller at writeme dot com> wrote:
    >>>But it can work "both ways". Someone could spoof a brand-new Cherokee
    >>>banking site, ᏣᎳᎩ.com, with GWУ.com. Perhaps "Domain name is not in
    >>>the script used by your computer operating system."
    >>And how many Cherokee are actually using an OS translated into
    >>Cherokee? I doubt there is such a thing, and have seen no efforts on
    >>Linux i18n lists to start it.
    >Curtis's point may have been that non-Latin letters can be spoofed with
    >Latin letters, not merely the other way around as we usually think of
    >For a more realistic example, imagine a hypothetical Russian site,
    >русский.com. Now imagine any or all of the first four letters replaced
    >with Latin p or y or c.
    >My question is, suppose I *want* to visit русский.com? Perhaps my
    >browser should alert me, but it must not prevent me from visiting the
    >-Doug Ewell
    > Fullerton, California
    But why would anyone, want to register that half-Latin, half-Cyrillic
    mess of a broken label, when the all-Cyrillic label would make more
    sense to register, unless they had a dubious motive for doing so? And,
    if the registrars actually played by the _existing_ IANA rules, none of
    them would let it be registered in any case.

    I would like to believe that in a properly-run IDN world, registering a
    label like that would be the equivalent of registering an incorrectly
    normalized Punycoded label. Yes, in some sense it might be technically
    possible to not care about normalization forms, but in practice they are
    there for a good reason, even though they represent a reduction in the
    overall space of possible labels. Similarly, I think that the IANA/IETF
    community are going to have to enforce some more restrictions on labels
    if the IDN universe to make IDN safer to deploy, to prevent it from
    being Balkanized into a locked-down old-ASCII world and a world of
    second-class spoofable IDN domains.

    -- Neil

    This archive was generated by hypermail 2.1.5 : Fri Feb 11 2005 - 17:46:45 CST