From: Neil Harris (neil@tonal.clara.co.uk)
Date: Thu Feb 10 2005 - 20:14:41 CST
Addison Phillips [wM] wrote:
>>Nah. It's poor design of IDN. They should have disallowed mixing characters
>>from different scripts in one URL. It wouldn't have ruled out all of the
>>problems, but most of them.
>
>I disagree. There are plenty of cases in which scripts are mixed naturally in languages that use non-Latin scripts. For example, many languages use the Latin digits in preference to native script digits. Should we allow the Latin digits into a non-ASCII domain name? Oh, the slippery slope...
>
>For that matter, I can construct a perfect "paypal" string using ONLY Cyrillic letters. Restriction to one script doesn't prevent the homograph attack. It just requires one to be more clever.
>
>U+0440 U+0430 U+0443 U+0440 U+0430 U+04C0 looks just as good in my browser...
>
>Addison
>

My, that's ingenious. If I was paypal, I'd be rushing to register all
those domains right now. Could you please have a look at the discussion
that's been going on on Bugzilla regarding the Mozilla and Firefox
aspects of this problem? It's at
https://bugzilla.mozilla.org/show_bug.cgi?id=279099

Yes, we thought of preventing script mixing (but making a special case
for the digits and hyphen-minus), but your example is rather alarming.
-- Neil
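
As an added illustration (not part of the original message or of any browser's code): a script-mixing check with the digits and hyphen-minus special case, run against the all-Cyrillic code points quoted above, next to a look-alike fold that does flag them. The function names and the look-alike table are constructed for this example, and a character's script is approximated from the first word of its Unicode name.

```python
import unicodedata

# Exempt from the script-mixing rule, per the special case mentioned in the
# message: the digits and hyphen-minus.
NEUTRAL = set("0123456789-")

# Constructed, deliberately tiny look-alike table covering only the code points
# quoted in the thread; a real check would need a full confusables data set.
LOOKALIKE = {"\u0440": "p", "\u0430": "a", "\u0443": "y", "\u04c0": "l"}

def scripts(label):
    """Approximate each character's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in NEUTRAL}

def mixes_scripts(label):
    """True when the label draws letters from more than one script."""
    return len(scripts(label)) > 1

def skeleton(label):
    """Fold known look-alikes to the Latin letter they resemble, then lowercase."""
    return "".join(LOOKALIKE.get(ch, ch) for ch in label).lower()

def imitates(label, protected):
    """Return the protected name a different label folds to, or None."""
    skel = skeleton(label)
    for name in protected:
        if label != name and skel == name:
            return name
    return None

# Constructed sample labels.
ALL_CYRILLIC = "\u0440\u0430\u0443\u0440\u0430\u04c0"  # the code points from the thread
MIXED = "p\u0430ypal"                                  # one Cyrillic letter among Latin
PROTECTED = ["paypal"]

if __name__ == "__main__":
    for label in (ALL_CYRILLIC, MIXED, "paypal", "\u0440\u0430\u0443-2005"):
        print(ascii(label), sorted(scripts(label)),
              "mixed" if mixes_scripts(label) else "single-script",
              "imitates", imitates(label, PROTECTED))
```

The all-Cyrillic label passes the script-mixing rule and is only caught by the look-alike fold, which is the point the quoted message makes.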