
SoylentNews is people

posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display IDNs. The issue here is of course spoofing valid URLs with visually similar letters. You probably would notice the lame attempt in the department line, but some of the international characters are very similar or indeed identical. Depending on your personal preferences, it might be a good idea to use punycode instead. Could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale


  • (Score: 2) by requerdanos (5997) on Sunday March 11 2018, @03:35PM (#650932)

    I'm willing to wager most of the "fool you with similar character" URLs are directed specifically at the "I expect ASCII" crowd (aka me!).

    Let's imagine a site in the Russian-language world called привет.com (привет ~= "privyet" ~= "hi"). (This exists, with only a parking page at http://привет.com/.) [привет.com]

    If we replace the Cyrillic "в" with the latin "B", or worse, replace the Cyrillic "е" and "р" with latin "e" and "p", we get lots of variants that look identical, or almost identical, to our hypothetical original.

    So perhaps it's not the sophisticated world directing "fool you with similar" attacks at the "I Expect ASCIIs" but the "criminal element" directing "fool with similar" attacks at all-and-sundry.

    Changing color based on which Unicode page a character is from would admittedly reveal this just as well, but Ivan Pa-Russki and many others would have to put up with their address bar being an ugly error-red indicating "normal" and friendly ordinary black meaning "someone is trying to fool you."

    Punycode probably isn't a universal answer--the friendly "привет.com" becomes "xn--b1agh1afp.com" in punycode (Blag one a fop? Blog one a fip?). Which would be sort of like "google.com" always showing up as "qz--jkl2h298398j.com" for us ASCII folks. I.e. similar problem to the red-coding, but worse because instead of turning letters red, it renders them unreadable.

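As an added example that is not part of the story or the comment above, here is a Python sketch (function names are my own) of the two things the thread discusses: turning an IDN into its Punycode form with Python's built-in idna codec, and a per-label script-mixing check of the kind a browser can use to decide when to fall back to showing the xn-- form instead of the Unicode one.

```python
"""Added example, not code from the story or the comment: Punycode conversion
and a per-label script-mixing check for IDN hostnames (function names assumed)."""
import unicodedata

# Scripts this check distinguishes; every other letter script is lumped into OTHER.
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK"}


def script_of(ch: str) -> str:
    """Derive a script tag from the character's Unicode name.

    'в' -> 'CYRILLIC', 'B' -> 'LATIN'; digits, hyphens and other
    non-letters are 'COMMON' so they never count as a second script.
    """
    if not ch.isalpha():
        return "COMMON"
    first_word = unicodedata.name(ch, "").split(" ", 1)[0]
    return first_word if first_word in KNOWN_SCRIPTS else "OTHER"


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label} - {"COMMON"}


def annotate(label: str) -> list:
    """Per-character (char, script) pairs: the data a colour-by-script
    address bar, as the comment suggests, would work from."""
    return [(c, script_of(c)) for c in label]


def to_punycode(hostname: str) -> str:
    """A-label form (RFC 3492) produced by Python's built-in idna codec,
    which also applies Nameprep, so a Latin 'B' becomes 'b' before encoding."""
    return hostname.encode("idna").decode("ascii")


def display_hostname(hostname: str) -> str:
    """Show the Unicode form only if every label is single-script;
    otherwise fall back to Punycode so a Latin letter dropped into a
    Cyrillic label (or vice versa) stops looking identical."""
    if any(len(label_scripts(label)) > 1 for label in hostname.split(".")):
        return to_punycode(hostname)
    return hostname


if __name__ == "__main__":
    for host in ("привет.com", "приBет.com", "example.com"):
        print(host, "->", to_punycode(host), "| shown as:", display_hostname(host))
```

A label written entirely in Cyrillic letters that happen to resemble Latin ones is single-script and passes this check unchanged, which is why browsers pair a mixing check like this with whole-script confusable lists.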