
SoylentNews is people

posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display IDN. The issue here is of course spoofing valid URLs with visually similar letters. You probably would notice the lame attempt in the department line but some of the international characters are very similar or indeed identical. Depending on your personal preferences it might be a good idea to use punycode instead. Could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale
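The story turns on the choice between showing a domain as Unicode or as its punycode ("xn--") form. The following is an added example, not code from the Krebs article or from this post, showing both conversions with the standard library and a simplified version of the kind of display policy browsers apply (mixed-script labels and all-Cyrillic labels made only of Latin look-alikes are shown in punycode, everything else as Unicode). Assumptions: the look-alike set is a constructed subset, the script detection uses the character-name prefix as a stand-in for the real Unicode Script property, and the policy is far less elaborate than any real browser's. Note that Python's built-in `idna` codec implements IDNA 2003 (RFC 3490/3491/3492), not IDNA 2008 (RFC 5890-5894).

```python
"""Added example: Unicode <-> punycode conversion plus a simplified
address-bar display policy. Standard library only."""
import unicodedata

# Constructed (assumption): Cyrillic letters whose glyphs are near-identical
# to Latin a, e, o, p, c, y, x, i, j, s in common fonts. Browser lists are longer.
CYRILLIC_LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456\u0458\u0455")

# Name prefixes of characters that belong to no script but are legal in labels.
SCRIPT_NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def to_ace(domain):
    """Unicode domain -> ASCII Compatible Encoding (RFC 3490 ToASCII per label).
    e.g. 'bücher.example' -> 'xn--bcher-kva.example'"""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """ACE domain -> Unicode form (RFC 3490 ToUnicode per label)."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label):
    """Approximate the script of each character from the first word of its
    Unicode name ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens
    are ignored. Assumption: unicodedata exposes no Script property, so this
    name-prefix heuristic stands in for it."""
    scripts = set()
    for ch in label:
        head = unicodedata.name(ch, "UNKNOWN").split()[0]
        if head not in SCRIPT_NEUTRAL:
            scripts.add(head)
    return scripts


def is_whole_script_confusable(label):
    """True when every letter is Cyrillic and drawn from the look-alike set,
    i.e. the whole label could pass for an ASCII word (the 'apple.com' trick)."""
    letters = [c for c in label if c.isalpha()]
    return (bool(letters)
            and label_scripts(label) == {"CYRILLIC"}
            and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters))


def classify_label(label):
    """'ascii', 'unicode' (safe to render) or 'suspicious' (render as punycode)."""
    if label.isascii():
        return "ascii"
    if len(label_scripts(label)) > 1:
        return "suspicious"      # mixed scripts, e.g. Cyrillic а + Latin l
    if is_whole_script_confusable(label):
        return "suspicious"      # e.g. сору (all Cyrillic) reads as "copy"
    return "unicode"


def display_form(domain):
    """What a conservative address bar would show: Unicode for labels that pass
    the checks above, the xn-- form for every label that does not."""
    ace = to_ace(domain)                 # normalises case/NFKC via nameprep
    unicode_domain = to_unicode(ace)
    shown = []
    for label, ace_label in zip(unicode_domain.split("."), ace.split(".")):
        shown.append(ace_label if classify_label(label) == "suspicious" else label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed inputs: a German word, a Russian domain, and two spoofs.
    for d in ("bücher.example", "пример.рф",
              "\u0430\u0440\u0440l\u0435.com",       # Cyrillic а р р + Latin l + Cyrillic е
              "\u0441\u043e\u0440\u0443.com"):       # Cyrillic с о р у
        print(f"{d!r:32} ace={to_ace(d)!r:32} shown={display_form(d)!r}")
```

The last two inputs illustrate both commenters' points: a mixed-script label is caught by the script check, while an all-Cyrillic label needs the look-alike check, and in both cases the user ends up seeing an `xn--` string rather than the word they would have recognised.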

  • (Score: 3, Insightful) by requerdanos on Sunday March 11 2018, @03:44PM (3 children)

    by requerdanos (5997) on Sunday March 11 2018, @03:44PM (#650933)

    Perfect example of idiots bending over backward to appease the politically correct crowd - and exposing people to exploits.
    If you're using a Mozilla product, the fix is easy.

    If you’re a Firefox user and would like Firefox to always render IDNs as their punycode equivalent when displayed in the browser address bar, type “about:config” without the quotes into a Firefox address bar. Then in the “search:” box type “punycode,”

    Yes, that is a pretty perfect example, and yes, it exposes people to trivial exploits. But the "fix" fixes one problem and introduces another.

    "Punycode" is a method to translate non-ascii but perfectly readable text into illegible gibberish. Since I can read words in more than one alphabet--I'd wager that most people in the world do this, though admittedly I don't know if that translates to most Internet users--that's no fix. It creates its own class of problem: Now I would be expecting that perfect-readable-words.com would display as "xn--gibberish2389.com" and I wouldn't be disappointed, whether I was at the legitimate site or at some spoofed alternative.

    Not being able to read the domain name (punycode prevents this) but rather being shown a mathematically coded representation puts me at a disadvantage because now I can't quickly and easily spot obvious spoof-fakes. Don't even know what site is loaded except through context clues.

  • (Score: 2) by driverless on Sunday March 11 2018, @10:50PM (2 children)

    by driverless (4770) on Sunday March 11 2018, @10:50PM (#651103)

    Not being able to read the domain name (punycode prevents this) but rather being shown a mathematically coded representation

    I've always felt that punycode should be called wtfcode, because, WTF? It has exactly the problem you mention, is incredibly complex to process, the code to do so is probably prone to all sorts of vulns because of its complexity, and all it's doing is taking something that's a problem and turning it into an even worse problem.

    • (Score: 3, Touché) by coolgopher on Monday March 12 2018, @01:02AM (1 child)

      by coolgopher (1157) on Monday March 12 2018, @01:02AM (#651151)

      Sounds like its true name then is XML... ;)

      • (Score: 0) by Anonymous Coward on Monday March 12 2018, @04:01AM

        by Anonymous Coward on Monday March 12 2018, @04:01AM (#651193)

        XML is like violence...