
posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display internationalized domain names (IDNs). The issue is, of course, spoofing legitimate URLs with visually similar letters from other scripts. You would probably notice the lame attempt in the department line above, but some international characters are very similar to, or indeed indistinguishable from, their Latin counterparts. Depending on your personal preferences it might be a good idea to have your browser show IDNs as punycode instead. It could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale

  • (Score: 3, Interesting) by isj on Sunday March 11 2018, @07:29PM (5 children)

    by isj (5249) on Sunday March 11 2018, @07:29PM (#651025) Homepage

    I mostly agree with you.
    Note: My use of .ru TLD was a bad choice. The domains in .ru are using transliterated Russian letters, while the real Russian TLD is .рф

    I think it is reasonable to require that if an average Russian goes to the президент.рф site which has cyrillic letters in it then the cyrillic letters are shown as they should - not as raw punycode.
    And if an average German goes to www.bücher.de which has latin-1 letters in it then the latin-1 letters are shown as they should - not as raw punycode.

    Now, if an average American goes to the президент.рф site? Well, since the TLD has a strict script policy (only cyrillic is allowed) it would be okay to show the cyrillic letters. Or the raw punycode. Either would be fine IMHO.

    What about са.com (or any other TLD with a loose script policy)? This is where the idea of showing what the user should be familiar with as fine glyphs, and the unfamiliar stuff as punycode, seems like a good idea. It would, as you put it, go a long way against click-jacking. The average American would see xn--80a7a.com while the average Russian would see са.com.

    But then you have a nasty problem: in the opposite case (plain ASCII ca.com) the average Russian would see, uhm... (you can't punycode-encode plain a-z) some clear indication that it is not cyrillic. But that would be silly because it is quite common. Are Russians tricked by cyrillic-looking glyphs, or are they just more aware of it? Inquiring minds want to know...

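The following Python script is an added illustration of the two things discussed above: the punycode conversion mentioned in the story summary (xn--80a7a.com for са.com, and the bücher.de and президент.рф cases from isj's comment), and isj's proposed display policy of rendering familiar scripts as glyphs and unfamiliar ones as punycode. It is not code from Krebs, from SoylentNews, or from any browser. It uses only Python's built-in `idna` codec (IDNA2003/nameprep rules, which suffice for these names) and `unicodedata`. The per-label policy in `display_label`, the `familiar_scripts` parameter, and the small `CYRILLIC_LATIN_LOOKALIKES` table are assumptions of this example; the lookalike rule goes one step beyond the comment's proposal by also punycoding a single-script Cyrillic label that consists entirely of Latin-lookalike letters, which is why са.com is shown as punycode even to a Cyrillic-familiar user here. The mixed-script label `cа` (Latin c followed by Cyrillic а) is a constructed sample.

```python
import unicodedata

# Hand-picked subset of Cyrillic letters whose glyphs are near-identical to
# Latin a, e, o, p, c, y, x. An illustrative table for this example only,
# not the full Unicode confusables list.
CYRILLIC_LATIN_LOOKALIKES = frozenset("аеорсух")


def to_punycode(domain: str) -> str:
    """Encode a Unicode domain name into its ASCII (xn--) form.

    Uses Python's built-in 'idna' codec. Pure-ASCII labels pass through
    unchanged, which is exactly the "you can't punycode-encode plain a-z"
    problem raised in the thread.
    """
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Decode an xn-- form back into its Unicode domain name."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Return the set of scripts used by the letters of one label.

    The script is approximated by the first word of the character's Unicode
    name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def display_label(label: str, familiar_scripts=frozenset({"LATIN"})) -> str:
    """Decide how one label is rendered for a user who reads familiar_scripts.

    Policy (an assumption of this example, not any browser's real algorithm):
      * ASCII labels are shown as-is.
      * A label mixing several scripts is shown as punycode.
      * A single-script label is shown in Unicode only if that script is
        familiar to the user and the label is not built entirely from
        Latin lookalikes; otherwise it is shown as punycode.
    """
    if label.isascii():
        return label
    scripts = label_scripts(label)
    if len(scripts) != 1:
        return to_punycode(label)
    (script,) = scripts
    if script not in familiar_scripts:
        return to_punycode(label)
    letters = [c for c in label if c.isalpha()]
    if script == "CYRILLIC" and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters):
        return to_punycode(label)
    return label


def display_domain(domain: str, familiar_scripts=frozenset({"LATIN"})) -> str:
    """Apply display_label to every label of a dotted domain name."""
    return ".".join(display_label(lbl, familiar_scripts) for lbl in domain.split("."))


if __name__ == "__main__":
    # The names from the thread plus one constructed mixed-script label.
    samples = ["са.com", "ca.com", "www.bücher.de", "президент.рф", "cа.com"]
    profiles = {
        "Latin reader": frozenset({"LATIN"}),
        "Cyrillic reader": frozenset({"CYRILLIC", "LATIN"}),
    }
    for name in samples:
        print(f"{name:16} ascii form: {to_punycode(name):28} scripts: "
              f"{sorted(label_scripts(name.split('.')[-2]))}")
        for who, scripts in profiles.items():
            print(f"{'':16} {who:16} sees {display_domain(name, scripts)}")
```

Running the script prints, for each sample, its ASCII form, the scripts found in its second-level label, and what each reader profile would see. Note that `ca.com` is shown unchanged to everyone, which is the asymmetry isj points out: a Latin-script lookalike of a Cyrillic name cannot be flagged by punycode at all, so that side of the problem needs a different signal.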
  • (Score: 3, Touché) by FatPhil on Sunday March 11 2018, @08:36PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Sunday March 11 2018, @08:36PM (#651054) Homepage
    Fortunately nothing looks like Cyrillic, so B or Β will never be thought of as В, nor Η or H as Н, nor Τ or T as Т.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by requerdanos on Monday March 12 2018, @12:41AM (1 child)

    by requerdanos (5997) Subscriber Badge on Monday March 12 2018, @12:41AM (#651134) Journal

    Either would be fine IMHO.

    Looking at one, I see "president dot R F", and looking at the other, I would see "X N dash dash meaningless gibberish".

    Sure, I know tastes vary, but--I can read one of those and can't read the other. Regardless of what the machine might be able to read.

    • (Score: 2) by isj on Monday March 12 2018, @12:58AM

      by isj (5249) on Monday March 12 2018, @12:58AM (#651147) Homepage

      Now, if an average American goes to the президент.рф site? Well, since the TLD has a strict script policy (only cyrillic is allowed) it would be okay to show the cyrillic letters. Or the raw punycode. Either would be fine IMHO.

      My imperfect phrasing. What I meant was that I can see pros and cons of each approach in this particular unusual case and I don't have a strong opinion on that.

  • (Score: 2) by requerdanos on Monday March 12 2018, @12:47AM (1 child)

    by requerdanos (5997) Subscriber Badge on Monday March 12 2018, @12:47AM (#651136) Journal

    Are Russians tricked by cyrillic-looking glyphs, or are they just more aware of it?

    I do know that I've made the odd Russian-language post on this very site, to make a point (a sad tendency I have that sometimes casts my maturity in doubt), and been rebuffed by the lameness filter *unless* I substituted Latin characters for a certain percentage of the Cyrillic ones. They look the same, read the same, and though I am no Russian, they would sure fool me.

    As a side note, it is amazing to me how much more slowly I type while using a Russian keyboard/keyboard layout than I do while using US-International layout. Is it just me?

    • (Score: 2) by isj on Monday March 12 2018, @01:22AM

      by isj (5249) on Monday March 12 2018, @01:22AM (#651160) Homepage

      I'm hoping that some Russians will chime in. I have no idea if there are reverse phishing attacks using latin letters against cyrillic users.

      Regarding keyboard layout: I imagine that it depends on what you type and how familiar you are with the keyboard layout. If you have been programming for a while then I imagine using any non-latin keyboard would be much slower due to lack of muscle memory. Typing on a French keyboard is no fun either if it is not your primary keyboard layout. It once took me 8 tries to type my password correctly on that abomination.