posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display IDNs (internationalized domain names). The issue here is of course spoofing valid URLs with visually similar letters. You would probably notice the lame attempt in the department line, but some of the international characters are very similar or indeed identical. Depending on your personal preferences it might be a good idea to have your browser show punycode instead. Could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale
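Added example, not part of the story or of the Krebs article: a small Python script that converts between the Unicode and punycode (xn--) forms of a domain with the standard library's idna codec, which implements the RFC 3490/3492 (IDNA2003) profile rather than the RFC 5891 one, and then flags any label whose letters come from more than one script. That mixed-script property is what makes the commenter's "trustwоrthy.example" (Latin letters with one Cyrillic о) look different from the all-Latin name once you stop trusting the rendered glyphs. The script classification by the first word of the Unicode character name is a heuristic of my own, and the sample domains other than the one quoted in the comments are constructed.

```python
from __future__ import annotations

import unicodedata

# Constructed sample domains. Only the first two appear on the page (the
# domain a commenter hovered over and its punycode form); the rest are mine.
SAMPLE_DOMAINS = [
    "trustw\u043erthy.example",     # Latin letters plus one Cyrillic о (U+043E)
    "xn--trustwrthy-jvi.example",   # the same domain as an ACE (punycode) label
    "trustworthy.example",          # all-Latin, what a user expects to see
    "пример.example",               # all-Cyrillic label: an IDN, but not a homograph
]


def to_ascii(domain: str) -> str:
    """Unicode -> ACE form (xn--...) with the stdlib IDNA codec (RFC 3490/3492).
    Labels that are already ASCII pass through unchanged."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain: str) -> str:
    """ACE or Unicode form -> Unicode form. The codec checks that every
    xn-- label round-trips before accepting it."""
    return domain.encode("idna").decode("idna")


def label_scripts(label: str) -> set[str]:
    """Heuristic script set for one label: the first word of each letter's
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). Digits and hyphens
    carry no script and are ignored."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list[str]:
    """Labels of `domain` whose letters come from more than one script.
    A label written wholly in another script is an ordinary IDN; a label
    that mixes scripts has the shape of a look-alike domain."""
    return [lbl for lbl in to_unicode(domain).split(".")
            if len(label_scripts(lbl)) > 1]


def describe(domain: str) -> dict:
    """Both representations plus the mixed-script verdict."""
    ascii_form = to_ascii(domain)
    unicode_form = to_unicode(domain)
    return {
        "ascii": ascii_form,
        "unicode": unicode_form,
        "is_idn": ascii_form != unicode_form,
        "mixed_script_labels": mixed_script_labels(domain),
    }


if __name__ == "__main__":
    # Print what a punycode-displaying browser would show next to the Unicode form.
    for d in SAMPLE_DOMAINS:
        info = describe(d)
        verdict = "MIXED-SCRIPT" if info["mixed_script_labels"] else "ok"
        print(f"{info['ascii']:32} {info['unicode']:24} {verdict}")
```

Run it as a script to see the four sample domains side by side; the two spellings of the hovered-over domain map to the same ACE label and are the only ones flagged. The script heuristic deliberately passes the all-Cyrillic label, because a name entirely in one non-Latin script is exactly what IDNs exist for; it is the mixing within a single label that browsers and defenders key on.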

  • (Score: 2) by darkfeline (1030) on Monday March 12 2018, @04:38PM (#651410)

    >We'd like to make it hard, not easy, to fool people and take their money and/or trust for nefarious purposes.

    Sure, but a fool and his money are still easily parted.

    >This conditions people to type their credentials into unfamiliar-but-probably-genuine forms, and makes them ripe for phishing *because* of the behavior of a password manager.

    PEBCAK, and requires the premise that the user is visiting poorly designed sites that suffer this issue, so it assumes the user is already putting themselves at risk before the event. Even my bank's crappy website combined with Chromium's built in password manager doesn't suffer from this issue.

    >People do things like turn over money and reveal personal information on the strength of trust. If the trust is misplaced, bad things happen. We want to avoid that where possible.

    The problem isn't trust, the problem is people trusting untrusted things. Sure, we can try to protect the fool, but fools are clever in their ability to avoid protections. If you unconditionally trust anything on the Internet, well, you're already in a bad spot.

    >That's how everyone from Tim Berners-Lee on down navigates the web, yourself included.

    Not really, no. I don't log in to pages that I have followed from a link, this is best practices 101. I don't unconditionally trust the claims on a page that I have followed from a link (or from a typed URL either).

    >That's less true of ...

    When I mouse over the link, I get http://xn--trustwrthy-jvi.example/, [trustwоrthy.example] so no, not really. Even so, I would not enter my credentials on either page.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 4, Interesting) by requerdanos (5997) on Monday March 12 2018, @05:16PM (#651430)

    > a fool and his money are still easily parted.

    While true, that's not justification for the technically literate failing to take reasonable precautions on behalf of the not.

    > Even my bank's crappy website combined with Chromium's built in password manager doesn't suffer from this issue.

    My bank's website + firefox or pale moon does suffer from this issue. "The user is visiting poorly designed sites" is a guarantee, not merely a required premise.

    > we can try to protect the fool, but fools are clever

    We should try to protect the fools. Those who insist on being fools who are fooled will be, but that won't be because we didn't try.

    > I don't log in to pages that I have followed from a link, this is best practices 101.

    Educating people not to do this is part of protecting fools from foolishness, but it hasn't got very far. That's no justification for not taking other prudent measures.

    > I don't unconditionally trust the claims on a page that I have followed from a link (or from a typed URL either)...When I mouse over the link, I get /xn--trustwrthy-jvi.example/

    According to Nielsen Norman Group research [nngroup.com], "complex" tasks like "navigation across pages and applications" or tasks that "involve multiple steps and operators" (basically, tasks that require thinking and not just blindly following steps by rote) are not within the abilities of over 2/3 of the adult population of first-world countries.

    Look, as you know, you're not wrong. But the arguably simple things you cite above are still demonstrated to be "too complicated" for most, and the challenge for the 5% of the population that is technically proficient (as measured by the referenced study) is to design a system navigable by the other 95% without undue risks.

    The 2016 article referred to above (which I urge anyone interested in this discussion to read), titled "The Distribution of Users’ Computer Skills: Worse Than You Think" and written by Jakob Nielsen, is summarized as "Across 33 rich countries, only 5% of the population has high computer-related abilities, and only a third of people can complete medium-complexity tasks." Over 200,000 people between the ages of 16 and 65 inclusive were tested on computer-related tasks. This is the best research available to us, and its results are that people are less capable than we usually assume. That's a hard lesson to internalize and plan from, but for those of us like you and me, who are in the top 5% and able to do arbitrary tasks on a computer that require thought and decision making, I would submit that it's our responsibility to do it because literally no one else is capable of doing so.

    If, in spite of our best efforts, fools and their money/personal info/good reputation are still parted, then so be it.

    But if we don't make that effort, then we share in responsibility for that parting. No need for that! The fools* can do it on their own.

    -----
    * My own foolish behavior has put me into this category more than once. I am saying "us", not "they."