On 12/02/12 00:09, Masataka Ohta wrote: > Neil Harris wrote: > >> Techniques to deal with this sort of spoofing already exist: see >> >> http://www.mozilla.org/projects/security/tld-idn-policy-list.html > It does not make sense that .COM allows Cyrillic characters: > > http://www.iana.org/domains/idn-tables/tables/com_cyrl_1.0.html > > i script of a domain name is Cyrillic. > > Domain names do not have such property as script. > > Is the following domain name: > > CCC.COM > > Latin or Cyrillic? > >> for one quite effective approach. > The only reasonable thing to do is to disable so called > IDN. > > Masataka Ohta > > PS > > Isn't it obvious from the page you referred that IDN is > not internationalization but an uncoordinated > collection of poor localizations? >
I'm not a flag-waver for IDN, so much as a proponent of ways to make IDN safer, given that it already exists. Lots of people have thought about this quite carefully. See RFC 4290 for a technical discussion of the thinking behind this policy, and RFC 5992 for a policy mechanism designed to resolve the problem you raised in your example above. You will notice that the .com domain does not appear on the Mozilla IDN whitelist. -- N.