What rules have been used for the current list of codepoints?
Erik van der Poel
erikv at google.com
Sun Dec 17 17:49:58 CET 2006
Hi Martin,
The issue is not that a company might spoof itself. It is that a
domain owner might set up a tricky subdomain like these:
http://www.paypal.de⁄_login.cgi.de
http://www.paypal.de∕_login.cgi.de
http://www.paypal.de〳_login.cgi.de
http://www.paypal.deノ_login.cgi.de
These are using the slash-lookalikes U+2044, 2215, 3033 and 30CE that
I listed at nameprep.org a while ago. It looks like Firefox has put
some protection in place for the first 3, but not for the last. Of
course, that curvy character does not really look like a slash to most
people, but maybe some would be fooled? I don't know.
Erik
On 12/17/06, Martin Duerst <duerst at it.aoyama.ac.jp> wrote:
> As for labels lower than that, I guess user agents will
> inforce that because it's difficult for them to know in
> all cases what levels are officially registered and what
> not, but I have to say that I personally don't care if
> companyA spoofs itself with a.companyA.com, where the
> first 'a' may be both Latin and Cyrillic.
More information about the Idna-update
mailing list