Browser IDN display policy: opinions sought

Gervase Markham gerv at mozilla.org
Wed Dec 21 12:57:26 CET 2011


On 19/12/11 16:55, Paul Hoffman wrote:
> In this case, however, the "responsible policy" is limited to TLDs
> registering SLDs. People have already pointed out on this thread that
> Firefox's restriction on script-confusables only goes one layer down,
> and that for LDH labels, Firefox (and all other browsers) don't do
> anything about names like
> www.bankofamerica.com.deposits.index-action.me.

And I have responded that this is not your problem; we are tackling that
sort of thing via other means (such as domain highlighting).

> One way, which you have rejected earlier in this thread, is to simply
> display all IDNs as Unicode (where the display is possible), just the
> same way you display all possibly-fraudulent LDH labels. That would
> make them all first-class. If you choose to do some checking on the
> domain names for possible fraud based on other heuristics (as Firefox
> and all other browsers do), and then show an interstitial warning or
> change the navigation chrome in some way, you can do that for IDNs as
> well *following the same rules you use for non-IDN names*.

(For those not familiar: Firefox can use various data sources, but by
default uses the Google SafeBrowsing list, to put up warnings whenever a
site on the list is encountered.)

> If you want to get additional heuristics from TLDs about policies to
> help you decide when you should add a warning, the technical
> community can talk about how to make that happen in a way that would
> be useful to application vendors. (So could ICANN, but I suspect that
> would be a waste of everyone's time.)

Could you expand on how that might happen?

Gerv


More information about the Idna-update mailing list