Browser IDN display policy: opinions sought

Paul Hoffman phoffman at imc.org
Wed Dec 21 16:24:43 CET 2011


On Dec 21, 2011, at 3:57 AM, Gervase Markham wrote:

> On 19/12/11 16:55, Paul Hoffman wrote:
>> In this case, however, the "responsible policy" is limited to TLDs
>> registering SLDs. People have already pointed out on this thread that
>> Firefox's restriction on script-confusables only goes one layer down,
>> and that for LDH labels, Firefox (and all other browsers) don't do
>> anything about names like
>> www.bankofamerica.com.deposits.index-action.me.
> 
> And I have responded that this is not your problem; we are tackling that
> sort of thing via other means (such as domain highlighting).

It is "our problem" in that you are introducing multiple ways to alert users about questionable domain names, where many valid IDNs get worse display than all-ASCII names that are clearly fraudulent. The proposal people are making is that, if your motivation for showing Punycode is that there might be fraud, that you instead use the same alert technologies that you { are | will be } using for all-ASCII names that you believe are fraudulent.

>> One way, which you have rejected earlier in this thread, is to simply
>> display all IDNs as Unicode (where the display is possible), just the
>> same way you display all possibly-fraudulent LDH labels. That would
>> make them all first-class. If you choose to do some checking on the
>> domain names for possible fraud based on other heuristics (as Firefox
>> and all other browsers do), and then show an interstitial warning or
>> change the navigation chrome in some way, you can do that for IDNs as
>> well *following the same rules you use for non-IDN names*.
> 
> (For those not familiar: Firefox can use various data sources, but by
> default uses the Google SafeBrowsing list, to put up warnings whenever a
> site on the list is encountered.)

That seems quite reasonable to me.

>> If you want to get additional heuristics from TLDs about policies to
>> help you decide when you should add a warning, the technical
>> community can talk about how to make that happen in a way that would
>> be useful to application vendors. (So could ICANN, but I suspect that
>> would be a waste of everyone's time.)
> 
> Could you expand on how that might happen?

Andrew already proposed maybe a new RRtype in which a zone can publish its script policy. That one attracts me most so far because it keeps DNS-related decisions in the DNS and uses clear TTL semantics for caching.

--Paul Hoffman
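Paul's point that a script-confusable rule applied "one layer down" says nothing about deeper labels, as an added example (not code from this thread or from any browser): it runs a mixed-script check over every label of a hostname and compares that with checking only the label directly under the TLD. Script identification is approximated from Unicode character names (the standard library exposes no Script property), and the sample hostnames are constructed.

```python
"""Mixed-script check applied to every label of a hostname, not only the SLD.

Added illustration; not the thread's code and not any browser's real policy.
"""
from typing import List, Optional, Set
import unicodedata


def label_scripts(label: str) -> Set[str]:
    """Approximate scripts of a U-label: first word of each letter's Unicode name.

    Digits and hyphen are script-neutral and are skipped.
    """
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def to_ulabel(label: str) -> str:
    """Decode an A-label (xn--...) to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_alabel(ulabel: str) -> str:
    """Encode a Unicode label as an A-label (no IDNA mapping step; demo only)."""
    if ulabel.isascii():
        return ulabel
    return "xn--" + ulabel.encode("punycode").decode("ascii")


def mixed_script_labels(host: str, layers: Optional[int] = None) -> List[str]:
    """Return U-labels whose letters span more than one script.

    layers=1 checks only the label directly under the TLD (the "one layer
    down" rule); layers=None checks every label below the TLD.
    """
    labels = [to_ulabel(l) for l in host.rstrip(".").split(".")]
    below_tld = labels[:-1]
    checked = below_tld if layers is None else below_tld[-layers:]
    return [l for l in checked if len(label_scripts(l)) > 1]


# Constructed samples (not from the thread): a Latin label with one Cyrillic
# 'а' (U+0430) sitting two labels below the TLD, an all-Cyrillic look-alike
# directly under the TLD, and the all-LDH deep name quoted in the thread.
MIXED_DEEP = to_alabel("p\u0430ypal") + ".secure-login.example"
CYRILLIC_SLD = to_alabel("\u0430\u0440\u0440\u04cf\u0435") + ".com"
LDH_DEEP = "www.bankofamerica.com.deposits.index-action.me"
```

Note that the all-Cyrillic sample passes a mixed-script rule at every depth, which is why such rules alone do not settle the fraud question Paul raises.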

