Proposed new Firefox IDN display algorithm

Yedidyah Bar-David didi at isoc.org.il
Sun Feb 5 08:17:18 CET 2012


Hello all, Gervase,

On Sat, Feb 04, 2012 at 04:27:00PM +0000, Gervase Markham wrote:
> Displaying the A-label has the significant advantage of removing the
> potentially confusable string from the user's view and replacing it
> with something which has no chance of being confused with any other
> normally-used domain, while otherwise providing minimal disruption
> to their browsing experience. I'm not sure I could write an error
> message about this that my Grandma could understand, and I'm not
> sure what action I would recommend that she take when viewing it
> anyway.

While the entire policy is significant, important, and worth considering,
this specific point, I think, is what some people here do not agree with,
and I do not think the Mozilla project has so far managed to convince people of it.

"Displaying the A-label has the significant advantage of removing the
potentially confusable string from the user's view" is obviously correct,
but so is replacing it with question marks, its base64 encoding, whatever.
By choosing specifically the A-label, you implicitly say to yourself
something along the lines of "it's still similar enough to the U-label
so that if we were wrong and should have actually shown the U-label,
there is no big harm done". Well, at least that's my understanding.
Others already explained how wrong this is.

The solution to "The grandma problem" isn't by showing A-labels or
anything of that kind, IMO. Mozilla/Firefox manage to invent very creative
complexes of slowdowns to try and prevent users from entering sites that
are deemed insecure, including stuff which takes a rather long process to
get around if and when needed (which does happen, but this isn't the place
to discuss this). I do not buy the "I'm not sure I could write an error
message" point. You might not be able to write something that users will
read, no matter how well you phrase your message, but you _can_ slow them
down in any number of other ways which you already use.

IMO the only solution to "The Grandma Problem" is by education. Normally,
grandmas do not go by themselves to a computer store, get one, order some
kind of Internet connection, connect, then search for their bank account
login page and login. Someone helps them with that. That someone should
make sure to save bookmarks for the most important places this grandma
uses, and explain very well that she should only use these bookmarks, and
never press links she sees on the web/mail/etc. I do realize this isn't
a complete solution, but neither is the A-label one - crooks that manage to
make people send their passwords to a confusingly-similar page will also
manage to do so if A-labels are shown. At least some of them. And as you
said above, this Isn't Your Fault.

All of the above is just my opinion. I am not an expert in any relevant
field.
-- 
Didi


