Unicode 7.0.0, (combining) Hamza Above, and normalization
Shawn.Steele at microsoft.com
Fri Aug 8 02:36:24 CEST 2014
> Well, maybe and maybe not. Some of the users of this protocol are naïve users of it -- they don't even know they're using a protocol.
> It might be (I don't yet have an opinion) that doing things in a way that is less likely to lead to attacks against those people is worth making either the protocol or the protocol-implementation advice more complicated. Presumably, implementers have a greater reason to become familiar with the picky exceptional cases.
I think it's dangerous to assume that fixing this lessens any risk of any attacks. It was mentioned in another mail that if Unicode had picked a different name this may not have even been noticed. There are likely many similar-looking things that fit in a similar bucket and have escaped notice. IMO thinking that anything is more secure by clamping down on this one character is a bit naïve.