International URLs Pass First Test 159
Off the Rails writes "The BBC reports on the results of a successful test of non-ASCII domain names on Internet-equivalent hardware (pdf) carried out last October. The next stage is to plug the system into the net, and if it still works, it could go live sometime next year. 'Early work on the technical feasibility of using non-English character sets suggested that the address system would cope with the introduction of international characters tests were called for to ensure this was the case ... Also needed are policy decisions by Icann on how the internationalised domain names fit in and work with the existing rules governing the running of the address books. Icann is under pressure to get the international domain names working because some nations, in particular China, are working on their own technology to support their own character sets.'"
Re:In practice it means "national" URLs. (Score:3, Informative)
But you will still be able to click them. IDN support is available in most popular browser (although disbled for security issues.)
Re:Phishing just got a lot more interesting (Score:4, Informative)
This is already happening. A common example is the cyrillic lower case "?", which looks almost exactly like the latin "a" in most fonts.
See http://en.wikipedia.org/wiki/IDN_homograph_attack [wikipedia.org] for more information.
Re:Phishing just got a lot more interesting (Score:3, Informative)
Re:Phishing (Score:3, Informative)
This has actually been discussed to some extent for years. One method is to only allow domains to be registered or displayed in a single language character set, such that a domain name can use latin characters or greek characters, but not both. This can be enforced at registration or when displayed in the browser (the browser can highlight improper URLs). This does not prevent attacks where the entire spelling of the domain is available in an alternate character set. One solution is for the browser to somehow tell the user what language a URL is written in.
Here is a detailed description of how IE handles this, [msdn.com] and also a w3c page [w3.org] discussing general techniques and different browsers. An interesting note is the possible use of the fraction slash to add fake urls to a domain name. Of course, at the end of the day, standard phishing protection applies to domains which slip through the net.
Re:Phishing just got a lot more interesting (Score:2, Informative)
Re:Dibs! (Score:3, Informative)
Umm, you do realise this was registered in 2005? Such domains already exist and can be registered today.
The technical test is about having Internationalised Domain Names at the top-level, or root, of the DNS. So then you can have
Re:Balkanising the internet? (Score:3, Informative)
IDN encoding is pure ASCII, in a similar way that MIME email attachments are. The protocol layer never sees anything other than letters, numbers and hyphens. All IDN encoded domains are prepended with "xn--" so that end-user interfaces can tell them apart and convert them back and forth.
Re:Maybe not.. (Score:3, Informative)