International URLs Pass First Test

Off the Rails writes "The BBC reports on the results of a successful test of non-ASCII domain names on Internet-equivalent hardware (pdf) carried out last October. The next stage is to plug the system into the net, and if it still works, it could go live sometime next year. 'Early work on the technical feasibility of using non-English character sets suggested that the address system would cope with the introduction of international characters tests were called for to ensure this was the case ... Also needed are policy decisions by Icann on how the internationalised domain names fit in and work with the existing rules governing the running of the address books. Icann is under pressure to get the international domain names working because some nations, in particular China, are working on their own technology to support their own character sets.'"

Re:In practice it means "national" URLs.

[leuk_he]

umlaut is hardly a problem if you set the use keyboard to üs-ïnternätional. But asian/hebrew/arabic/hebrew charcacter are much more difficult to enter... in my expierence.

But you will still be able to click them. IDN support is available in most popular browser (although disbled for security issues.)

Re:Phishing just got a lot more interesting

[slart42]

>Imaging all the new ways to spell bank0famerlca.com.

This is already happening. A common example is the cyrillic lower case "?", which looks almost exactly like the latin "a" in most fonts.

See http://en.wikipedia.org/wiki/IDN_homograph_attack [wikipedia.org] for more information.

Re:Phishing just got a lot more interesting

[colfer]

Preventing that has been part of Mozilla's IDN implementation, and I assume other browsers have addressed (ha) it as well. If a TLD, like .ie, Ireland, has a policy against phishing, and a table of lookalike letters, then Firefox will present the IDN address in the address bar in its own, non-English, language. Otherwise, Firefox displays the address in its IDN-encoded form, which is all ASCII. AFAIK, from reading bug reports on Mozilla, this is already in force.

Re:Phishing

[evought]

This has actually been discussed to some extent for years. One method is to only allow domains to be registered or displayed in a single language character set, such that a domain name can use latin characters or greek characters, but not both. This can be enforced at registration or when displayed in the browser (the browser can highlight improper URLs). This does not prevent attacks where the entire spelling of the domain is available in an alternate character set. One solution is for the browser to somehow tell the user what language a URL is written in.

Here is a detailed description of how IE handles this, [msdn.com] and also a w3c page [w3.org] discussing general techniques and different browsers. An interesting note is the possible use of the fraction slash to add fake urls to a domain name. Of course, at the end of the day, standard phishing protection applies to domains which slip through the net.

Re:Phishing just got a lot more interesting

[colfer]

Here are the references on IDN puny-code spoofing prevention settings in Mozilla. http://kb.mozillazine.org/Network.IDN.blacklist_ch ars [mozillazine.org] http://kb.mozillazine.org/Network.IDN.whitelist.* [mozillazine.org] http://kb.mozillazine.org/Network.enableIDN [mozillazine.org] http://kb.mozillazine.org/Network.IDN_show_punycod e [mozillazine.org] For example. .jp Japan is whitelisted but .ie Ireland is not. There was a debate between people that wanted to disable or hobble IDN/puny-code, for security, and people who wanted to internationalize Mozilla completely. The resulting blacklist/whitelist and configurability was a compromise.

Re:Dibs!

[kimba]

I got dibs on sêx.com!

Umm, you do realise this was registered in 2005? Such domains already exist and can be registered today.

The technical test is about having Internationalised Domain Names at the top-level, or root, of the DNS. So then you can have .sêx rather than .sex.

Re:Balkanising the internet?

[kimba]

My concern would be for all the internet filtering and firewalling software which explicitly only allows ASCII in HTTP headers.

IDN encoding is pure ASCII, in a similar way that MIME email attachments are. The protocol layer never sees anything other than letters, numbers and hyphens. All IDN encoded domains are prepended with "xn--" so that end-user interfaces can tell them apart and convert them back and forth.

Re:Maybe not..

[Petrushka]

Just about any e-mail service should enable the use of non-ascii characters. Any halfway decent e-mail client will; if you're using Thunderbird or Mail or Pegasus, just set the character set to UTF-8; I believe Pine allows UTF-8 too. (Personally I can't imagine any reason for not using UTF-8 as default; I use it all the time, even though almost all of my e-mails are in English.) Most web-interfaces allow it as well: Gmail certainly does, for example; I'm pretty sure Yahoo does.