Dear RIPE: Please don't encourage phishing

So it's necessary to throw the baby out with the bathwater, and tell them
never to click on a link...

That baby was ugly anyway

brandon

HAHAHA.

My $0.02 on this issue is if the message is rich text I hover over the link
and see where it actually sends me. If I don't know what that link is then
I don't click it. Not sure how long it's going to take, probably a
generation, for people to use some sense before mindlessly clicking on
stuff.

Banks and businesses that keep sensitive information in a protected area on
the web for you should start sending messages in PLAIN TEXT so you have to
copy/paste the link if you don't already have it bookmarked or don't want
to type it. Sure it's not all flashy and there's no nice pictures and junk
but if you get an email from your bank that's not in plain text and
contains hyperlinks then you'll know it's fake before you even read it.

My $0.02 on this issue is if the message is rich text I hover over the link
and see where it actually sends me.

idn has made this unsafe

randy

Randy Bush wrote:

My $0.02 on this issue is if the message is rich text I hover over the link
and see where it actually sends me.

idn has made this unsafe

I pointed it out at IETF Munich in 1997 with an example of:

  MICROSOFT.COM

where 'C' of MICROSOFT is actually a Cyrillic character.

But people insisted on working on useless IDN.

            Masataka Ohta

Oh really? How about trying this.... Go to Google and search "is my url safe":
http://www.google.com/search?q=is+my+url+safe

Now hover over that second link reportedly to faq.ssl.com and look at what
your browser reports:
http://faq.ssl.com/article.aspx?id=10068

Now look at the page code or copy/paste the URL somewhere else... Where does
that link really go?
....
http://www.google.com/url?q=http://faq.ssl.com/article.aspx%3Fid%3D10068&sa=U&ei=JcI1T_DRKJDXiAKauoSvCg&ved=0CBgQFjAB&usg=AFQjCNHSmrhtgWQczEe1j0LhdMdUW5x4LA

So much for looking at what mouse-over shows....

Adrian
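Adrian's "look at the page code" check, worked through as an added Python example (not code from the thread): it pulls every anchor's visible text and href out of the HTML, unwraps the google.com/url redirector, and reports where each link first goes and where it finally lands. The HTML is constructed for the example: the first anchor carries the redirect URL pasted above, the others are invented; the REDIRECTORS table is an assumption and covers only the one redirector seen in the thread. Google's status-bar swap happens in JavaScript on mouse-down and is not modelled here; the example works from the href in the page source, which is what the message says to inspect.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Redirectors that carry the real destination in a query parameter, keyed by
# (host, path) -> parameter name. Assumption: constructed for this example and
# covering only the redirector seen in the thread.
REDIRECTORS = {
    ("www.google.com", "/url"): "q",
    ("google.com", "/url"): "q",
}

# Constructed page: the first anchor carries the redirect URL from the thread,
# the second is an invented link whose text and href name different hosts,
# the third makes no claim about its destination at all.
SAMPLE_HTML = """
<p>Results for <b>is my url safe</b>:</p>
<a href="http://www.google.com/url?q=http://faq.ssl.com/article.aspx%3Fid%3D10068&amp;sa=U&amp;ei=JcI1T_DRKJDXiAKauoSvCg&amp;ved=0CBgQFjAB&amp;usg=AFQjCNHSmrhtgWQczEe1j0LhdMdUW5x4LA">
  faq.ssl.com/article.aspx?id=10068</a>
<a href="http://www.example.net/login">https://www.example.com/login</a>
<a href="http://www.example.net/help">Click here</a>
"""


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser already unescapes &amp; in attribute values.
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def unwrap_redirect(url, depth=5):
    """Follow known redirector parameters until a URL that is not a redirector."""
    for _ in range(depth):
        parts = urlparse(url)
        param = REDIRECTORS.get((parts.hostname, parts.path))
        if param is None:
            return url
        inner = parse_qs(parts.query).get(param)
        if not inner:
            return url
        url = inner[0]  # parse_qs has already percent-decoded %3F and %3D
    return url


def host_of(text_or_url):
    """Host named by a URL, or by link text that looks like one ('' if it doesn't)."""
    s = text_or_url.strip()
    if " " in s or "." not in s:
        return ""
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def check_link(text, href):
    """Compare what the reader sees with the first hop and the final destination."""
    final = unwrap_redirect(href)
    shown = host_of(text)
    return {
        "shown": shown,
        "href_host": host_of(href),
        "final_host": host_of(final),
        "final_url": final,
        "redirected": final != href,
        # Only a mismatch when the text actually claims a host.
        "mismatch": shown != "" and shown != host_of(final),
    }


def analyze_page(html):
    return [check_link(text, href) for text, href in extract_links(html)]


if __name__ == "__main__":
    for result in analyze_page(SAMPLE_HTML):
        print(result)
```

The first link is reported as redirected but not mismatched: the href goes to google.com, the unwrapped target is faq.ssl.com, which is what the text claims. The second link is the phishing shape, text naming one host and the href another. A link with no host in its text ("Click here") cannot mismatch, so the check only tells you about links that make a claim.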

Only if you find a way to keep more idiots from being born. :slight_smile:

I don't think anybody wants to go there. At least not on this list.

Unfortunately that's not under control of those businesses. This plain text email you sent comes across with clickable mailto and http links in your signature in most modern email clients despite you having sent it in plain text. "Helpful" email program defaults won't force people to copy and paste the URL. They just create the hyperlink for people based on the pattern in the plain text message. It seems anything beginning with www or http(s):// will be converted to a clickable link out of convenience to the user. It's always that endless struggle of security vs. convenience...

-Vinny

Techniques to deal with this sort of spoofing already exist: see

http://www.mozilla.org/projects/security/tld-idn-policy-list.html

for one quite effective approach.

-- Neil

My $0.02 on this issue is if the message is rich text I hover over the link
and see where it actually sends me.

idn has made this unsafe

Techniques to deal with this sort of spoofing already exist: see
IDN Display Algorithm - MozillaWiki
for one quite effective approach.

and grandma is gonna use this? with internet exploder or safari?

let's try to remember that there are normal human beings on the net
these years (bummer that, eh?), and this list is kind of about serving
them.

randy

The internet was way cooler before that

chris

Yes, and a lot of us could run open relays on our SMTP servers to help each other out, and a full usenet feed fit on a plain ol' 9600 baud link.

But no way I could have at home the kind of bandwidth I can get today for a very reasonable price, and so on.

-jav

>>>> My $0.02 on this issue is if the message is rich text I hover over the link
>>>> and see where it actually sends me.
>>> idn has made this unsafe
> Techniques to deal with this sort of spoofing already exist: see
> IDN Display Algorithm - MozillaWiki
> for one quite effective approach.

Nice. Basically, unless the TLD registrar has a public policy that basically says
"We don't allow names with cyrillic C to collide with MICROSOFT", their hostnames
all get displayed as xn--gobbledygook.

(The actual policy for the .UA registrar is more subtle. They *do* in fact
allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph
users. However, they require at least one character that's visually unique to
Cyrillic in the domain name. They also don't allow mixed Cyrillic/Latin
scripts in one domain name). Or so Hostmaster LLC | IDN domains
tells me after Google Translate gets done with it. :wink:

and grandma is gonna use this? with internet exploder or safari?

If the manufacturers of IE and Safari can't come up with a similar policy,
then the people at Mozilla can use "We protect you from malicious names"
as a marketing differentiation feature.

Unfortunately that's not under control of those businesses. This plain text
email you sent comes across with clickable mailto and http links in your
signature in most modern email clients despite you having sent it in plain
text. "Helpful" email program defaults won't force people to copy and paste
the URL. They just create the hyperlink for people based on the pattern in
the plain text message. It seems anything beginning with www or http(s)://
will be converted to a clickable link out of convenience to the user. It's
always that endless struggle of security vs. convenience...

At least it is what is says, and the effect is precisely the same as if one copied and pasted the link into the browser.

What is truly evil is non text/plain email. Anyone who permits or assists in the rendering of non-plaintext email deserves whatever befalls them -- and they should not be permitted zero-liability for their stupidity and ignorance.

The end-user is of course entitled to cross-claim against the manufacturer of the defective system or device which rendered the message in a deceptive way (such as Dell and Microsoft in particular).

Neil Harris wrote:

Techniques to deal with this sort of spoofing already exist: see

IDN Display Algorithm - MozillaWiki

It does not make sense that .COM allows Cyrillic characters:

http://www.iana.org/domains/idn-tables/tables/com_cyrl_1.0.html

if the script of a domain name is Cyrillic.

Domain names do not have such property as script.

Is the following domain name:

  CCC.COM

Latin or Cyrillic?

for one quite effective approach.

The only reasonable thing to do is to disable so called
IDN.

          Masataka Ohta

PS

Isn't it obvious from the page you referred that IDN is
not internationalization but an uncoordinated
collection of poor localizations?

(The actual policy for the .UA registrar is more subtle. They *do* in fact
allow "U+0441 Cyrillic Small Letter ES" which is visually a C to us Latin-glyph
users. However, they require at least one character that's visually unique to
Cyrillic in the domain name.

Unique within what?

Is a Cyrillic character, which looks like Latin E with diaeresis,
a unique Cyrillic character?

Is "CYRILLIC CAPITAL LETTER GHE", which looks like Greek Gamma,
a unique Cyrillic character?

Is Greek Gamma, which looks like "CYRILLIC CAPITAL LETTER GHE",
a unique Greek character?

They also don't allow mixed Cyrillic/Latin
scripts in one domain name).

Is a Russian word containing no unique (unique to ASCII)
Cyrillic characters encoded as Latin characters using ASCII,
even though a Russian word containing unique (whatever unique
means) Cyrillic characters is encoded as Cyrillic characters?

It is obvious that such a confused scheme encourages phishing
a lot.

If the manufacturers of IE and Safari can't come up with a similar policy,
then the people at Mozilla can use "We protect you from malicious names"
as a marketing differentiation feature.

The only protection is to disable IDN.

          Masataka Ohta
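The whitelist approach described above (Unicode only for labels under a TLD with a public anti-spoofing policy, xn-- otherwise), together with the CCC.COM question and the objection to "unique Cyrillic characters", worked through as an added Python example. This is not Mozilla's code and not anything from the thread. The standard library has no Unicode Script property, so the script of a letter is approximated from the first word of its Unicode name; the Cyrillic look-alike table and the TLD whitelist are constructed for the example (.com is left out, matching the thread); the A-label/U-label conversion is the idna codec's.

```python
import unicodedata

# Constructed subset of Cyrillic letters whose usual glyph matches a Latin
# letter. Assumption: a hand-written table for illustration, not the full
# Unicode confusables data.
CYRILLIC_LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}

# Hypothetical per-TLD whitelist standing in for the Mozilla list.
# Assumption: contents chosen for the example; .com is deliberately absent.
IDN_DISPLAY_WHITELIST = {"ua", "de", "jp"}


def script_of(ch):
    """Approximate the Unicode Script property from the character name.

    "LATIN SMALL LETTER M" -> LATIN, "CYRILLIC SMALL LETTER ES" -> CYRILLIC.
    Digits, hyphens and other non-letters count as COMMON.
    """
    if not ch.isalpha():
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def to_alabel(label):
    """IDNA-encode one label into the xn-- form browsers fall back to."""
    return label.lower().encode("idna").decode("ascii")


def to_ulabel(label):
    """Decode one xn-- label; anything else comes back unchanged."""
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def analyze_label(label):
    """Report the script mix of one label and whether it could pass as Latin."""
    u = to_ulabel(label).lower()
    letters = [c for c in u if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    return {
        "unicode": u,
        "alabel": to_alabel(u),
        "scripts": scripts,
        # Two scripts in one label: Latin MICROSOFT with a Cyrillic C.
        "mixed": len(scripts) > 1,
        # Every letter is a Cyrillic look-alike of a Latin one: CCC.COM.
        "whole_script_lookalike": bool(letters)
        and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters),
        # What a reader of Latin script would take the label for.
        "looks_like": "".join(CYRILLIC_LATIN_LOOKALIKES.get(c, c) for c in u),
    }


def display_name(hostname):
    """Whitelist policy: Unicode only for single-script labels under a
    whitelisted TLD, otherwise the xn-- A-label."""
    labels = hostname.lower().split(".")
    tld = labels[-1]
    shown = []
    for label in labels:
        info = analyze_label(label)
        if info["unicode"].isascii():
            shown.append(info["unicode"])
        elif tld in IDN_DISPLAY_WHITELIST and not info["mixed"]:
            shown.append(info["unicode"])
        else:
            shown.append(info["alabel"])
    return ".".join(shown)


if __name__ == "__main__":
    for name in ("MI\u0421ROSOFT.COM", "\u0421\u0421\u0421.COM", "\u0421\u0421\u0421.UA"):
        print(name, "->", display_name(name), analyze_label(name.split(".")[0]))
```

MICROSOFT with a Cyrillic C is a mixed-script label and is shown as xn-- under every TLD. The all-Cyrillic CCC is not mixed, so under .com it is still shown as xn-- only because .com is not whitelisted; under a whitelisted TLD the browser shows it in Unicode and relies on the registry's own rule (the .UA "at least one uniquely Cyrillic character" requirement) to have refused it. That division of labour is exactly what the objections above target: the whole_script_lookalike flag is the client-side check the whitelist approach does not make.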

Nice. Basically, unless the TLD registrar has a public policy that basically says
"We don't allow names with cyrillic C to collide with MICROSOFT", their hostnames
all get displayed as xn--gobbledygook.

More or less. ICANN has been wrestling with the lookalike character
issue in domain names for about a decade. I think it's fair to say
that everyone agrees that all solutions are less than totally
satisfactory.

R's,
John

I'm not a flag-waver for IDN, so much as a proponent of ways to make IDN
safer, given that it already exists.

Lots of people have thought about this quite carefully. See RFC 4290 for
a technical discussion of the thinking behind this policy, and RFC 5992
for a policy mechanism designed to resolve the problem you raised in
your example above.

You will notice that the .com domain does not appear on the Mozilla IDN
whitelist.

-- N.

yes, domain names that cannot be typed in with any keyboard/charset on any computer out there, excellent idea, divide and conquer, i wonder who came up with that idiotic plan again, probably the ITU or one of their infiltrators in icann.

how about, we simply don't code any software or adjust any platforms to support it, if nobody uses it, no problem :stuck_out_tongue:

(or just deliberately break it as it's nothing more than a "divide and conquer" attempt of the UN anyway :wink:

as if it wasn't annoying enough already that some n00bs are using URIs with characters you can't type in (and in most cases don't even display correctly), icann has a better idea! hostnames you can't type in!

all those struggling regimes that want to keep local control over our internets are gonna be so proud of them :stuck_out_tongue:

(and that despite the fact that it's perfectly well possible to write -any language out there- in the first 7 bits of ascii)

yay, a step back in time, everyone back to their cave and write on the wall with a piece of stone in characters nobody can read!

so far for progress...

we used to develop stuff so that people could communicate with one another, whatever went wrong, when did it move to "preventing people from communicating with one another"...

i don't have keyboards with a million or so keys on it, do you?

and no, i don't know the alt-codes for weird russian or japanese crap.

if we wanted local shit only, we could just have stuck with tv and radio and telephones and fax machines.

so; we're not implementing any of that, we'll deliberately make any software we produce go nuts on it and cause errors all over the place, and we strongly urge any nerd out there to do exactly the same.

And it's *equally* possible to write "any language out there" using a
7-bit encoding of the Cyrillic character set.

Let me know how you'd enjoy doing that.

Oh, that would suck because Cyrillic isn't very similar to your native
character set? Welcome to the way the vast majority of the world feels.