Mozilla Foundation has announced changes to Firefox concerning Internationalized Domain Names (IDN) to deal with homograph spoofing attacks. According to the organization, "Mozilla Foundation products now only display IDNs in a whitelist of TLDs, which have policies stating what characters are permitted, and procedures for making sure that no homographic domains are registered to two different entities."
Does anyone else think that it's not the job of a web browser to do
this? The web browser shouldn't even know about IDN details. The
system's resolver library should convert non-ASCII labels to the
Punycode representation when sending queries, and convert back
after receiving responses!
Otherwise how can all my applications support IDN?
It seems like a lot of work to do and much opportunity for it to be
done inconsistently from application to application. This shim layer
will have to be inserted into every application from ping on up.
But it looks like there's a library ( http://www.gnu.org/software/libidn/ )
that is quite popular, so there is hope for a single point of management
where such things as this Mozilla whitelist need to be updated.
The fewer headaches there are with support cases where users can't see
decoded IDNs when they should or can see decoded IDNs when it might be
dangerous, due to out of date whitelists, the better.
Does anyone else think that it's not the job of a web browser to do
this? The web browser shouldn't even know about IDN details. The
system's resolver library should convert non-ASCII labels to the
Punycode representation when sending queries, and convert back
after receiving responses!
Otherwise how can all my applications support IDN?
Because we currently have IDNA, and "A" stands for "applications".
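
Added example, not part of the thread and not Mozilla's code: a sketch of the display policy quoted in the announcement, where a hostname is shown in Unicode only if its TLD is on a whitelist and is otherwise left in Punycode. It uses Python's built-in "idna" codec (IDNA 2003); the whitelist contents and the function names are assumptions made up for illustration.

```python
# Added illustration of a TLD-whitelist display policy for IDNs.
# Uses Python's built-in "idna" codec (IDNA 2003), not Mozilla's code.

# Constructed whitelist, in ASCII form; NOT Mozilla's actual list.
SAMPLE_IDN_TLD_WHITELIST = frozenset({"de", "jp"})


def to_ascii(hostname: str) -> str:
    """Return the ASCII (Punycode, "xn--") form of a hostname."""
    try:
        return hostname.encode("idna").decode("ascii").lower()
    except UnicodeError as exc:
        raise ValueError(f"not a valid IDNA hostname: {hostname!r}") from exc


def display_form(hostname: str, whitelist=SAMPLE_IDN_TLD_WHITELIST) -> str:
    """Return the string a UI should show for hostname.

    Unicode is shown only when the TLD is whitelisted; everything else
    stays in Punycode so look-alike characters are visible as "xn--".
    """
    ascii_name = to_ascii(hostname)
    tld = ascii_name.rstrip(".").rpartition(".")[2]
    if tld not in whitelist:
        return ascii_name
    try:
        return ascii_name.encode("ascii").decode("idna")
    except UnicodeError:
        # Malformed "xn--" label: fall back to the raw ASCII form.
        return ascii_name


if __name__ == "__main__":
    # Constructed sample names.
    for name in ("bücher.de", "bücher.com", "xn--bcher-kva.de", "example.com"):
        print(f"{name!r:22} -> {display_form(name)!r}")
```

The whitelist only records which registries are trusted; the second half of the quoted policy, that a registry never hands homographic names to two different entities, cannot be checked in client code.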