Most people will have come across the IDN vulnerability in Mozilla and other browsers, where www.pаypal.com was registered, with the first “a” actually being a Unicode character, а, that looks like an “a”.
I think Mozilla should fix this by displaying non-ASCII characters in the Location bar in red. So http://www.pаypal.com/ would actually look like http://www.pаypal.com/. This isn’t unfair to non-ASCII users, since their URLs won’t look weird; an entirely Russian URL would be entirely in red, and therefore wouldn’t stand out.
On I wrote Fixing the IDN problem in Mozilla, on the subject of Musings and Software.
Unfortunately there are IDNs consisting entirely of non-ASCII characters that are still phishing attacks (because there are correspondences outside ASCII).
Also, even simple names like www.thérèse.me.uk fail your test…
Also, something is buggered up there….
“Also, even simple names like www.thérèse.me.uk fail your test…” is what I see having posted that….
Gah!
Senji: hm. So, I am not right, then. Sadly, it worked when I did it, so I don’t know what I’m doing wrong…
I suggested this last month as a solution. Obviously not enough important people read my blog :(
mrben: The reason I preferred my solution to yours is that yours just says “something is weird about this URL” without telling you what the weird thing is…
Hmm, and as a result of the bogosity that’s ended up in my comment your page contains some invalid UTF-8. Hmm…
In the first comment you appear to have gained an 0xC2 in the middle of both multi-byte characters, in the second one it’s even more complicated.
Second thought: an IDN will, in general, be entirely composed of non-ASCII characters. Yes, yes, I know that it’s entirely possible that Valve will register HλLF-LIFE.com or similar, but I think that it’s reasonable to say: if you’re visiting an IDN with a mix of ASCII and non-ASCII characters, pop up an alert. Something like the “you are about to log into site N with username X” alert you get with username:password@domain URLs.
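
The two checks proposed in this thread (marking non-ASCII characters, and alerting when ASCII and non-ASCII are mixed), as an added example that is not part of the original post or comments. The function names, the bracket markup standing in for red text, and the choice to test each dot-separated label on its own are assumptions; the sample hostnames are constructed.

```javascript
// Added example: per-label check for hostnames that mix ASCII letters with
// non-ASCII characters. Names and the [x] markup are assumptions.

const ASCII_LETTER = /^[a-z]$/i;

// Classify one DNS label (the text between dots).
function inspectLabel(label) {
  let asciiLetters = 0;
  let nonAscii = 0;
  let marked = "";
  // for...of iterates by code point, so astral characters stay intact.
  for (const ch of label) {
    if (ch.codePointAt(0) > 0x7f) {
      nonAscii++;
      marked += "[" + ch + "]"; // stands in for red text in the Location bar
    } else {
      if (ASCII_LETTER.test(ch)) asciiLetters++; // digits and "-" are neutral
      marked += ch;
    }
  }
  return { label, marked, mixed: asciiLetters > 0 && nonAscii > 0 };
}

// Inspect a whole hostname; warn if any single label is mixed.
function inspectHost(host) {
  const labels = host.split(".").map(inspectLabel);
  return {
    marked: labels.map((l) => l.marked).join("."),
    warn: labels.some((l) => l.mixed),
  };
}

// Constructed sample hostnames (escapes keep the non-ASCII characters visible).
const samples = [
  "www.paypal.com",                           // plain ASCII
  "www.p\u0430ypal.com",                      // U+0430 CYRILLIC SMALL LETTER A
  "www.th\u00e9r\u00e8se.me.uk",              // legitimate accented name
  "\u043f\u0440\u0438\u043c\u0435\u0440.com", // all-Cyrillic label
  "h\u03bblf-life.com",                       // U+03BB GREEK SMALL LETTER LAMDA
];
for (const host of samples) {
  const r = inspectHost(host);
  console.log(r.warn ? "WARN" : "ok  ", r.marked);
}
```

The accented sample triggers the warning and the all-Cyrillic label does not, which are the two objections raised in the comments above.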