Re: [alac] Mozilla to switch off IDNs and IRIs.

["Vittorio Bertola" <vb@xxxxxxxxxxxxxx>]

On Mar, 15 Febbraio 2005 13:44, Thomas Roessler disse:
>> Or to modify the recommendations on how IDNs are displayed, so
>> all applications clearly noted that they were showing an IDN.
>> Then, if you weren't expecting an IDN (e.g., when you thought you
>> were looking at paypal.com and saw [IDN=RU]paypal.com), you'd
>> know something was fishy.
>
> I have some doubts about users actually realizing these things -- if
> you just count the warning messages from a browser, then almost all
> for-pay wireless hotspots out there look fishy.  Still, they make
> money.

In Italy, my local telecom provider has just been acquired by a previously
unknown company, whose only business was selling premium telephone numbers
to be then used by spyware/adware to force your modem to dial them up, and
you to pay hundreds of euros in unwanted telephone bills each month
(because you didn't read the notices that your browser was popping up, did
you?). They were making revenues of many million euros per month.

Bottom line: don't rely purely on user education, it won't work for the
masses, not until many years from now.

For the rest... is "I told you" a reasonable comment? I think that having
a purely liberal approach to IDNs, in which everyone can register IDN
strings without any check or equivalence table and then, if there are
problems, you can complain later by using UDRP, will not work in practice.
If the equation "IDNs = security risk" arises (as it's happening now),
people would rather stop the adoption of IDNs or disable them in their
browsers than run this kind of risks. (Look at how many people still don't
trust e-commerce!)
-- 
vb.               [Vittorio Bertola - v.bertola [a] bertola.eu.org]<------
http://bertola.eu.org/  <- Vecchio sito, nuovo toblòg...

>
> Also, this approach won't help against the reverse substitution --
> imagine some Russian domain name where the lowercase cyrillic a is
> replaced by a latin one.
>
>> I'm not sure setting up increasingly complicated tables of what
>> registration blocks what others is the answer.
>
> I agree.
>
> Still, the question is on the table if the "one language per name"
> rule from ICANN's IDN guidelines actually works (or even can work),
> and to what extent it's actually being implemented (or, maybe, to
> what extent it's implementable).
>
>> who just saw the folks behind this IDN attack
>
> Which conference? ;-)
>
> --
> Thomas Roessler · Personal soap box at <http://log.does-not-exist.org/>.
>
>