[RCD] URLs with 8bit chars?

Reindl Harald h.reindl at thelounge.net
Sat Feb 22 16:03:45 CET 2014


On 22.02.2014 15:47, Rimas Kudelis wrote:
> [1] http://en.wikipedia.org/wiki/.%D1%80%D1%84 . Note how this looks hardly readable compared to
> http://en.wikipedia.org/wiki/.рф

and now look exactly what happens if you click on the second one
for a short moment you see in the browser exactly the same as for
the first, technically the second URL doesn't exist

the complete web was and is ASCII in case of domains and URLs
on any low level you only have punycode and ASCII encodings

frankly the idea to allow special chars with technical tricks
in domains was the largest mistake of the last 20 years

what people mostly do not realize is the security impact
frankly i can register a punycode domain for the user
in the addressbar looking like a well known one and use
that for phishing attacks including a valid and accepted
certificate - that is why not that long ago Firefox
switched back to display Punycode as the first attacks
of this sort appeared, now it's again the dangerous way
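
The ASCII forms this message refers to, together with a defender-side check for the look-alike-domain risk it raises, as an added example that is not part of the original post. The function names and the constructed hostnames are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import quote, urlsplit

def wire_form(url):
    """ASCII-only form of a URL: IDNA (punycode) host, percent-encoded path."""
    parts = urlsplit(url)
    host = parts.hostname.encode("idna").decode("ascii")
    return f"{parts.scheme}://{host}{quote(parts.path)}"

def display_label(label):
    """Decode one DNS label from punycode to what an address bar may show."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts of the letters in a label, taken from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def mixed_script_labels(hostname):
    """Labels whose letters come from more than one script.

    Catches mixed-script labels only; a label written entirely in one
    look-alike script passes and needs a confusables table instead.
    """
    shown = [display_label(l) for l in hostname.split(".")]
    return [l for l in shown if len(scripts(l)) > 1]

if __name__ == "__main__":
    # URL quoted in the thread
    print(wire_form("http://en.wikipedia.org/wiki/.рф"))
    # Constructed hostnames: the second contains Cyrillic U+0430 for "a"
    for host in ("example.com", "ex\u0430mple.com".encode("idna").decode()):
        print(host, mixed_script_labels(host))
```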
