[RCD] URLs with 8bit chars?

Rimas Kudelis rq at akl.lt
Sat Feb 22 20:36:04 CET 2014


Hello Reindl,

2014.02.22 17:03, Reindl Harald wrote:
> Am 22.02.2014 15:47, schrieb Rimas Kudelis:
>> [1] http://en.wikipedia.org/wiki/.%D1%80%D1%84 . Note how this looks hardly readable compared to
>> http://en.wikipedia.org/wiki/.рф
> and now look exactly what happens if you click on the second one
> for a short moment you see in the browser exactly the same as for
> the first, technically the second URL doesn't exist
>
> the complete web was and is ASCII in the case of domains and URLs
> on any low level you only have punycode and ASCII encodings
>
> frankly the idea to allow special chars with technical tricks
> in domains was the largest mistake of the last 20 years
>
> what people mostly do not realize is the security impact
> frankly i can register a punycode domain for the user
> in the addressbar looking like a well known one and use
> that for phishing attacks including a valid and accepted
> certificate - that is why not that long ago Firefox
> switched back to display punycode as the first attacks
> of this sort appeared, now it's again the dangerous way

Of course, security is important. But it's not the only thing that 
matters. HTML e-mails were, and perhaps still are, considered insecure, 
but Roundcube supports them and takes every precaution it can to avoid 
these security issues. With browsers and Unicode domains, the case is 
somewhat similar: when there is no regulation, the issues you are talking 
about might of course arise. That's why many TLD registries have 
implemented strict rules on which Unicode characters are and which 
aren't allowed in domain names registered under particular TLDs. For 
example, in the Lithuanian (.lt) zone, only those IDNs are allowed which 
are composed of "usual" ASCII and specific Lithuanian letters, but not 
anything else. You cannot register a domain name containing a Cyrillic 
letter under the .lt zone. IIRC, browsers have whitelists of such zones and 
they don't blindly enable punycode for all zones, but only for specific 
ones, which enforce such strict rules.

Rimas
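The two ideas in this exchange (percent-encoded vs. raw Unicode paths, and punycode display gated by a per-zone character table) as an added example in Python's standard library; this is not code from the thread or from Roundcube. The .lt and .рф character tables below are assumptions for the example, not the registries' official IDN tables, and the script-mixing fallback is an assumed browser heuristic.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

def script_of(ch: str) -> str:
    """Script bucket from the Unicode name ('LATIN', 'CYRILLIC', ...);
    digits and '-' are 'COMMON' and never count as a second script."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

# Registry-style character tables, keyed by the punycode form of the TLD.
# These sets are ASSUMPTIONS for this example, not the registries' official
# IDN tables: .lt = ASCII plus nine Lithuanian letters, .рф = Cyrillic only.
TLD_TABLE = {
    "lt": lambda ch: ch.isascii() or ch in "ąčęėįšųūž",
    "xn--p1ai": lambda ch: script_of(ch) in ("CYRILLIC", "COMMON"),
}

def to_ascii(host: str) -> str:
    """IDNA-encode: every non-ASCII label becomes an xn-- punycode label."""
    return host.lower().encode("idna").decode("ascii")

def to_unicode(ascii_host: str) -> str:
    """Inverse of to_ascii; what a browser shows when it trusts the name."""
    return ascii_host.encode("ascii").decode("idna")

def display_form(host: str) -> tuple[str, str]:
    """Decide whether to show the Unicode or the punycode form of a host.
    Returns (form_to_display, reason)."""
    ascii_host = to_ascii(host)
    uni_host = to_unicode(ascii_host)
    tld = ascii_host.rsplit(".", 1)[-1]
    allowed = TLD_TABLE.get(tld)
    for label in uni_host.split(".")[:-1]:
        if allowed is not None:
            bad = [ch for ch in label if not allowed(ch)]
            if bad:
                return ascii_host, f"{label!r}: {bad} not in .{tld} table"
        # Script-mixing heuristic applied to every zone (assumed browser
        # behaviour): Latin and Cyrillic in one label is a homograph risk.
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if len(scripts) > 1:
            return ascii_host, f"{label!r} mixes scripts {sorted(scripts)}"
    return uni_host, "ok"

def same_path(url_a: str, url_b: str) -> bool:
    """True when two URLs differ only in percent-encoding of the path,
    as the two Wikipedia links in the thread do."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc, unquote(a.path)) == (b.scheme, b.netloc, unquote(b.path))
```

A label that fails its zone's table, or mixes Latin and Cyrillic, is shown in its xn-- form; a label that passes is shown as Unicode.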

