Hello Reindl,
2014.02.22 17:03, Reindl Harald wrote:
Am 22.02.2014 15:47, schrieb Rimas Kudelis:
[1] http://en.wikipedia.org/wiki/.%D1%80%D1%84 . Note how this looks hardly readable compared to http://en.wikipedia.org/wiki/.%D1%80%D1%84
and now look exactly what happens if you click on the second one for a short moment you see in the browser exactly the same a for the first, technically the second URL don't exist
the complete web was and is ASCII in case of domains and URLs on any lowlevel you only have punnycode and ASCII ecnodings
frankly the idea to allow special chars with technical tricks in domains was the largest mistake of the last 20 years
what people mostly do not realize is the security impact frankly i can register a punnycode domain for the user in the addressbar looking like a well known one and use that for phising attacks including a valid and accepted certificate - that is why not that long ago Firefox switched back to display Punnycode as the first attacks of this sort appeared, now it's again the dangerous way
of course, security is important. But it's not the only thing that matters. HTML e-mails were, and perhaps still are, considered insecure, but Roundcube supports them and takes every precaution it can to avoid these security issues. With browsers and unicode domains, the case is somewhat similar: when there is no regulation, issues you are talking about might of course arise. That's why many TLD registries have implemented strict rules on which Unicode characters are and which aren't allowed in domain names registered under particular TLD's. For example, in Lithuanian (.lt) zone, only these IDN's are allowed, which are composed of "usual" ASCII and specific Lithuanian letters, but not anything else. You cannot register a domain name containing a Cyrillic letter under .lt zone. IIRC, browsers have whitelists of such zones and they don't blindly enable punycode for all zones, but only for specific ones, which enforce such strict rules.
Rimas