At 1:14 PM +0100 2/23/09, Jean-Marc Desperrier wrote:
>Paul Hoffman wrote:
>>TLD registries ask which language a name is in; some then do some
>>filtering based on what characters they think are used by particular
>>languages. This is far from a science and fails miserably for most
>>European languages.
>
>If it fails, then report it to secur...@mozilla.org as per the policy here:
>http://www.mozilla.org/projects/security/tld-idn-policy-list.html

Jean-Marc, you have fallen for Gerv's wishful thinking and security theater. 
There are multiple TLDs on that list that have policies that say *nothing* 
about preventing homograph spoofing.

>If the failure is confirmed and not solvable, then i18n should be disabled for 
>that TLD.

The failure listed on that page does not match the policies listed for the 
TLDs. That is, if a TLD never said that they had a policy relating to confusing 
homographs, just that it had a policy of some sort, there is nothing to report. 
Note how few even list the allowed characters (and, in one important case, the 
character list does not exist at the URL given).

>If you feel your report gets wrongly ignored or that mozilla.org acknowledges 
>it but fails to take proper action to disable i18n for that TLD, then feel 
>free to report it on the mozilla.dev.security newsgroup/mailing-list.

You completely misunderstood my message: the failure is in Mozilla thinking 
that asking a registrant to say what language they are registering in will 
achieve any significant security. I laugh along with Eddy on this.

>But don't complain that the current system doesn't work and that mozilla.org 
>does nothing about it, without precisely explaining how it fails and without 
>giving to mozilla.org an opportunity to correct the problem.

I didn't say "mozilla.org does nothing about it": you are doing something about 
it. You're tenaciously sticking to a silly bit of security theater that makes 
the users' experience worse. To me, that's a failure, but it seems like you 
think that it is worth it.

Again: it is not clear how you can say that www.éxample.com is unsafe but 
www.éxample.org is safe given what is said on that page.

--Paul Hoffman
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
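Added illustration of the point argued above (not code from the thread or from Mozilla): a per-TLD whitelist decides only whether an IDN label is shown as Unicode or as punycode, so the same label gets different treatment under two TLDs while a diacritic-stripping comparison shows both are equally confusable with the ASCII name. The whitelist contents below are an assumption for the demo, not the real list at the URL quoted above.

```python
import unicodedata

# Constructed policy table for the demo: TLDs whose registry Mozilla-style display
# logic would treat as "has an IDN policy" (assumption: .org listed, .com not).
IDN_WHITELIST = {"org"}


def to_ace(label: str) -> str:
    """Convert one hostname label to its ASCII-compatible (punycode) form."""
    return label.encode("idna").decode("ascii")


def display_form(hostname: str) -> str:
    """Mimic the per-TLD rule: Unicode if the TLD is whitelisted, else punycode.

    The decision never looks at the characters in the label itself.
    """
    labels = hostname.split(".")
    tld = labels[-1].lower()
    if tld in IDN_WHITELIST:
        return hostname
    return ".".join(to_ace(label) for label in labels)


def skeleton(label: str) -> str:
    """Crude confusable check: drop combining marks so 'éxample' -> 'example'."""
    decomposed = unicodedata.normalize("NFD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def confusable_with(label: str, ascii_label: str) -> bool:
    """True when the label looks like the ASCII label once diacritics are removed."""
    return label != ascii_label and skeleton(label) == ascii_label


if __name__ == "__main__":
    for host in ("www.éxample.com", "www.éxample.org"):
        label = host.split(".")[1]
        print(host, "->", display_form(host),
              "| confusable with 'example':", confusable_with(label, "example"))
```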
