On Fri, Dec 16, 2022 at 01:18:12PM -0500, Timothe Litt via curl-library wrote:
> And/or the callback registration could specify "all domain names", "Just IDN"
> -
The browsers (at least Firefox) do something subtle but pretty useful for avoiding spoofing. Based on the name registration policies of the TLD being used, they either show the IDN as expected in the URL bar, or just show the ugly punycode version of the name. TLDs with policies that forbid names that could lead to confusion (homographic attacks) get the desired behaviour (of seeing the IDN name), but those without policies, or with policies that could lead to confusion, get the punycode version, making it obvious that some spoofing may have gone on to get you to that web page. Mozilla's original policy can be seen here: https://www-archive.mozilla.org/projects/security/tld-idn-policy-list

They've amended that policy since to allow displaying IDN in some cases even on those TLDs with bad or nonexistent policies. This only happens if all the characters in the TLD come from the same script. If a TLD mixes, for example, Cyrillic and Latin characters, it's displayed as punycode, but all Cyrillic is shown in all its Unicode glory. The idea is that people (who can read that script) will recognize the different characters within that script and be able to tell them apart, and there won't be any mixing of similar-looking characters within a single domain name. That policy can be seen at https://wiki.mozilla.org/IDN_Display_Algorithm

Lots of thought has been given to this problem already (Mozilla seems to have implemented the first policy 17 years ago), and curl could take advantage of that. But, since it's not a browser, it can't use the same means of notifying the user (displaying punycode in the URL bar), but some viable alternatives to that have already been brought up here.

Dan
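The mixed-script rule described above, as an added example that is not from the thread or from curl or Mozilla: each label is decoded from its A-label, the scripts of its characters are derived from the Unicode character names (a simplification; Mozilla's real algorithm also whitelists combinations such as Han with Hiragana and Katakana), and a label that mixes scripts is shown as punycode while a single-script label is shown as Unicode.

```python
import unicodedata

# Characters that belong to no particular script and are legal in hostnames.
SCRIPT_NEUTRAL = set("-0123456789")


def script_of(ch: str):
    """Heuristic script name: the first word of the Unicode character name,
    e.g. 'LATIN SMALL LETTER A' -> 'LATIN', 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'."""
    if ch in SCRIPT_NEUTRAL:
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def to_unicode_label(label: str) -> str:
    """Decode an A-label (xn--...) to its U-label; pass other labels through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def to_alabel(label: str) -> str:
    """Encode a U-label to its punycode A-label (ASCII labels are unchanged)."""
    return label.encode("idna").decode("ascii")


def is_mixed_script(ulabel: str) -> bool:
    """True if the label's letters come from more than one script."""
    scripts = {s for s in map(script_of, ulabel) if s is not None}
    return len(scripts) > 1


def display_label(label: str) -> str:
    """Mozilla-style display choice for one label: Unicode when single-script,
    punycode when scripts are mixed (the homograph case the post describes)."""
    ulabel = to_unicode_label(label)
    return to_alabel(ulabel) if is_mixed_script(ulabel) else ulabel


def display_hostname(host: str) -> str:
    """Apply the per-label rule to every label of a hostname."""
    return ".".join(display_label(label) for label in host.split("."))


if __name__ == "__main__":
    # Constructed samples: an all-Cyrillic label, an all-Latin one, and a
    # Latin label with a Cyrillic 'а' (U+0430) substituted for the Latin 'a'.
    for host in ("пример.com", "curl.se", "p\u0430ypal.com"):
        print(f"{host!r} -> {display_hostname(host)!r}")
```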