Hello Reindl,
2014.02.22 17:03, Reindl Harald wrote:
Am 22.02.2014 15:47, schrieb Rimas Kudelis:
[1] http://en.wikipedia.org/wiki/.%D1%80%D1%84 . Note how this looks hardly
readable compared to
http://en.wikipedia.org/wiki/.рф
and now look exactly what happens if you click on the second one
for a short moment you see in the browser exactly the same a for
the first, technically the second URL don't exist
the complete web was and is ASCII in case of domains and URLs
on any lowlevel you only have punnycode and ASCII ecnodings
frankly the idea to allow special chars with technical tricks
in domains was the largest mistake of the last 20 years
what people mostly do not realize is the security impact
frankly i can register a punnycode domain for the user
in the addressbar looking like a well known one and use
that for phising attacks including a valid and accepted
certificate - that is why not that long ago Firefox
switched back to display Punnycode as the first attacks
of this sort appeared, now it's again the dangerous way
of course, security is important. But it's not the only thing that
matters. HTML e-mails were, and perhaps still are, considered insecure,
but Roundcube supports them and takes every precaution it can to avoid
these security issues. With browsers and unicode domains, the case is
somewhat similar: when there is no regulation, issues you are talking
about might of course arise. That's why many TLD registries have
implemented strict rules on which Unicode characters are and which
aren't allowed in domain names registered under particular TLD's. For
example, in Lithuanian (.lt) zone, only these IDN's are allowed, which
are composed of "usual" ASCII and specific Lithuanian letters, but not
anything else. You cannot register a domain name containing a Cyrillic
letter under .lt zone. IIRC, browsers have whitelists of such zones and
they don't blindly enable punycode for all zones, but only for specific
ones, which enforce such strict rules.
Rimas
_______________________________________________
Roundcube Development discussion mailing list
[email protected]
http://lists.roundcube.net/mailman/listinfo/dev
