Mozilla Drops Support for International Domains

[domainscot]

http://slashdot.org/article.pl?sid=05/02/15/1922215&from=rss

Posted by Zonk on Tuesday February 15, @03:06PM
from the that-was-easy dept.
tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

 

[datat]

Damm - Thats an other load of domains that will never sell.

I guess it had to go one way or the other. Very few ever get type ins.

Unless IE bring out an idn browser - which I guess a lot are hoping for.

 

[rawkinrich]

This ain't good.

 

[dtobias]

As far as I am aware, this is just a temporary move on their part until they figure out a more robust manner of dealing with the issue by reenabling IDN support with some sort of on-screen warning in cases where a use of IDNs might represent a phishing attack.

 

[rawkinrich]

As far as I am aware, this is just a temporary move on their part until they figure out a more robust manner of dealing with the issue by reenabling IDN support with some sort of on-screen warning in cases where a use of IDNs might represent a phishing attack.

Can't agree more.

IDN's can be very good, but can also be very bad - a system needs to be sorted for browsers to either determine this or warn a user about the domain.

 

[Rubber Duck]

Can't agree more.

IDN's can be very good, but can also be very bad - a system needs to be sorted for browsers to either determine this or warn a user about the domain.

The amount of time Microsoft is taking to come up with an IDN enabled browser, their version ought to be able to cope with Armageddon.

Regards
Dave Wrixon

 

[mole]

IDN's can be very good, but can also be very bad - a system needs to be sorted for browsers to either determine this or warn a user about the domain.

Yeah, IDN's are more local friendy, but to do that they will have to tear apart the very fabric of what makes the Internet so universally convergent. Hindi, Thai, Arabic, Modern Chinese, Traditional Chinese and hundreds of other streams too long to mention.

Imagine the hundreds of thousands of sysads around the world trying to figure how to set up their email servers for this, let alone browsers on user computers, and the countless security issues that will arise because of configuration boo boos.

Unicode is there for a reason - not the best reason, but there is a reason.

I'm all for new namespace, but 한글.kr 日本語.jp مصريين.com 中国互联网络信息中心.cn đäňîċ-ţÃ¥ŝŧďómãĵņ.de is pushing flexibility a bit much.

Might as well go buy some New.Net domains.

 

[James]

Might as well go buy some New.Net domains.

:cheeky: tried that :emba:

 

[Rubber Duck]

Yeah, IDN's are more local friendy, but to do that they will have to tear apart the very fabric of what makes the Internet so universally convergent. Hindi, Thai, Arabic, Modern Chinese, Traditional Chinese and hundreds of other streams too long to mention.

Imagine the hundreds of thousands of sysads around the world trying to figure how to set up their email servers for this, let alone browsers on user computers, and the countless security issues that will arise because of configuration boo boos.

Unicode is there for a reason - not the best reason, but there is a reason.

I'm all for new namespace, but 한글.kr 日本語.jp مصريين.com 中国互联网络信息中心.cn đäňîċ-ţÃ¥ŝŧďómãĵņ.de is pushing flexibility a bit much.

Might as well go buy some New.Net domains.

Mole,

These domains are already up and functioning and not causing any real distress to the DNS.

All IDN characters are Unicode. It is ASCII that the DNS requires and the IDNs are encoded into the basic ASCII character set. That's the whole point.

This is only a temporary glicht. Unfortunately, the criminal fraternity seem to have much more imagination than the rest of the world.

Firefox and Thunderbird had made the need to set up anything clever absolutely unnecessary. Far better than IE which kept telling me sites were down when they weren't. Presumably in Firefox 1.1, all that will happen is there will be a little routine than pops up a warning message to tell you that you are entering an IDN site, until such time as you choose to switch it off.

I started collecting IDN when disillusioned with the high prices for dot com drops, and the general lack of interest in my dot net investments. I agree with you, however, that with the change in the dot net contract, there will be a lot of interest this year.

Regards
Dave Wrixon

Regards
Dave Wrixon

 

[SomeLin]

How do we type the IDN characters on URL line?

It's a biggest point, IDN domain names can not receive any traffic from type-in gateway.. (bah)

 

[Rubber Duck]

How do we type the IDN characters on URL line?

It's a biggest point, IDN domain names can not receive any traffic from type-in gateway.. (bah)

Input into the address bar of an enbled browser such as Firefox is done in just the same way was as into to any other application. If you only have an English Keyboard obviously access to the extended character sets is difficult.

The easiest way for us to input characters is to cut and paste. This can be done by looking up words in an online dictionary or translation service such as Google, or Babelfish. Alternately, characters can be created in Word through the insert symbol command.

For English speakers all this is obviously very difficult, but don't forget that users of Asiatic Languages will readily have all this to hand. There are already billions of pages on the internet in Chinese Characters. The whole point of IDN is to allow non-romanic alphabet users to do what comes most naturally.

There is absolutely no reason to doubt that type-in traffic will develop in Chinese just the way it has in English. Type in traffic doesn't not come from particularly sophisticated user. Quite the reverse. I am certain that this traffic exists and will grow because I am already monitoring the process.

It not just traffic. Overture searches indicate strong growth in Chinese, Russian and Arabic keywords.

The biggest interest at the moment seems to be in Chinese provinces and cities. I think that these are of particular interest as these may allow sub-domains to be sold similar to .uk.com and .eu.com.

Hope that is of help. If you have any specific questions, please do not hesitate to ask.

Regards
Dave Wrixon

 

[Rubber Duck]

http://slashdot.org/article.pl?sid=05/02/15/1922215&from=rss

Posted by Zonk on Tuesday February 15, @03:06PM
from the that-was-easy dept.
tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

Looks like there has been a change of plan and that Firefox will continue to support IDN, but simply display the punycode in the address bar to avoid possible confusion.

http://weblogs.mozillazine.org/gerv/archives/007586.html

Regards
Dave Wrixon

 

[datat]

Sounds like a good solution in the short term. Although this could be confusing to novice users.

I wonder what ie will come with - if anything at all?

 

[stuff]

very good way to avoid fraud! You already see in ebay that the scammers try to sell domains that are very similar to other well known sites.

 

[Nexus]

This is a bad solution, but the alternative is worse. I think this is very telling:
------------------
"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," the Mozilla Foundation said in its advisory. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

The Mozilla team said that domain registrars are ignoring ICANN guidelines on IDN, and have developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks.
-----------------

If registrars are dropping the ball, shouldn't ICANN be stepping in? This is REALLY screwing the usefulness of the standard. No one needs to be told their security is worse than IE's simply because they supported a standard.

Theoretically, I wonder if the browsers themselves shouldn't just REFUSE to resolve domain names with illegal characters. I suspect this wouldn't be a good idea however, as it may put the onus in the wrong court.

~ Nexus

 

[Theo]

IDN's are a PITA.

 

[peterq]

>>>
If registrars are dropping the ball, shouldn't ICANN be stepping in? This is REALLY screwing the usefulness of the standard. No one needs to be told their security is worse than IE's simply because they supported a standard.
>>>

I agree in part. I really feel the ownous is on law enforcement agencies on this one. Registering a domain is not fraudulent. Phishing is fraudulent and we don't need any new laws to prosecute it. I can buy a lock picking set and paypal.com in cyrillic letters in the same morning-- doesn't mean I am going to steal anything in the afternoon.

I believe that out of fairness to the international community and out of fairness to those of us who own IDNs, the standard needs to be supported openly.

 

[Rubber Duck]

>>>
If registrars are dropping the ball, shouldn't ICANN be stepping in? This is REALLY screwing the usefulness of the standard. No one needs to be told their security is worse than IE's simply because they supported a standard.
>>>

I agree in part. I really feel the ownous is on law enforcement agencies on this one. Registering a domain is not fraudulent. Phishing is fraudulent and we don't need any new laws to prosecute it. I can buy a lock picking set and paypal.com in cyrillic letters in the same morning-- doesn't mean I am going to steal anything in the afternoon.

I believe that out of fairness to the international community and out of fairness to those of us who own IDNs, the standard needs to be supported openly.

Totally agree. By neglecting to update their product and leaving people to depend on add-ins, Microsoft have not only failed to ensure any form of security, but have also failed to contribute to the debate or process.

Regards
Dave Wrixon

 

[Vivvy]

we can only hope this stems the tide of the freakish mozilla revival ... just one more thing a mozilla browser WON'T do for you... when will these folks wake up and start working on a better browser, not a less useful one?

Vivvy (recovering Firefox user)

 

[Theo]

Firefox kicks IE's butt. It's faster, more secure and with lots of features. Finally Microsoft will be launching a stand-alone IE later this year.