On Wed, Feb 09, 2005 at 01:04:53PM -0000, Randal, Phil wrote: > I've verified that the flaw exists on Windows XP SP2 fully patched IE 6 > with Verisign's plugin from http://www.idnnow.com/index.jsp. I think it's incorrect to blame browsers for this bug. It's a flaw in the design of IDN, which was obvious from the very beginning. In Unicode set there are many characters which look very similar, not only hex 0430; dec 1072, CYRILLIC SMALL LETTER A which was used in fake "paypal" example. The "fixes" proposed so far rely on switching off the IDN support in browsers, which only confirms, that it's not a bug, it's a feature. What are IDN-enabled browsers supposed to do, anyway? Should they display a special warning in case a user enters an IDN domain name? Or a different "padlock" icon in case of SSL? People, who legally bought those names would be then treated unfairly. I think it's up to the browsers' authors to invent some nonobtrusive way to notify the user, that he/she entered an IDN-enabled site (like a small icon in the address or status bar; maybe an additional address bar, which would show the real punycode URL; etc.), but let's not forget that IDN was invented that way. Marcin
