There are some issues that I didn’t make clear enough in my last IDN policy post.
- Turning off IDN is a temporary measure for Firefox 1.0.1, Mozilla 1.7.6 and Mozilla 1.8 beta, all of which are due for release in the next couple of weeks (this week, ideally), to target this and other security issues. I personally am confident that this will not be the long term solution. We hope to engineer the disablement in such a way that we can later return the pref to whatever value the user had it set to before we started.
- I am very keen on the long-term solution being a TLD whitelist or blacklist. Whether this is feasible, and which of the two we have depends on the scope of the homograph problem, which we are still trying to determine – and that’s something we need your help with. This solution would avoid penalising registrars/registries who are doing the right thing, while protecting our users. The main reason this is not being implemented for 1.0.1 is the timescale.
- We have considered a lot of other solutions also – warning bars, icons, tooltips, you name it. Such things have the disadvantage of needing coding and testing (so can’t be quick) but also usually have the disadvantage of discriminating against IDN as a class of domains, which we do not want to do. Please read my thoughts on “Solution Requirements” in my “Phishing – Browser-based Defences” paper for my views on what solutions are and are not acceptable for phishing problems.
- We are not being Anglocentric here – or rather, we are not being more Anglocentric than the DNS system has been for the last 30 years.
- As a general point, we understand that preserving our reputation for security may require inconveniencing users some of the time. While each case is evaluated on its own merits, people should not be surprised if you see other things temporarily disabled in future.
Now, to talk about what other people are saying:
Paul Hoffman may know more about IDN and Unicode than I do, but as someone who has done a lot of thinking about browser UI, I can tell him that an “IDN explanation popup” will not be read. Also, merely indicating whether a domain name is IDN or not is useless unless there’s some inference that a user can draw from that. “It’s suspicious” is presumably not the inference he wants people to draw. And if one IDN domain spoofs another one, the icon will be similarly present on both.
He and others (including some advice issued by the IDN community) have also suggested that you can solve the problem by indicating the class of each character by changing the background colour. Leaving aside the problems this causes for the 5% of the population who are colour blind, this will merely make the location bar ugly. Users will either complain loudly about the ugliness and ask to turn it off or, if reconciled to it, either get used to the dancing array of colours behind the domains they visit (non-English users) or treat any change in colour as suspicious (English users). Both are bad outcomes, and neither improves security.
He can rest assured that we neither want to turn IDN off (permanently), nor do we want to make IDN use obnoxious. We would like IDN domains to work as beautifully and simply as non-IDN domains, and that’s the goal we are shooting for.