Scripts and Barriers

I’m currently sitting in the ICANN IDN workshop in Vancouver, Canada. It’s past 7pm now, and we’ve been here since half past twelve. It’s been very interesting, if long. The main focus of the session is IDN at the top level – IDN TLDs – but we also had an hour on IDN at the second level, where Michel Suignard of Microsoft and I gave presentations on IDN in IE and Mozilla respectively.

One feature IE’s IDN implementation has which we are not proposing to adopt is that it has a notion of “scripts that you know about”, and if you visit a website using an IDN in a script you don’t know, it displays the IDN as punycode and gives you a yellow security warning bar.

I think this idea is very worrying, because it balkanises the Internet. Instead of a global namespace, you have lots of smaller ones with mutual distrust between them. This seems to me to be counter to the very idea of IDNs – that everyone in the world is placed on the same level, rather than the current situation where Latin-based languages and English are the first-class citizens. It would also have a deterrent effect on IDN uptake. Who is going to use an IDN name if an unknown percentage of web surfers are going to get given a security warning when they visit it? This is particularly bad for users of minority scripts, who almost no-one is going to trust by default.

From an implementation perspective, it also has practical problems. How is an Iranian going to react when he visits an Internet cafe in the US and is told that all his websites are suspicious? What about computers used by multiple people, each of whom knows a different set of scripts? (E.g. a house where the father happens to have learnt Chinese at night school, but the rest of the family don’t know it.) It also means that your browser needs additional configuration because of IDN, which I believe should be an active anti-goal of our IDN work.

But I also can’t see the point. What risk does it mitigate? As long as it doesn’t look like the domain name of my bank (and there are other mechanisms for dealing with that), where is the risk for me in visiting a domain whose name happens to be in Russian, or Chinese? I can’t see one.

I hope that Microsoft change their mind and remove this feature.
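A minimal model of the "scripts that you know about" display rule described in this post, as an added example that is not IE's or Mozilla's code. The function names, the script detection by Unicode character name, and the sample hostnames and profiles are assumptions constructed for illustration.

```python
import unicodedata

def script_of(ch):
    # Approximation: the stdlib exposes no Script property, so take the first
    # word of the Unicode character name (LATIN, CYRILLIC, ARABIC, CJK, ...).
    if ch in "0123456789-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_ace(label):
    # Encoded ("xn--") form of one label. The punycode codec does no
    # nameprep/normalisation, so the constructed samples are already lowercase.
    return "xn--" + label.encode("punycode").decode("ascii")

def display_host(host, known_scripts):
    """Return (text shown in the address bar, whether the bar appears)."""
    shown, bar = [], False
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if label.isascii() or scripts <= set(known_scripts):
            shown.append(label)          # every script is one the user knows
        else:
            shown.append(to_ace(label))  # unknown script: show encoded form
            bar = True
    return ".".join(shown), bar

# Constructed sample hostnames and user profiles (not taken from the post).
# The third host is Latin with one Cyrillic letter (U+0430) in the first label.
HOSTS = ["пример.example", "bücher.example", "ex\u0430mple.example"]
PROFILES = {"latin-only": {"LATIN"}, "latin+cyrillic": {"LATIN", "CYRILLIC"}}

if __name__ == "__main__":
    for name, scripts in PROFILES.items():
        for host in HOSTS:
            print(name, display_host(host, scripts))
```

The same hostname renders differently depending on the profile, which is the shared-computer situation raised above. In this model the mixed Latin/Cyrillic label is shown in Unicode under the second profile, because the rule looks only at which scripts are configured.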

6 thoughts on “Scripts and Barriers”

  1. One thing I noticed about IE6 is that the warning bar appears far too often already. Besides, they now have a traffic-light-coloured address bar gimmick in IE7 which was added for the phishing warning. I think they should use that instead.

  2. Hiya, Gerv. I wanted to provide a bit more insight into our design philosophy for the IDN feature in IE7.

    What you call “Balkanization”, I call “attack surface reduction.” :-)

    We know from previous experience that reducing attack surface is absolutely key to reducing the risk and impact of future vulnerabilities. I’m sure you can appreciate that IE7’s default IDN configuration would have protected the vast majority of the world that was at risk from the Cyrillic attack that the Shmoo Group executed against early-implementer browsers.

    I don’t think our threat mitigations will at all hinder the uptake of IDN. If your site is written in Czech, and your URL is in Czech, presumably, an overwhelming percentage of your users are going to be Czech-speakers, and will have IE configured accordingly. Even if the browser is not configured for Czech, the user-experience isn’t bad. The user will see the encoded address, an IDN notification icon, and possibly an Information bar. When the user clicks on the IDN notification icon, an explanation of the IDN address is displayed, along with the Unicode and Punycode forms of the hostname.

    IDN URLs will always navigate in IE, even if they display in Punycode. For precision, I’d like to note that IE doesn’t show a “warning bar” when navigating outside your configured languages, it shows the “Information Bar”. The bar informs the user that IE is showing the domain name in its encoded form because IE is not configured to display the characters in question. The user has the option of easily disabling the Information bar; it’s mainly intended as a helper to ensure that the user has their IE Languages configured correctly to represent the languages they regularly interact with. IE7 will not describe cross-language IDN URLs as “suspicious” or any other pejorative term.

    The cross-language protection aspect of the IDN work is only one element of our deep commitment to making sure that the exciting growth of IDN isn’t hindered by security threats. Other functionality in IE7 and its Phishing Filter will also protect the user from IDN-based attacks.

    Our blog at will have a fuller description of the IDN feature in the next few weeks.

    (For complete disclosure: I personally believe that a TLD-allowlist is possibly the correct ~long-term~ architecture for IDN mitigations. Once TLDs such as .com are in a state where they can participate in IDN, and once there’s a high level of confidence that domain registrars are consistently blocking homograph attacks, IE8+’s IDN support should be designed accordingly).

  3. I want to add another wrench into this equation: many people who are not native speakers of English still prefer to use English for their computing needs. So they might be buggered when using this. This and a highly multilingual population will cause the ‘information’ bar to be shown many times (kinda like the Firefox popup bar and the plugin bar; no experience using IE so can’t say). An end user will be bothered by this, imho.

  4. I believe it’s Armenian which can be written in Latin, Cyrillic and Arabic scripts.

    I think you want Azeri there, lest you cause an international incident ;)

  5. How can I delete the name which I have written in the address bar of Internet Explorer?
    E.g. I have written , in the address bar. Can I delete it permanently from the address bar folder? Pls help me, OK.