From: Kyle Hamilton
Date:  21 Apr 2017 09:36:22 Hong Kong Time

Re: Unicode domain names issue (Encrypting a "fake" domain name)


Perhaps, only display non-punycode from codepoint sets used in
languages already installed on the computer?

i.e., if the Russian language is installed on the computer, it might
be a strong indicator that Cyrillic codepoints should be shown as
Cyrillic.  Otherwise, it's someone who probably can't even read it,
and so the commitment to displaying non-punycode probably can only be

-Kyle H

On Wed, Apr 19, 2017 at 4:40 AM, Gervase Markham wrote:
> On 19/04/17 02:13, Kyle Hamilton wrote:
>> How did the algorithm in
>> (which points to
>> ) fail to
>> help in this instance?
> Because it is a known issue that it does not deal with whole-script
> confusables. This was documented at the time we adopted it - see:
>> Are there other instances in which it could be expected to fail?
> No.
>> If there are, the hypothesis set forth in
>> (that the new IDN
>> display algorithm was sufficient enough to prevent IDN weirdnesses
>> that the whitelist could be removed) is shown to be false, and Mozilla
>> either needs to find a better solution, or go back to the
>> whitelist.
> That was not the hypothesis. As noted above, this edge case was a known
> and accepted part of the solution, because all of the alternatives are
> worse.
> The argument is that the browser only has sufficient knowledge to solve
> a part of this problem; we can't solve the entire thing using an
> algorithm without privileging some scripts over others, which is not an
> appropriate action for an organization which believes in a truly World
> Wide web. Fixing whole-script spoofing is the responsibility of those
> who have databases of all the existing registrations - i.e. registries.
> See for more details.
> Gerv
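
A sketch of the display rule proposed at the top of this message, added here as an illustration (it is not code from the thread or from Mozilla): a label is shown in Unicode only if it is single-script and that script belongs to a language installed on the machine, otherwise it is shown as punycode. The `LANG_SCRIPTS` table, the function names and the sample labels are assumptions constructed for this example, and scripts are approximated from Unicode character names.

```python
import unicodedata

# Hypothetical mapping from installed language codes to the script they use.
LANG_SCRIPTS = {"en": {"LATIN"}, "ru": {"CYRILLIC"}, "el": {"GREEK"}}

def scripts_of(label):
    """Approximate each character's script from its Unicode name prefix.
    Assumption: a real implementation would use the UAX #24 Script property."""
    return {unicodedata.name(ch).split()[0]
            for ch in label if ch not in "0123456789-"}

def to_ace(label):
    """Return the ASCII-compatible (punycode) form of a single label."""
    return "xn--" + label.encode("punycode").decode("ascii")

def display_form(label, installed_langs):
    """Decide how one already-lowercased DNS label is displayed."""
    if label.isascii():
        return label                      # nothing to decide
    scripts = scripts_of(label)
    if len(scripts) != 1:
        return to_ace(label)              # mixed-script label: never shown as Unicode
    readable = set()
    for lang in installed_langs:
        readable |= LANG_SCRIPTS.get(lang, set())
    # Proposed rule: Unicode only if the user can plausibly read the script.
    return label if scripts <= readable else to_ace(label)

# Constructed sample labels.
CYRILLIC_WORD = "\u043f\u0440\u0438\u043c\u0435\u0440"   # Russian word for "example"
MIXED = "ex\u0430mple"                                   # Latin with one Cyrillic letter
WHOLE_SCRIPT = "\u0441\u043e\u0441\u043e"                # all Cyrillic, resembles Latin "coco"

if __name__ == "__main__":
    for label, langs in [(CYRILLIC_WORD, ["en", "ru"]), (CYRILLIC_WORD, ["en"]),
                         (MIXED, ["en", "ru"]), (WHOLE_SCRIPT, ["en"]),
                         (WHOLE_SCRIPT, ["en", "ru"])]:
        print(langs, ascii(label), "->", ascii(display_form(label, langs)))
```

The last sample shows what the rule does not change: a whole-script Cyrillic label is still displayed in Unicode for a user who has Russian installed, which is the case the quoted reply assigns to registries.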