From:  Kyle Hamilton <kyanha@kyanha.net>
Date:  21 Apr 2017 09:36:22 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.security
Subject:  Re: Unicode domain names issue (Encrypting a "fake" domain name)

NNTP-Posting-Host:  63.245.214.181

Perhaps, only display non-punycode from codepoint sets used in
languages already installed on the computer?

i.e., if the Russian language is installed on the computer, it might
be a strong indicator that Cyrillic codepoints should be shown as
Cyrillic.  Otherwise, it's someone who probably can't even read it,
and so the commitment to displaying non-punycode probably can only be
damaging.

-Kyle H

On Wed, Apr 19, 2017 at 4:40 AM, Gervase Markham wrote:
> On 19/04/17 02:13, Kyle Hamilton wrote:
>> How did the algorithm in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=722299 (which points to
>> https://wiki.mozilla.org/IDN_Display_Algorithm#Algorithm ) fail to
>> help in this instance?
>
> Because it is a known issue that it does not deal with whole-script
> confusables. This was documented at the time we adopted it - see:
> https://wiki.mozilla.org/IDN_Display_Algorithm#Downsides
>
>> Are there other instances in which it could be expected to fail?
>
> No.
>
>> If there are, the hypothesis set forth in
>> https://bugzilla.mozilla.org/show_bug.cgi?id=843689 (that the new IDN
>> display algorithm was sufficient enough to prevent IDN weirdnesses
>> that the whitelist could be removed) is shown to be false, and Mozilla
>> needs to either find a better solution, or go back to the
>> whitelist.
>
> That was not the hypothesis. As noted above, this edge case was a known
> and accepted part of the solution, because all of the alternatives are
> worse.
>
> The argument is that the browser only has sufficient knowledge to solve
> a part of this problem; we can't solve the entire thing using an
> algorithm without privileging some scripts over others, which is not an
> appropriate action for an organization which believes in a truly World
> Wide web. Fixing whole-script spoofing is the responsibility of those
> who have databases of all the existing registrations - i.e. registries.
>
> See https://wiki.mozilla.org/IDN_Display_Algorithm_FAQ for more details.
>
> Gerv
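
The display rule proposed at the top of this message (show a label in Unicode only when its script belongs to a language installed on the machine, otherwise show Punycode), sketched as an added example that is not code from the thread or from Mozilla. The language-to-script table and the function names are assumptions made up for illustration, and the script of a character is approximated from the first word of its Unicode name because the Python standard library has no Script property.

```python
import unicodedata

# Constructed table (assumption): scripts a user can read per installed language.
LANGUAGE_SCRIPTS = {
    "en": {"LATIN"},
    "de": {"LATIN"},
    "ru": {"CYRILLIC"},
    "el": {"GREEK"},
}

def label_scripts(label):
    """Approximate the set of scripts used by a label's non-ASCII code points."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            continue  # ASCII letters, digits and hyphen never need Punycode
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def to_unicode(label):
    """Decode an xn-- label to Unicode; leave anything undecodable as it is."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:
            return label
    return label

def to_ascii(label):
    """Encode a non-ASCII label as its xn-- (Punycode) form."""
    return "xn--" + label.encode("punycode").decode("ascii")

def display_form(hostname, installed_languages):
    """Return the hostname as the address bar would show it under this rule."""
    readable = set()
    for lang in installed_languages:
        readable |= LANGUAGE_SCRIPTS.get(lang, set())
    shown = []
    for label in hostname.lower().split("."):
        text = to_unicode(label)
        if label_scripts(text) <= readable:
            shown.append(text)            # all-ASCII, or only readable scripts
        else:
            shown.append(to_ascii(text))  # script the user has not installed
    return ".".join(shown)

if __name__ == "__main__":
    for langs in ({"en"}, {"en", "ru"}):  # constructed sample input
        print(sorted(langs), display_form("пример.com", langs))
```

With `ru` installed an all-Cyrillic label is still shown in Unicode, so the rule narrows who sees such labels rather than detecting whole-script confusables.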