
Re: [idn] quick & dirty (but not too dirty) homograph defense



These ideas have been considered by Mozilla:

http://weblogs.mozillazine.org/gerv/archives/007556.html

However, Mozilla's IDN market share may not be as big as the others', so its decision may not affect IDN deployment much. MSIE doesn't support IDN to begin with. There are some plug-ins for MSIE to support IDN, so their decision might have more effect than Mozilla's:

http://support.microsoft.com/?kbid=842848

Let me point out that one of those plug-ins is made by VeriSign itself. Since VeriSign is such a big company, their IDN plug-in may have the largest market share. I haven't seen any numbers.

But what will VeriSign decide to do in their plug-in in response to this IDN spoofing issue?

I think I agree with you, however, that the more sophisticated heuristics can be developed later.

Erik

Adam M. Costello wrote:
Here's an idea for a quick-and-dirty enhancement to existing
applications:  Rather than disable IDNA entirely (which is quick but
too dirty), or flag all IDNs (almost as quick but still too dirty),
just flag all IDNs in .com and .net.  This would be significantly less
damaging to IDN deployment (which could proceed unhindered in the other
TLDs, particularly the ccTLDs), but is still extremely simple and could
be rolled out immediately while more sophisticated heuristics are
developed.
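
The heuristic in the quoted proposal (flag an IDN only when it sits under .com or .net), sketched as an added example; it is not code from this thread or from any browser or plug-in. The function names and sample hostnames are constructed for illustration.

```javascript
// TLD list taken from the quoted proposal; everything else is assumed.
const FLAGGED_TLDS = new Set(["com", "net"]);

// IDNA accepts these characters as label separators besides the ASCII dot.
const IDNA_DOTS = /[\u3002\uFF0E\uFF61]/g;

function splitLabels(hostname) {
  const labels = hostname.replace(IDNA_DOTS, ".").toLowerCase().split(".");
  // Drop the empty label left by a fully qualified name ("example.com.").
  if (labels.length > 1 && labels[labels.length - 1] === "") labels.pop();
  return labels;
}

// A label counts as internationalized if it is already in ACE form
// (xn-- prefix) or still contains a non-ASCII character.
function isIdnLabel(label) {
  return label.startsWith("xn--") || /[^\x00-\x7F]/.test(label);
}

function isIdn(hostname) {
  return splitLabels(hostname).some(isIdnLabel);
}

// Flag only IDNs whose top-level domain is .com or .net; IDNs in other
// TLDs (the ccTLDs in particular) pass through without a warning.
function shouldFlag(hostname) {
  const labels = splitLabels(hostname);
  const tld = labels[labels.length - 1];
  return FLAGGED_TLDS.has(tld) && labels.some(isIdnLabel);
}

// Constructed sample hostnames.
const samples = [
  "example.com",            // plain ASCII: never flagged
  "xn--bcher-kva.com",      // ACE form under .com
  "b\u00FCcher.de",         // IDN under a ccTLD: left alone
  "B\u00DCCHER.NET.",       // mixed case, trailing root dot
  "b\u00FCcher\u3002com",   // ideographic full stop as separator
];
for (const host of samples) {
  console.log(host, "idn:", isIdn(host), "flag:", shouldFlag(host));
}
```

Checking every label, not just the leftmost one, means an IDN subdomain under an ASCII .com or .net parent is flagged too.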