Re: [idn] nameprep2 and the slash homograph issue
Erik van der Poel wrote:
> Here I agree with you. I'm not going to try to come up with the wording
> for that, but this morning I started to think that the right-to-left DNS
> and IDN spoofing problems *could* be addressed at the UI level by
> providing a *tool* that security-conscious users could *choose* to use.

While security-conscious users are always less at risk than ordinary
users, thinking in terms of a tool is IMO wrong.

> I'm thinking of a tool that might be implemented as an extension for
> Mozilla, for example. It would offer to display domain names in the safe
> order, i.e. left-to-right for users whose main language is
> left-to-right. I have not heard of any UIs that offer top-to-bottom in
> their menus, dialogs, etc, so I would guess that this would be omitted
> in the extension too, though right-to-left might be offered for
> right-to-left users (many of which are in the Middle East -- Hebrew and
> Arabic).

The problem this is supposed to mitigate is mitigated in Firefox by the
domain-only indicator in the status bar.

> In addition, such a tool would offer to display domain names in a clear
> font, unlike the sans-serif that is commonly used today. This would make
> the distinction between lowercase l and digit 1 clearer. And it would
> separate the domain name from its context, e.g. using color.

Assuming we could determine such a font, why would we not always use it?
Why wait for a tool to be deployed?

Gerv