IDN baluba

If you followed browser-related news last week you probably noticed the internationalised domain name issue. Opera was criticised on Slashdot and elsewhere for saying that this security issue actually wasn't our problem, but one the registrars should solve.

The browser can't solve this problem in any meaningful way. The reason is that we have a feature that can be used legitimately and also abused. It can't be disabled (sorry Mozilla guys, turning IDN off was a knee-jerk response that gave you some good PR, not a solution in any way) because of the legitimate uses and because many people already invested money in internationalised domain names.

Mixing scripts in one name also has legitimate uses and is no reliable indication of fraud.

When a feature has both legitimate and dangerous sides, the only real option a browser has is to defer the decision to the user. Sure, lots of posts on Slashdot asked for warning messages or characters written out in different colours – sorry, but you're obviously all so technically skilled that you probably typed paypal.com into the address bar in the first place. Here's my first law of browser security UI design: if you understand a warning you probably know so much about the issues that you didn't need one.

Asking the user to decide or understand if something is safe simply doesn't work for the majority of the users. Look at the mess IE has caused. Speak to your father or friend's grandmother and hear their frustrated complaints about not understanding the warnings and being unsure if they should click yes or no.

If the browser can't do anything but lean on the user we have a security issue that shouldn't be solved by the browser. Perhaps the registrars will get their act together if we push a little harder..

Advertisements

2 thoughts on “IDN baluba

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s