Re: [alac] Mozilla to switch off IDNs and IRIs.

To: "Vittorio Bertola" <vb@xxxxxxxxxxxxxx>
Subject: Re: [alac] Mozilla to switch off IDNs and IRIs.
From: Wendy Seltzer <wendy@xxxxxxxxxxx>
Date: Wed, 16 Feb 2005 08:31:16 -0800
Cc: "Thomas Roessler" <roessler@xxxxxxxxxxxxxxxxxx>, alac@xxxxxxxxx
In-reply-to: <32292.62.229.8.249.1108480118.squirrel@xxxxxxxxxxxx>
References: <20050215124457.GH6294@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <20050215112417.GC6294@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <5.1.0.14.2.20050215041520.022877f0@xxxxxxxxxxx> <20050215124457.GH6294@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>

At 04:08 PM 2/15/2005 +0100, Vittorio Bertola wrote:

On Mar, 15 Febbraio 2005 13:44, Thomas Roessler disse:
>> Or to modify the recommendations on how IDNs are displayed, so
>> all applications clearly noted that they were showing an IDN.
>> Then, if you weren't expecting an IDN (e.g., when you thought you
>> were looking at paypal.com and saw [IDN=RU]paypal.com), you'd
>> know something was fishy.
>
> I have some doubts about users actually realizing these things -- if
> you just count the warning messages from a browser, then almost all
> for-pay wireless hotspots out there look fishy.  Still, they make
> money.

In Italy, my local telecom provider has just been acquired by a previously
unknown company, whose only business was selling premium telephone numbers
to be then used by spyware/adware to force your modem to dial them up, and
you to pay hundreds of euros in unwanted telephone bills each month
(because you didn't read the notices that your browser was popping up, did
you?). They were making revenues of many million euros per month.

Bottom line: don't rely purely on user education, it won't work for the
masses, not until many years from now.

Yes, but encouraging use of an interface that makes it easier to educateusers is key.One suggestion, via boingboing<http://www.boingboing.net/2005/02/14/idn_domain_spoofing_.html>, indicatewhen names have multiple scripts, so users can note whether that jibes withtheir expectations. <http://lookit.proper.com/archives/000302.html#000302>

This IDN spoof is just the next iteration of "paypa1.com" and "paypaI.com". We didn't insist that registrars block all registrations with L, 1, andI, but we do punish those who use misleadingly similar domain names tocommit fraud (and law enforcement goes after the places the fraudsters tryto put the money or use the fraudulently obtained credit cards, not theinformation they didn't put into WHOIS).

> Which conference? ;-)

CodeCon

--Wendy

--
Wendy Seltzer -- wendy@xxxxxxxxxxx
Electronic Frontier Foundation
Berkman Center for Internet & Society at Harvard Law School
http://cyber.law.harvard.edu/seltzer.html
Chilling Effects: http://www.chillingeffects.org/

References:
- Re: [alac] Mozilla to switch off IDNs and IRIs.
  - From: Thomas Roessler
- [alac] Mozilla to switch off IDNs and IRIs.
  - From: roessler
- Re: [alac] Mozilla to switch off IDNs and IRIs.
  - From: Wendy Seltzer
- Re: [alac] Mozilla to switch off IDNs and IRIs.
  - From: Vittorio Bertola

Prev by Date: Re: [alac] Strategic plan
Next by Date: [alac] Mar del Plata schedule
Previous by thread: Re: [alac] Mozilla to switch off IDNs and IRIs.
Next by thread: [fwd] [stratplan] Meeting Notes (from: Grant.Forsyth@xxxxxxxxxxxxxxxxxxxxxxx)
Index(es):
- Date
- Thread