[nycphp-talk] somewhat OT Re: validating proper name capitalization

Tedd Sperling tedd.sperling at gmail.com
Thu Sep 29 16:44:51 EDT 2011


On Sep 29, 2011, at 3:44 PM, David Krings wrote:

> On 9/29/2011 2:06 PM, John Campbell wrote:
>> It is designed for people coming from other languages.  Like Groupon
>> in China is gaopeng.com, but gaopeng is 高朋 when written as characters.
>>   高朋.com is http://xn--bpvz66i.com/ in puny code.
>> 
>> The problem with puny code is that it is a security nightmare, and no
>> safe browsers are ever going to support it.
>> 
>> Can you find the difference between http://paypal.com/ and
>> http://paypaḷ.com/ ?
>> 
>> Regards,
>> John Campbell

John:

You got the obvious right, but that's the problem.

According to any computer I use, there is a difference between code-points regardless of what they look like. Just because you can find two, or more, code-points that look alike does not mean that computers can be fooled. Code-points are different by definition.

The problem arises when Browsers show code-points but do not also indicate to the user that these code-points are from different language/character sets. This could be easily solved by simply coloring the url. This was suggested/discussed in the IDNS WG back in 2000, but was not considered by Browser makers.

For example, the paypal.com problem you described could be easily solved by simply coloring a mixed char-set URL. Would you give personal information to a URL if the URL was colored red or blinking red? I think not.

On the other hand, keep in mind that only three percent of the world's population has English as their native language. So, the question really becomes, is PUNYCODE the answer for everyone? It was never intended by the IDNS WG for the end-user to ever see it -- this decision was made by the Browser makers, not users.

Consider that when the rest of the world logs on to the Internet and starts demanding that they be able to use their own native language, you will see Browser makers either consider how to fix this problem -- OR -- find themselves in the position that M$ is now in because of their head-fast insistence of ignoring W3C standards and as a result being surpassed by other Browser makers.

As M$ found out, you can't stop progress regardless of what marketshare you have.

This is a problem, but not an unsolvable one. Browsers will support PUNYCODE AND be safe eventually.

Cheers,

tedd

_____________________
tedd at sperling.com
http://sperling.com
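
Added example, not part of the original message: a Python sketch of the check discussed in this thread, decoding Punycode labels and flagging hostnames that a client could highlight. It also covers a case the script-mix test alone misses: a Latin letter with a diacritic (U+1E37 in the constructed sample) stays within one script, so a second check strips diacritics and compares against ASCII. The function names, flag names and sample hosts are assumptions made for illustration, and deriving the script from the Unicode character name is a simplification.

```python
import unicodedata

def script_of(ch):
    """Rough script tag taken from the Unicode character name (heuristic)."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"  # digits and hyphen
    name = unicodedata.name(ch, "UNKNOWN")
    if name.startswith("CJK "):
        return "Han"
    return name.split()[0].title()  # LATIN, CYRILLIC, GREEK, ...

def decode_label(label):
    """Turn an xn-- (Punycode) label back into Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def ascii_skeleton(label):
    """Decompose (NFKD) and drop combining marks, e.g. U+1E37 becomes 'l'."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def classify_host(host):
    """Return (unicode_host, flags) for a dotted hostname."""
    labels = [unicodedata.normalize("NFC", decode_label(l)) for l in host.split(".")]
    flags = set()
    for label in labels:
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1:
            flags.add("mixed-script")      # e.g. Latin and Cyrillic in one label
        if not label.isascii() and ascii_skeleton(label).isascii():
            flags.add("ascii-lookalike")   # differs from ASCII only by diacritics
    return ".".join(labels), flags

# Constructed sample hosts (not taken from real traffic).
SAMPLES = [
    "xn--bpvz66i.com",     # single-script Han label in Punycode form
    "paypal.com",          # plain ASCII
    "paypa\u1e37.com",     # Latin l with dot below
    "p\u0430ypal.com",     # Cyrillic a mixed into a Latin label
]

if __name__ == "__main__":
    for host in SAMPLES:
        shown, flags = classify_host(host)
        print(f"{shown!r:24} {sorted(flags) or 'ok'}")
```
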









