On Tuesday, April 25, 2017 at 1:49:04 PM UTC+3, Gervase Markham wrote: ... > One guiding principle I have found useful here is "what if the Internet > were invented by the Russians, and Latin was the script late to the > party?". I am trying to avoid doing anything to Cyrillic that I would > think were unfair were it done to Latin if the boot were on the other foot.
If internet was invented in a Cyrillic using country, then the whole domain would have been in Cyrillic, not only the different parts of it. I'm from such a country (Cyrillic alphabet) and I find mixed domains useless. I mean mixed like "www.cyrillic-part.com". Am I expected to switch my keyboard to type the domain name in the URL bar? Do you want, in case DNS was invented by a country with a Cyrillic alphabet, to type parts in Latin and parts in Cyrillic? I don't care that many people bought mixed charset domains. Let them buy non-mixed ones and resolve the issue long-term. I want (as a technical user) to have ability to recognize when domains are using mixed charsets easily. It is strange for me to see many Latin only users blocking any progress of this issue because potentially non-latin users would be alienated. If you are concerned about this, then as your non-latin users what they want. You are just guessing and blocking any sensible decision. There are polls and other strategies that can be used. IMO, at the very least, there should be some highlighting when domain uses mixed charsets, no matter whether in single component of the domain name or not. This is pretty much equal treating IMO and wouldn't kill anybody. Even better if mixed domains show up in punycode by default but have some UI to switch them to Unicode if user decides. But looking at the sentiment here, I don't really hope about this. At least *please* add some highlighting, no matter what it is, pretty please. > The trouble with Cyrillic in particular is that there are quite a few > clashing letters: > https://en.wikipedia.org/wiki/IDN_homograph_attack#Cyrillic > In Russian, you have a, c, e, o, p, x and y. Add in numbers, and you > have 3, 4 and 6. Cyrillic non-Russian languages add i, j and s, and if > you go rare/archaic (which may or may not be supported in the font > and/or noticeably different) you can add d, h, l and v. And that's just > lowercase. In the worst case, that's 14 of Latin's 26 letters, including > 4 of the 5 vowels. It would be a significant crimp on Cyrillic domain > names if all names using only those letters didn't work except in .рф > and the like. > > > (I'm assuming we already require each component to be > > single-script.) > > Yes, we do. That is what solves 99% of the problem. Not really. There are some many high profile sites that can be abused. First things come to my mind ерау.bg and ебау.com Former is impossible to spot. Latter one needs to carefully look at it. For the "b" also "в" and "ь" could be hard to spot. An icon, different colors of the letters, or whatever will be much more useful. For example a warning icon and when you hover, to show explanation with more info about the problem. In fact such a warning icon might be a good idea for many occasions. Firefox could detect different kinds of warnings going forward. An interested user (usually technical) would be able to make an informed decision whether the warning is relevant or not. I'm not suggesting to abandon other long-term solutions that might be better for non-technical users. On the other hand, if Firefox ignores technical users, I doubt it would be good for it. I always preferred Firefox for the ability to make it behave as you want. Presently quantum blocked many useful plugins for apparently no better stability in my personal observations (yes, had issues with replacements that used new APIs only that made my whole browsing experience a mess until I figured out what's going on). Now lets ignore the need for technical people to be sure in what they read in address bar. I really hope Firefox can be good for technical and non-technical people. Otherwise it will not matter anymore which browser am I using. It could be whatever comes pre-installed. _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security