The first thing that strikes is that the IDN/Shmoo thing is not a bug but is a feature. It's doing what it was intended to do. Indeed, one of the browser manufacturers said that in the Shmoo advisory (but just saying that is not a sufficient response!).
Actually, it just occurred to me: we have started to get everyone checking the lock for SSL, and I've seen on one of the bootable CD distros based on Ubuntu (beatrix) that the domain is shown next to it (although it's showing paypal.com in this case, not the xn--pypal-4ve.com). Why not show the damn domain and some other symbol to stand for a unicode domain, some sort of weird flag that looks cool maybe? :)
If the domain next to the lock/flag doesn't match up top then something's amiss... Obviously the finer points of implementing this in a sane manner so as not to trip over valid domains is another issue...
--
Best regards, Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers
"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
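The indicator suggested in the message above, sketched as an added example that is not part of the original post or of any browser's code: it always carries the `xn--` form of the host, raises a flag for Unicode domains, and compares the lock-side name with the address-bar name on their ASCII forms. The function names and the mixed-script heuristic are assumptions made here; the heuristic goes slightly beyond the message to show one way of not tripping over valid single-script domains.

```python
import unicodedata

ACE = "xn--"  # prefix that marks a Punycode-encoded (IDN) label

def to_ascii(host):
    """ACE (xn--) form of a hostname given in either ASCII or Unicode."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()

def to_unicode(host):
    """Unicode form of a hostname; xn-- labels are Punycode-decoded."""
    out = []
    for label in to_ascii(host).split("."):
        if label.startswith(ACE):
            label = label[len(ACE):].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)

def label_scripts(label):
    """Rough script guess from Unicode character names (LATIN, CYRILLIC, ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def lock_indicator(host):
    """What a hypothetical lock-side display would carry for this host."""
    ascii_form = to_ascii(host)
    uni = to_unicode(host)
    mixed = [l for l in uni.split(".") if len(label_scripts(l)) > 1]
    return {
        "ascii": ascii_form,           # always shown: the unambiguous xn-- form
        "unicode": uni,                # what the glyphs in the address bar look like
        "idn": ascii_form != uni,      # drives the "Unicode domain" flag
        "mixed_script_labels": mixed,  # heuristic hint, not a verdict
    }

def same_site(address_bar_host, lock_host):
    """Compare the two displays on their ASCII forms, never on glyphs."""
    return to_ascii(address_bar_host) == to_ascii(lock_host)

if __name__ == "__main__":
    # Hostnames taken from the message above.
    for h in ("paypal.com", "xn--pypal-4ve.com"):
        print(h, lock_indicator(h), same_site(h, "paypal.com"))
```
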
