#21961: should torbrowser enable network.IDN_show_punycode by default?
--------------------------------------+------------------------------
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_review
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+------------------------------

Comment (by cypherpunks):

 The fact that Chrome/Chromium has this mitigated, while Firefox has
 stubbornly refused to change their behavior, calling it someone else's
 problem, is one of the many reasons that people (rightfully) criticize
 Firefox and its devs for having poor security. Imagine how easy it would
 be for an administrator of a dissident website, or the code repository
 website for a critical or popular program (such as Tor?) to be
 compromised.

 Perhaps only enable the punycode feature when not on the lowest security
 level? The description in the browser security slider could say "Domains
 with unicode may not display properly", with the mouseover text saying
 "Characters that can be used to create a domain that looks identical to an
 existing domain will be displayed differently".

 I'm going to have to require all the important members of a website I own
 to log in exclusively using client certificates, since they will only work
 on the correct domain. I would much rather if I did not have to do
 something which has an impact on my users just because poorly-secured
 browsers insist on this being someone else's problem.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21961#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
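
The display decision that `network.IDN_show_punycode` controls, as an added example that is not part of the comment above and is not Tor Browser or Firefox code. It uses the standard WHATWG `URL` parser; the function names and the sample hostnames are constructed for illustration.

```javascript
// Constructed samples: LOOKALIKE renders like "example.com", but its third
// character is Cyrillic U+0430 rather than Latin "a".
const PLAIN = 'example.com';
const LOOKALIKE = 'ex\u0430mple.com';

// ASCII (punycode) form of a hostname, as the URL parser serializes it.
function toAscii(host) {
  return new URL('http://' + host).hostname;
}

// True when at least one label needs the "xn--" ASCII-compatible encoding,
// i.e. the hostname is an internationalized domain name.
function hasIdnLabel(host) {
  return toAscii(host).split('.').some((label) => label.startsWith('xn--'));
}

// Hostname as an address bar would show it. showPunycode mirrors the
// preference: when true, every IDN is shown in its ASCII form, so a
// lookalike can no longer render identically to the name it imitates.
function displayHost(host, showPunycode) {
  return showPunycode && hasIdnLabel(host) ? toAscii(host) : host;
}

// Two hostnames are the same site only if their ASCII forms match,
// however similar they look on screen.
function sameHost(a, b) {
  return toAscii(a) === toAscii(b);
}

// Stand-alone demonstration of both settings of the preference.
for (const host of [PLAIN, LOOKALIKE]) {
  console.log(JSON.stringify({
    idn: hasIdnLabel(host),
    prefOff: displayHost(host, false),
    prefOn: displayHost(host, true),
  }));
}
```

With the preference off, both samples render as the same string to the eye; with it on, only the second changes, to a form that starts with `xn--`.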