
Internationalized domain names in Linux - bogdan_r
http://bogdan.nimblex.net/linux/2018/08/01/IDNs-in-linux.html
======
michaelmrose
Please see
[https://bugzilla.mozilla.org/show_bug.cgi?id=279099](https://bugzilla.mozilla.org/show_bug.cgi?id=279099)
or this site that looks like apple.com

[https://www.xn--80ak6aa92e.com/](https://www.xn--80ak6aa92e.com/)

regarding homographic or look-alike character attacks. As an American only
fluent in English I'm enormously more likely to encounter malicious content
than content that is useful to me on internationalized domain names.

To make this less likely you can set

network.IDN_show_punycode true

in about:config for Firefox, or in your profile directory you can create a
user.js file and add this line.

user_pref("network.IDN_show_punycode", true);

~~~
Sir_Cmpwn
Exactly this. Punycode is poorly supported because no one wants it, it just
opens a huge front for phishing.

~~~
estebank
This is a very anglocentric view of the internet.

Most of the problems with the full unicode set can be sidestepped by a
combination of UAX #31[1], NFKC[2], ignoring ligatures and digraphs[3], and
following UTR #39[4].

Cyrillic apple.com is one of the few cases where it is still problematic and
extra UI feedback would be needed.

[1]: [http://unicode.org/reports/tr31/](http://unicode.org/reports/tr31/)

[2]: [http://unicode.org/reports/tr15/](http://unicode.org/reports/tr15/)

[3]: [https://www.unicode.org/faq/ligature_digraph.html](https://www.unicode.org/faq/ligature_digraph.html)

[4]: [http://unicode.org/reports/tr39/tr39-1.html](http://unicode.org/reports/tr39/tr39-1.html)
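
An added example, not part of any comment in this thread: a Python sketch of the kind of check the comment above points to, a single-script test plus a whole-script look-alike test, run on the hostname from the first comment. The `LOOKALIKE` table, `ALLOWED_MIX` and the script-by-character-name heuristic are simplifying assumptions; a real implementation uses the UTS #39 data files.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones. The real
# data is confusables.txt from UTS #39; this table only covers the demo.
LOOKALIKE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",
}
# Script combination that is normal inside one word (Japanese); an assumption.
ALLOWED_MIX = {"CJK", "HIRAGANA", "KATAKANA"}

def decode_label(label):
    """Unicode form of one DNS label; strips the ACE prefix 'xn--' if present."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def skeleton(text):
    """NFKC, then map look-alikes to Latin (simplified, not the UTS #39 algorithm)."""
    return "".join(LOOKALIKE.get(ch, ch) for ch in unicodedata.normalize("NFKC", text))

def verdict(label):
    text = decode_label(label)
    found = scripts(text)
    if len(found) > 1 and not found <= ALLOWED_MIX:
        return "mixed-script"             # e.g. Latin with one Cyrillic letter
    if found and found != {"LATIN"} and skeleton(text).isascii():
        return "whole-script-confusable"  # one script, yet reads as ASCII
    return "ok"

def assess_host(host):
    """(unicode_label, verdict) for every label of a hostname."""
    return [(decode_label(l), verdict(l)) for l in host.split(".")]

if __name__ == "__main__":
    # Hostname from the first comment, plus two constructed samples.
    samples = ("www.xn--80ak6aa92e.com", "p\u0430ypal.com",
               "\u043f\u0440\u0438\u043c\u0435\u0440.com")
    for host in samples:
        print(ascii(host), assess_host(host))
```

A mixed-script test alone passes the all-Cyrillic label, which is why the second check exists; an ordinary Cyrillic word such as the third sample is left alone.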

~~~
eximius
> This is a very anglocentric view of the internet.

Yes, it was. The grandparent is literally saying that, as an American,
punycode is primarily a risk to them, not a feature.

> Most of the problems with the full unicode set can be sidestepped by a
> combination of...

By a combination of 4 different, complicated things that most technical users
know little about and non-technical users know nothing about? And problems
still remain? That doesn't bode well.

~~~
estebank
> Yes, it was. The grandparent is literally saying that, as an American,
> punycode is primarily a risk to them, not a feature.

...arriving at the conclusion that six billion people[1] having a degraded
experience (sometimes severely) is a good trade-off. As somebody else
down-thread mentioned, browsers targeted at anglophones maybe should make Cyrillic
characters always obvious, but that doesn't mean this should be the default
for _everyone_. The part where I disagree with the gp is that "no one wants
it".

> By a combination of 4 different, complicated things that most technical
> users know little about and non-technical users know nothing about? And
> problems still remain? That doesn't bode well.

I don't see how "most technical users[...] and non-technical users" have any
need to learn about those "4 different, complicated things"; only people
directly working on User-Agents and networking have any need to understand
those documents.

[1]: People that speak _some_ level of English total ~1 billion
[https://blog.esl-languages.com/blog/learn-languages/most-spo...](https://blog.esl-languages.com/blog/learn-languages/most-spoken-languages-world/)

------
CaliforniaKarl
It seems to me that libidn2 should be used instead. As per
[https://www.gnu.org/software/libidn/…](https://www.gnu.org/software/libidn/…)

> Please be aware that GNU libidn2 is the successor of GNU libidn. It comes
> with IDNA 2008 and TR46 implementation and also provides a compatibility
> layer for GNU libidn.

------
jwilk
The author is confused. glibc does support IDN, but of course it's not enabled
by default. The applications that want IDN have to opt in by specifying an
appropriate flag.

[http://man7.org/linux/man-pages/man3/getaddrinfo.3.html](http://man7.org/linux/man-pages/man3/getaddrinfo.3.html) (search for "Internationalized Domain Names")

~~~
CaliforniaKarl
It looks like getaddrinfo does have that ability, but I could not tell if
gethostbyname supports it.

~~~
aaronmdjones
Please stop using gethostbyname(3). Among other things, it doesn't support
IPv6.

