Here's a new response from the original thread:

That's old news, and was essentially fixed over 4 years ago in a similar variant. The issue a few years back was that a browser URL bar would display a Unicode-encoded paypal.com, but direct a browser to something like "xn--pypal-4ve.com" -- which is the ASCII encoding of the character set.
In any event, that issue -- and this one -- is not an issue with ICANN, but with the browsers and OS.
Bruce Schneier discussing it in 2005
http://www.schneier.com/blog/archives/2005/02/unicode_url_hac_1.html
Also some stuff from Shmoo (security think tank featuring directors of Apache, PGP, etc.) - which first published the paypal example. http://www.shmoo.com/idn/
The Shmoo page contains the IDN (international domain name) advisory papers. The issue dates back to 2001 when "Homograph Attacks" were first identified.
The underlying issue is that homographs look the same, but are not the same, i.e. a Cyrillic c vs an ASCII c.
There have been a number of proposed fixes which haven't been adopted by browsers and OS, particularly that browsers / OS should be saying when there are mixed-code characters, or when a character is in a non-native character set. This was actually part of IETF RFC 3490, which is the base IDN standards RFC, i.e.:

given A = ASCII, C = Cyrillic
warn if CCCCCCC on ASCII browser
warn if AAAAAAAA on Cyrillic browser
warn if AAAACCCC on any browser

The one thing that ICANN did drop the ball on -- and it's kind of unfair saying that, as it would have been very hard to implement equitably -- is that they didn't enforce one of the smarter DNS-level security concepts -- that possible characters for IDN domain names be locked down by TLD.
In any event, the issue is much less the fault of ICANN than it is of the browsers and operating systems.
// Jonathan Vanasco
e. jonathan@2xlp.com w. http://findmeon.com/user/jvanasco blog. http://destructuring.net
--
---------------------------------------------------------------
Joly MacFie 917 442 8665 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
http://pinstand.com - http://punkcast.com
---------------------------------------------------------------
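
The warn-if rule listed in the forwarded message, as an added example that is not part of either message: it decodes an "xn--" label back to what the URL bar would display and flags mixed-script or non-native-script labels. The function names are hypothetical, and taking a letter's script from the first word of its Unicode character name is an assumption made to stay within the Python standard library.

```python
import unicodedata

def decode_label(label):
    """Convert an ACE label (xn--...) to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def check_host(host, native="LATIN"):
    """Return (wire_label, displayed_label, reason) for every suspicious label."""
    warnings = []
    for raw in host.split("."):
        try:
            shown = decode_label(raw)
        except UnicodeError:
            warnings.append((raw, raw, "undecodable xn-- label"))
            continue
        used = scripts_in(shown)
        if len(used) > 1:
            # AAAACCCC: warn on any browser
            reason = "mixed scripts: " + ", ".join(sorted(used))
            warnings.append((raw, shown, reason))
        elif used and used != {native}:
            # CCCCCCC on an ASCII browser, or AAAAAAAA on a Cyrillic one
            warnings.append((raw, shown, "non-native script: " + min(used)))
    return warnings

if __name__ == "__main__":
    # Hostnames taken from the message above.
    for host in ("paypal.com", "xn--pypal-4ve.com"):
        print(host, check_host(host))
```
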