February 08, 2005

The Blame Game for IDN Vulnerability

Well, it looks like the blame game has started for the well-known vulnerability in Internationalized Domain Names (IDN), the standard that allows domain names -- and hence web URIs -- to contain Unicode characters.

The story is covered at news.com. See also IDN and Homographs Spoofing.

Who is to blame? There's a lot of blame to go around.

Start with IDN itself, which solves a problem that should have been solved through a different means. Web users around the world want easy-to-remember names for web sites. But instead of adding a layer above DNS, like Real Names, the IETF and ICANN gave in to the pressure to allow DNS to become overly complex and vulnerable.

Then there are the registries, who, if you believe what some critics say, should never allow a domain name to be registered if it uses characters from more than one script. Is there any part of Unicode that specifies what script each character belongs to? Not that I know of. Maybe the Unicode Consortium is to blame.
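As an added example (not code from the original post or from the articles it links to), the following Python shows the two points above in running code: how a Unicode label becomes the ASCII "xn--" form that DNS actually resolves, and the registry-side check critics call for, which flags a label whose letters come from more than one script. The hostnames are constructed for illustration. The script test is a heuristic that takes the first word of each character's Unicode name ("LATIN", "CYRILLIC", ...), because Python's unicodedata module does not expose the Script property directly.

```python
import unicodedata

# Constructed sample hostnames (not taken from the post or the news coverage):
# the genuine ASCII name and a lookalike whose second letter is
# CYRILLIC SMALL LETTER A (U+0430) instead of LATIN SMALL LETTER A (U+0061).
GENUINE = "paypal.com"
LOOKALIKE = "p\u0430ypal.com"


def to_ace(hostname: str) -> str:
    """Convert a Unicode hostname to the ASCII form a browser sends to DNS.

    Python's 'idna' codec applies nameprep and Punycode label by label
    (IDNA 2003, the version in effect in 2005); any label containing
    non-ASCII characters comes back with the 'xn--' prefix.
    """
    return hostname.encode("idna").decode("ascii")


def from_ace(ace_hostname: str) -> str:
    """Reverse of to_ace: decode 'xn--' labels back to Unicode."""
    return ace_hostname.encode("ascii").decode("idna")


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Heuristic: the unicodedata
    module has no direct accessor for the Script property."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def scripts_in_label(label: str) -> set:
    """Set of scripts used by the letters of one DNS label. Digits and
    hyphens are script-neutral and are ignored."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes letters from more than one script, which is
    the condition critics argue a registry should refuse to register."""
    return any(len(scripts_in_label(lbl)) > 1 for lbl in hostname.split("."))


def analyze(hostname: str) -> dict:
    """Summarize what the user sees versus what the resolver sees."""
    return {
        "display": hostname,
        "dns_name": to_ace(hostname),
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(analyze(host))
```

Run as-is, the lookalike renders in the address bar as "paypal.com" but resolves as xn--pypal-4ve.com, a different name under a different registration; the mixed-script check is what would have let a registry (or a browser) refuse or flag it before any user had to spot the difference by eye.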

And then there is blame for the Mozilla and Firefox teams, who should never have implemented IDN without first solving the security problem. One thing is certain: Microsoft did the right thing by not implementing IDN. It's only the fact that Firefox users tend to be a small and web-knowledgeable group that keeps this security flaw from being major headline news. If it were Microsoft, instead of the Mozilla/Firefox team, it's quite possible that some individuals would have had their bank accounts wiped out by now.

The IDN vulnerability is very serious. Any solution must take into consideration that most users cannot be expected to learn what to look for.

Update: Paul Hoffman defends IDN on CircleID. Read what Paul says, and keep in mind that part of his "solution" -- which he doesn't mention, but which I believe is so -- is to have all web users take an evening class so that they know how to browse the web safely.

Posted by Doug Sauder at February 8, 2005 06:05 AM