
Currently Orion seems to be the only browser that defaults to not rendering IDNs (internationalized domain names), instead showing the punycode-string when browsing. This might have a slight security benefit for users that are exclusively using websites that don't make use of IDNs, which I reckon is the reasoning behind this behavior. It also doesn't seem possible to visit webpages directly by typing in their domain name if you're not using the punycode version.

I would like you to consider adding additional settings for how IDNs are handled. I will not argue about what is the best default setting, but here are some reasons for why a certain subset of users might benefit from having IDNs handled more like in other browsers:

  • If I want to visit a webpage that has an IDN, currently I either need to use a punycode converter or search for it and click on a link. Not everyone is aware of how conversion can be done and not every website is easily found through a search engine.
  • Because only the punycode version is shown in the address bar, it might be harder to check if you're really on the page you intended to go to. This is also a common argument against rendering IDNs, but only helpful if we assume that legit webpages never use IDNs themselves. This might be the case for businesses from the English-speaking world, but is not accurate globally. Consider an attack where the legit page is "xn--ksefabrik-v2a.de" but someone uses "xn--ksefabrik-07a.de" for a phishing attempt. The unicode versions would be easier to tell apart (for German speakers) than the punycode versions.
  • Last but not least, it's just not visually nice to show domains like this. You might disagree here, but IDNs aren't second-class citizens of the internet in my opinion.

Edit: Seems like Orion just has no IDN support at the moment. Therefore, if that's ok this issue should be about adding support in general. After the support has landed, I guess we can discuss more in detail about any display settings and the like.


    jei4: "which I reckon is the reasoning behind this behavior."

    Nope, we simply haven't implemented it. Orion is written from scratch and so this needs to be implemented separately.

    Nice to hear. I have looked a bit more into how Punycode works now (got curious!) and I can totally see why you haven't had the time yet. Having two standards (IDNA2003 and IDNA2008) which aren't completely compatible with each other that are complex enough on their own, plus another complex transitional compatibility processing sure doesn't make things easy to get right. Take your time 🙂

      I was looking for an item related to IDN/punycode in general and this is the only one I found...

      Would it make sense to generalize this, to cover adding IDN support in general to Orion, or is it preferred I create a separate one?

      My "pet peeve" for now being the two step landing, first to search engine and then click to go to webpage, when I'm typing out (or pasting) any domain containing international characters.

      Edit: Just saw the timeline and that it's not even 24h old.
      Interesting that everyone runs into this today. 😃


        Magebarf I don't think I can change the thread title by itself but yes, let's make this a general IDN support thread then. That makes much more sense.

          jei4
          I believe Vlad (on purpose not doing a @ mention, to stay easy on his inbox and notifications) has the ability to do so.

            eirk changed the title to Support Internationalized Domain Names (IDNs).

              And this is why I believe Chrome and Firefox don't show punycode by default.


                Not sure what the current ask is here and what APIs/libraries we can use to do this quickly?

                  eirk You mean that they do show the punycode by default instead of rendering the IDN? Well it seems like they sometimes show punycode instead of rendering it depending on your locale settings and what kind of characters are inside the domain name.

                  Because for me, all websites with IDNs I use are rendering the domain name in both Firefox and Chrome without me having changed any settings. That's also what is explained on the Wiki page you linked above. For example it says on Firefox:
                  „Mozilla Firefox versions 22 and later display IDNs if either the TLD prevents homograph attacks by restricting which characters can be used in domain names or labels do not mix scripts for different languages. Otherwise IDNs are displayed in Punycode“
                  https://wiki.mozilla.org/IDN_Display_Algorithm

                  And don't forget about the attacks possible by always only showing the punycode version. I don't think that either „always render every domain“ or „always show punycode“ is best for security. Yes, we rather don't want „adoḅe.com“ to be rendered as such, but if we always show only punycode, that makes „düsseldorf.de“ and „dässeldorf.de“ only distinguishable by looking at the weird numbers at the end, even though normally they're quite visually distinct.
                  https://gerv.net/hacking/idn/faq.html

                  Implementing support for one or multiple of the restriction levels from TR39 might be a good idea: http://www.unicode.org/reports/tr39/#Restriction_Level_Detection

                  As for libraries, the GNU project has one licensed as LGPL with TR46 support: http://www.gnu.org/software/libidn/#libidn2
                  „Libidn2 is believed to be a complete IDNA2008 / TR46 implementation“
                  It is used by wget and curl but I haven't personally tested it myself.
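As an added illustration of the display policy discussed in this thread (not code from the thread or from Orion), the following Python uses only the standard-library `idna` codec (IDNA2003, not IDNA2008/TR46) to decode the two `xn--ksefabrik-*` labels from the opening post and to decide, per label, whether to show Unicode or Punycode. The script check is a deliberately simplified approximation of the TR39 "Highly Restrictive" level and of the Firefox rule quoted above: it infers a character's script from the first word of its Unicode name, which is a heuristic, not the real Script property.

```python
import unicodedata

# Multi-script combinations tolerated by TR39's "Highly Restrictive" level:
# Latin may mix with exactly one East Asian script family.
ALLOWED_MIXES = (
    {"LATIN", "CJK", "HIRAGANA", "KATAKANA"},  # Japanese
    {"LATIN", "CJK", "BOPOMOFO"},              # Chinese with Bopomofo
    {"LATIN", "CJK", "HANGUL"},                # Korean
)


def to_unicode(hostname):
    """Return the Unicode form of a hostname given as either Unicode or 'xn--' labels.

    The stdlib codec implements IDNA2003; IDNA2008/TR46 differ for a few
    characters (e.g. the German sharp s), so a browser would need libidn2 or similar.
    """
    ascii_form = hostname.encode("idna").decode("ascii")   # ASCII labels pass through
    return ascii_form.encode("ascii").decode("idna")


def script_of(ch):
    """Heuristic: the first word of the character name ('LATIN', 'CYRILLIC', 'CJK', ...)."""
    if ch == "-" or ch.isdigit():
        return "COMMON"
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"   # unnamed code point: never treat as safe


def label_is_safe(label):
    """True if the label is single-script or one of the allowed combinations."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    if "UNKNOWN" in scripts:
        return False
    if len(scripts) <= 1:
        return True
    return any(scripts <= allowed for allowed in ALLOWED_MIXES)


def display_form(hostname):
    """Address-bar text: Unicode if every label passes, else the 'xn--' form.

    Limitation: single-script confusables such as the thread's 'adoḅe.com' pass this
    check; catching them needs TR39 confusable tables, which are out of scope here.
    """
    unicode_form = to_unicode(hostname)
    if all(label_is_safe(label) for label in unicode_form.split(".")):
        return unicode_form
    return unicode_form.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed samples: the two labels from the thread, a Latin/Cyrillic mix, a Japanese name.
    for host in ("xn--ksefabrik-v2a.de", "xn--ksefabrik-07a.de",
                 "ex\u0430mple.com", "\u30c9\u30e1\u30a4\u30f3\u540d\u4f8b.jp"):
        print(f"{host:25} -> {display_form(host)}")
```

Run as-is and the two thread labels decode to `käsefabrik.de` and `kösefabrik.de`, which are far easier to tell apart than their `-v2a` and `-07a` suffixes, while the mixed Latin/Cyrillic label is kept in its `xn--` form.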

                  9 months later

                  I found the issue through a title search. To prevent IDN homograph attacks, I suggest displaying the internationalized domain with an IDN flag in the address bar. Pressing the flag toggles between the IDN or punycode domain. There could be a warning for malicious domains, but I'm not sure if there's a list of authentic homograph domains.
