Support Internationalized Domain Names (IDNs)

jei4

Currently Orion seems to be the only browser that defaults to not rendering IDNs (internationalized domain names), instead showing the punycode-string when browsing. This might have a slight security benefit for users that are exclusively using websites that don't make use of IDNs, which I reckon is the reasoning behind this behavior. It also doesn't seem possible to visit webpages directly by typing in their domain name if you're not using the punycode version.

I would like you to consider adding additional settings for how IDNs are handled. I will not argue about what is the best default setting, but here are some reasons for why a certain subset of users might benefit from having IDNs handled more like in other browsers:

If I want to visit a webpage that has an IDN, currently I either need to use a punycode converter or search for it and click on a link. Not everyone is aware of how conversion can be done and not every website is easily found through a search engine.
Because only the punycode version is shown in the address bar, it might be harder to check if you're really on the page you intended to go to. This is also a common argument against rendering IDNs, but only helpful if we assume that legit webpages never use IDNs themselves. This might be the case for businesses from the English-speaking world, but is not accurate globally. Consider an attack where the legit page is "xn--ksefabrik-v2a.de" but someone uses "xn--ksefabrik-07a.de" for a phishing attempt. The unicode versions would be easier to tell apart (for German speakers) than the punycode versions.
Last but not least, it's just not visually nice to show domains like this. You might disagree here, but IDNs aren't second-class citizens of the internet in my opinion.

Edit: Seems like Orion just has no IDN support at the moment. Therefore, if that's ok this issue should be about adding support in general. After the support has landed, I guess we can discuss more in detail about any display settings and the like.

Vlad

jei4

which I reckon is the reasoning behind this behavior.

Nope, we simply haven't implemented it. Orion is written from scratch and so this needs to be implemented separately.

jei4

Nice to hear. I have looked a bit more into how Punycode works now (got curious!) and I can totally see why you haven't had the time yet. Having two standards (IDNA2003 and IDNA2008) which aren't completely compatible with each other that are complex enough on their own, plus another complex transitional compatibility processing sure doesn't make things easy to get right. Take your time 🙂

Magebarf

I was looking for a item related to IDN/punycode in general and this is the only one I found...

Would it make sense to generalize this, to cover adding IDN support in general to Orion, or is it prefered I create a separate one?

My "pet peeve" for now being the two step landing, first to search engine and then click to go to webpage, when I'm typing out (or pasting) any domain containing international characters.

Edit: Just saw the time line and that it's not even 24h old.
Interesting that everyone runs into this today. 😃

jei4

Magebarf I don't think I can change the thread title by itself but yes, let's make this a general IDN support thread then. That makes much more sense.

Magebarf

jei4
I believe Vlad (on purpose not doing a @ mention, to stay easy on his inbox and notifications) has the ability to do so.

eirk

BTW, homograph attacks exist. https://en.wikipedia.org/wiki/IDN_homograph_attack

eirk

and this is why i believe chrome and firefox ~~dont~~ show punycode by default

jei4

eirk You mean that they do show the punycode by default instead of rendering the IDN? Well it seems like they sometimes show punycode instead of rendering it depending on your locale settings and what kind of characters are inside the domain name.

Because for me, all websites with IDNs I use are rendering the domain name in both Firefox and Chrome without me having changed any settings. That‘s also what is explained on the Wiki page you linked above. For example it says on Firefox:
„ Mozilla Firefox versions 22 and later display IDNs if either the TLD prevents homograph attacks by restricting which characters can be used in domain names or labels do not mix scripts for different languages. Otherwise IDNs are displayed in Punycode“
https://wiki.mozilla.org/IDN_Display_Algorithm

And don‘t forget about the attacks possible by always only showing the punycode version. I don‘t think that either „always render every domain“ and „always show punycode“ are best for security. Yes, we rather don’t want „adoḅe.com“ to be rendered as such, but if we always show only punycode, that makes „düsseldorf.de“ and „dässeldorf.de“ only distinguishable by looking at the weird numbers at the end, even though normally they‘re quite visually distinct.
https://gerv.net/hacking/idn/faq.html

Implementing support for one or multiple of the restriction levels from TR39 might be a good idea: http://www.unicode.org/reports/tr39/#Restriction_Level_Detection

As for libraries, the GNU project has one licensed as LGPL with TR46 support: http://www.gnu.org/software/libidn/#libidn2
„Libidn2 is believed to be a complete IDNA2008 / TR46 implementation“
It is used by wget and curl but I haven‘t personally tested it myself.

Vlad

Not sure what is the current ask here and what API's/librarires can we use to do this quickly?

noquierouser

I found the issue through a title search. To prevent IDN homograph attacks, I suggest displaying the internationalized domain with an IDN flag in the address bar. Pressing the flag toggles between the IDN or punycode domain. There could be a warning for malicious domains, but I'm not sure if there's a list of authentic homograph domains.

eirk

could also implement chrome's algorithm https://chromium.googlesource.com/chromium/src/+/main/docs/idn.md

salix

eirk I would be in favor of implementing this (or some kind of equally sophisticated) algorithm for starters. Having a toggle in the settings is not good UX for anybody.

However, I disagree with how Firefox/Chrome handle this: they both have some kind of decision tree where ultimately you end up with "show the actual characters" or "show punycode version". I'd argue the latter should never be a choice. A punycode version is non-sense to the average user and can only cause confusion.

Punycode after all is just some internal technical representation of characters. Yes it happens to be quite printable, but to a human "xn--9ckk2d5c" is equally meaningless as if I would just list codepoints "U+30C3U+30C8U+30DCU+30ED" or any other kind of gibberish.

So why show anything in the first place? Chrome/Firefox go through an algorithm to kinda figure out "is this a proper domain name or just someone trying to abuse the abundance of characters in Unicode?", but if that algorithm ascertains that it is actually probably abuse they still just load the website right up. Just, don't do that and be done. And for all the other IDN domains that pass all the safety checks, treat them right and show their proper name in the URL bar.

But: never show punycode to the user (except maybe inside some developer debug tool).

twingeofregret

I tried to go to an emoji domain https://♥️.ws and it went to search instead of resolving.

What should happen is the domain name is resolved and the browser loads the resulting page. Optimally, the address bar still shows the emoji and not the punycode (which is what Chrome does).

e.g.

The address bar should show
https://♥️.ws

and not this:
Https://xn--g6h.ws

0.99.133.2.1-rc and 1.3.33

Sequoia (15)

laiz

I can confirm typing i❤️.ws in the url bar results in a search instead of going to that URL.

Regarding address bar showing the emoji, this can be configured in the Browsing section of the current Testflight and RC builds (proper release coming soon)