Update to the mitigation tools for IDN security problems

Sorting it all Out
Michael Kaplan's random stuff of dubious value



So it was a little under a year ago that I posted about the Mitigation tools for IDN security problems, and it was about a month ago that I posted an apology about the fact that I had not noticed the lack of 64-bit support, and the lack of a redistributable piece so that developers could get the best use out of the package....

Well, I am happy to report that the update is live, and the Microsoft Internationalized Domain Names (IDN) Mitigation APIs 1.1 download is available.

Not only does it have a redist package for developers, but the package comes in three flavors (amd64, ia64, and x86).

I can't claim any of it was specifically due to what I posted (I believe the IE team wanted some changes made to the packages to support their downlevel use of the DLL for IE7), but it is about the solutions, not about how we got there with them.... :-)

As Scott Hanselman noted in his review of IE7 Beta 3, the support in IE that makes use of this package is phenomenal. Which means that any ISV who is using the package has a chance to have a phenomenal implementation, too.

I doubt there is any better advertisement for the requirement here than that!

Enjoy!

 

This post brought to you by "а" (U+0430, a.k.a. CYRILLIC SMALL LETTER A)

Blog - Comment List
  • I still think IE's handling of IDNs is flawed. For example, there's no way to go to http://sailor月.com/japan/Japan.html without getting some kind of error in IE. Even if Japanese is in the list of languages.
  • I don't think it's flawed. Just because you can point out examples of URLs which fail the test, but are still "meaningful" doesn't make it a flawed algorithm. It's just a heuristic after all.

    I mean, how do you draw the line between "sailor月.com" and "mybanksitе.com" (where the last "е" is a Cyrillic letter), especially if Cyrillic is in the list of languages, just like Japanese is in the list of languages for "sailor月.com"?
  • Quite easily actually. Some web browsers (like Safari) have a list of scripts in which there are not confusingly similar characters. I've heard some lame excuses claiming things like イ and i look alike, yet they look nothing alike. Especially when Windows renders the fonts completely differently (CJK fonts not being antialiased). Some scripts have no confusingly similar characters such as:

    Arabic
    Armenian
    Bopomofo
    Canadian_Aboriginal
    Devanagari
    Deseret
    Gujarati
    Gurmukhi
    Hangul
    Han
    Hebrew
    Hiragana
    Katakana_Or_Hiragana
    Katakana
    Latin
    Tamil
    Thai
    Yi

    The IE7 method is flawed as it gives an error message with a solution that does not work.
  • I mean confusingly similar characters at different code points. Notice how Cyrillic is *not* on that list?
  • Remember earlier this month when I was talking about the Update to the mitigation tools for IDN security...
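
The distinction argued in the comments above, as an added example that is not part of the original post or of the Microsoft IDN Mitigation APIs: both quoted hostnames mix scripts, and only the script list separates them. Assumptions: a character's script is approximated by the first word of its Unicode name (the Python standard library exposes no Script property), and the names `ALLOWED`, `label_scripts` and `review_host` are hypothetical.

```python
import unicodedata

# Script list quoted in the comment thread, written as the first word of the
# Unicode character name (assumption: the name prefix stands in for the
# Script property). Cyrillic is absent, as the thread points out.
ALLOWED = {
    "ARABIC", "ARMENIAN", "BOPOMOFO", "CANADIAN", "DEVANAGARI", "DESERET",
    "GUJARATI", "GURMUKHI", "HANGUL", "HAN", "HEBREW", "HIRAGANA",
    "KATAKANA-HIRAGANA", "KATAKANA", "LATIN", "TAMIL", "THAI", "YI",
}
PREFIX_TO_SCRIPT = {"CJK": "HAN"}  # "CJK UNIFIED IDEOGRAPH-6708" is Han


def label_scripts(label):
    """Return the set of scripts used by the letters and marks in one label."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch)[0] not in "LM":
            continue  # digits and hyphens are treated as script-neutral
        prefix = unicodedata.name(ch, "UNKNOWN").split()[0]
        scripts.add(PREFIX_TO_SCRIPT.get(prefix, prefix))
    return scripts


def review_host(host):
    """Per label: scripts seen, whether they mix, and the form to display."""
    report = []
    for label in host.split("."):
        scripts = label_scripts(label)
        off_list = scripts - ALLOWED
        report.append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
            "off_list": sorted(off_list),
            # Fall back to the ASCII (Punycode) form if any script is off-list.
            "display": label.encode("idna").decode("ascii") if off_list else label,
        })
    return report


if __name__ == "__main__":
    # Constructed inputs: the two hostnames quoted in the comments.
    for host in ("sailor\u6708.com", "mybanksit\u0435.com"):
        for row in review_host(host):
            print(host, row)
```

A mixed-script test alone would treat both names the same way; the `off_list` field is what lets the Latin+Han label through while the Latin+Cyrillic one is shown in its `xn--` form.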