On Tue, Feb 20, 2018 at 10:40:31AM +0100, Chaals McCathie Nevile wrote:
> People who more naturally read a non-Latin script - the primary market for non-Latin script - are generally more able to read that accurately and less able to spot oddities in Latin script or another script they don't read.
This is only partly relevant, because even an ASCII label can cause trouble. If you doubt this, and you use an Apple product, I suggest that you try to transcribe a string in the default font in either iOS or OSX (Keychain Access) where the string contains exactly one of capital I, lower-case L, capital O, or the digit zero. There are certainly similar cases with composed Latin characters, and there are several well-worked-over examples in Arabic script -- the latter where characters that are all but guaranteed to use the same glyph are nevertheless different characters.
> It is about ensuring that people can effectively notice whether something is a meaningful URL they were looking for, or a corrupted version. It is easier for most people in their own script than noticing a corrupted version of a punycode string.
The basic problem here is that domain names were a _lousy_ basis on which to build security policies, but we did it. (That sort of thing happens all the time. The automobile was a lousy basis around which to do social planning, but every North American city of any size shows that we did that, too. We shape our tools and thereafter they shape us.)

Best regards,

A

--
Andrew Sullivan
ajs@anvilwalrusden.com