But that line of reasoning presupposes both that the right name is in ASCII and that the user knows this. As soon as either one of those isn’t true, showing the Punycode no longer is of any help in determining which one is the right one.
For most security - centric websites, the right name is ASCII only.
For any that aren’t, people would have the opportunity to become familiar with the correct fingerprint over time and have a chance to notice a difference.
I’m curious to hear if you think there is a better way. What I’m saying is unlikely to ever be implemented in a browser and I’m not trying to convince you or anything, just say why I personally would appreciate it.
For most security - centric websites, the right name is ASCII only.
Are you perhaps by any chance American?
I’m curious to hear if you think there is a better way.
I think a much better solution would be to shield end users from this problem entirely, by having all registries refuse to register such confusable names, as recommended by Unicode:
Do you all have important URLs with Unicode characters?
Yes.
I wouldn’t expect them to succeed 100%
Me neither, but I find that path to be much more likely to be successful than hoping that “people would have the opportunity to become familiar with the correct fingerprint over time and have a chance to notice a difference” would ever have any meaningful impact.
But that line of reasoning presupposes both that the right name is in ASCII and that the user knows this. As soon as either one of those isn’t true, showing the Punycode no longer is of any help in determining which one is the right one.
For most security - centric websites, the right name is ASCII only.
For any that aren’t, people would have the opportunity to become familiar with the correct fingerprint over time and have a chance to notice a difference.
I’m curious to hear if you think there is a better way. What I’m saying is unlikely to ever be implemented in a browser and I’m not trying to convince you or anything, just say why I personally would appreciate it.
Are you perhaps by any chance American?
I think a much better solution would be to shield end users from this problem entirely, by having all registries refuse to register such confusable names, as recommended by Unicode:
https://www.unicode.org/reports/tr46/tr46-34.html#Registries
Yep. Do you all have important URLs with Unicode characters?
I think it would be great if registries screened registrations for confusable names. Even if they did though, I wouldn’t expect them to succeed 100%
Yes.
Me neither, but I find that path to be much more likely to be successful than hoping that “people would have the opportunity to become familiar with the correct fingerprint over time and have a chance to notice a difference” would ever have any meaningful impact.