Anne van Kesteren


Untill today you might have not known what an IRI is. Even Google does not provide a proper answer. Lets give them a definition:

The Internationalized Resource Identifier (IRI) is a superset of the Uniform Resource Identifier (URI) and makes it possible to include non US-ASCII characters to refer to a resource.

That sounds quite right, doesn’t it? IRIs are defined in RFC 3987. (As always, in plain text.) There is also some information on the W3C Internationalization Activity home page.

This has a relationship to the IDN spoofing everyone is talking about, obviously. Namely that the non-punycoded link is an IRI. It is very unfortunate that Mozilla chooses to disable IDNs completely in at least Firefox 1.0.1 and Mozilla 1.8b. Other (and better, in my opinion) solutions have been proposed and especially the fact that they are disabled for all official localisations makes this a pain. Even weirder is the fact that there already was a pretty solid proposal.


  1. The disabling of IDN in Mozilla is a temporary measure. As IDNs are not in widespread use yet, it shouldn’t affect too many people. People who want to re-enable IDNs will be able to do so through an easy update.

    The thing is, the 1.0.1 release of Firefox is scheduled for this or maybe next week. Developing a solution (the one proposed utilising a whitelist is a good one) will take time for research and development. Mainly research. They do not have that time, hence the temporary solution to turn it off. Doing so will affect few users, a paypal spoof using IDN will affect many.

    Gerv made a good followup post.


    Posted by Laurens Holst at

  2. Yeah, I can see their point now after having it discussed for a bit. I still don’t like it very much though.

    Posted by Anne at

  3. Excuse the nitpick, but perhaps it would be helpful to not say "plain text" when you mean "7-bit ASCII".

    Posted by Isaac at

  4. Well, it is delivered as text/plain. I was talking about that. However, why would it be useful to talk about it as 7-bit ASCII? (The character encoding seems to be ISO-8859-1.)

    Posted by Anne at

  5. A less evil technique will be used: New Short-Term Patch For IDN-based Spoofing.

    Posted by Anne at