Update to the mitigation tools for IDN security problems

by Michael S. Kaplan, published on 2006/07/16 11:40 -04:00, original URI: http://blogs.msdn.com/b/michkap/archive/2006/07/16/667468.aspx

So it was a little under a year ago that I posted about the Mitigation tools for IDN security problems, and it was about a month ago that I posted an apology about the fact that I had not noticed the lack of 64-bit support, and the lack of a redistributable piece so that developers could get the best use out of the package....

Well, I am happy to report that the update is live, and the Microsoft Internationalized Domain Names (IDN) Mitigation APIs 1.1 download is available.

Not only does it have a redist package for developers, but the package comes in three flavors (amd64, ia64, and x86).

I can't claim any of it was specifically due to what I posted (I believe the IE team wanted some changes made to the packages to support their downlevel use of the DLL for IE7), but it is about the solutions, not about how we got there with them.... :-)

As Scott Hanselman noted in his review of IE7 Beta 3, the support in IE that makes use of this package is phenomenal. Which means that any ISV who is using the package has a chance to have a phenomenal implementation, too.

I doubt there is any better advertisement for the requirement here than that!



This post brought to you by "а" (U+0430, a.k.a. CYRILLIC SMALL LETTER A)

Rosyna on 16 Jul 2006 9:47 PM:

I still think IE's handling of IDNs is flawed. For example, there's no way to go to http://sailor月.com/japan/Japan.html without getting some kind of error in IE. Even if Japanese is in the list of languages.

Dean Harding on 17 Jul 2006 2:15 AM:

I don't think it's flawed. Just because you can point out examples of URLs which fail the test, but are still "meaningful" doesn't make it a flawed algorithm. It's just a heuristic after all.

I mean, how do you draw the line between "sailor月.com" and "mybanksitе.com" (where the last "е" is a Cyrillic letter), especially if Cyrillic is in the list of languages, just like Japanese is in the list of languages for "sailor月.com"?

Rosyna on 17 Jul 2006 4:02 AM:

Quite easily actually. Some web browsers (like Safari) have a list of scripts in which there are not confusingly similar characters. I've heard some lame excuses claiming things like イ and i look alike, yet they look nothing alike. Especially when Windows renders the fonts completely differently (CJK fonts not being antialiased). Some scripts have no confusingly similar characters such as:


The IE7 method is flawed as it gives an error message with a solution that does not work.

Rosyna on 17 Jul 2006 4:06 AM:

I mean confusingly similar characters at different code points. Notice how Cyrillic is *not* on that list?
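
A sketch of the trade-off argued in the comments above, as an added example that is not part of the original post or its comments and is not the algorithm used by IE7, Safari or the IDN Mitigation APIs: a per-label script check run on the two hostnames from the thread. The script lookup by character name, the `allowed` set and the `mixable_with_latin` list are assumptions made for illustration.

```python
import unicodedata


def char_script(ch):
    """Coarse script of a character; digits, hyphens etc. count as COMMON.

    Assumption: Python's stdlib has no Unicode Script property, so the first
    word of the character name stands in for it ("CYRILLIC SMALL LETTER IE").
    """
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {char_script(c) for c in label} - {"COMMON"}


def check_label(label, allowed, mixable_with_latin=frozenset()):
    """Verdict for one label.

    allowed: scripts the user accepts (stand-in for the "list of languages").
    mixable_with_latin: hypothetical list of scripts judged to have no
    Latin look-alikes, the kind of list the last two comments describe.
    """
    scripts = label_scripts(label)
    if not scripts <= allowed:
        return "flag: script not allowed"
    if len(scripts) > 1:
        others = scripts - {"LATIN"}
        if "LATIN" in scripts and others <= mixable_with_latin:
            return "ok: mixed, but no look-alikes"
        return "flag: mixed scripts"
    return "ok"


def check_host(host, allowed, mixable_with_latin=frozenset()):
    """Map each label of a Unicode hostname to its verdict."""
    return {lab: check_label(lab, allowed, mixable_with_latin)
            for lab in host.split(".")}


if __name__ == "__main__":
    allowed = {"LATIN", "CYRILLIC", "CJK"}       # constructed policy
    # The two hostnames from the comments; \u0435 is CYRILLIC SMALL LETTER IE.
    for host in ("sailor\u6708.com", "mybanksit\u0435.com"):
        shown = host.encode("unicode_escape").decode()
        print(shown, check_host(host, allowed))
        print("  with mix list:", check_host(host, allowed, {"CJK"}))
```

With only the allowed-scripts rule, both hostnames are flagged for the same reason; they are told apart only once a separate list of scripts that may mix with Latin is introduced.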
