I think people somehow misunderstood my previous entry about disabling IDN support in FireFox. It was written right after Mozilla announced they would disable default support for IDN, and before they changed that to just display IDN domains as punycode.
I have even been contacted by “Security Professionals”, saying my comments are idiotic and dumb. They even told me to delete my entry, I told them to stop visiting my blog, but for some unknown reason, they simply won’t give up — they keep sending me mails, sounding more and more fascistic for each mail.
What they apparently do not understand, or take the time to comprehend, is that I was right. There is nothing more to it. I was 100% correct in saying that disabling IDN support was a mistake, and Mozilla came to the same conclusion and implemented a much better way of handling the spoofing problem (by displaying links as punycode). It doesn’t really matter if the solution is not that pretty, because it solves the problem and leaves IDN support working like it did before. You don’t have to remove features, that people depend on, in order to solve a problem.
So please stop sending me idiotic mails about how wrong you think I was, how I don’t give a damn about security and how I made a bet with the devil for the souls of all mankind.
Personally I like Opera’s way of handling the IDN problem. Cyrillc chars are allowed only in the domains of countries which use Cyrillc. Same for other countries (u” only for de domains a.s.o.). The rest is displayed in punycode. As I’m writing I just figured something like paypal.ru might pose a problem ;)
Sounds like a classic tail and dog problem. The Opera approach seems like a reasonable compromise.