We have a CI job to spot unwanted utf8 letters in #curl PRs as we have noticed that GitHub will gladly show, for example, the (identical) Cyrillic version of a letter next to the Latin version in a diff and it is, yes, entirely impossible for a human to spot the diff. I mean the diff is shown, but the significance of it is not.

Changing just a single letter like that in a URL hostname opens up a world of grief.
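As an added example (not curl's actual CI job), a small Python check of the kind described above, run over a constructed diff in which the Latin "a" of a hostname has been swapped for the Cyrillic "а" (U+0430): it flags every non-ASCII character on an added line with its position, code point and Unicode name, which is precisely the information the rendered diff hides.

```python
"""Added example: scan a unified diff for non-ASCII characters on added lines
and report each one by code point and Unicode name, so a reviewer sees what
the rendered diff does not show. Not curl's own CI script."""
import sys
import unicodedata

# Constructed sample diff. The added line uses "\u0430" (CYRILLIC SMALL LETTER A)
# in place of the Latin "a", which renders identically in most fonts.
SAMPLE_DIFF = """\
diff --git a/lib/url.c b/lib/url.c
--- a/lib/url.c
+++ b/lib/url.c
@@ -10,3 +10,3 @@
 /* default host used when none is given */
-#define DEFAULT_HOST "example.com"
+#define DEFAULT_HOST "ex\u0430mple.com"
"""


def find_non_ascii(diff_text):
    """Return (diff_line_no, column, char, 'U+XXXX', unicode_name) for every
    non-ASCII character found on an added ('+') line of a unified diff."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Only real added lines count; skip the '+++ b/file' header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for col, ch in enumerate(line):
            if ord(ch) > 0x7F:
                name = unicodedata.name(ch, "<unnamed>")
                findings.append((lineno, col, ch, f"U+{ord(ch):04X}", name))
    return findings


def report(diff_text):
    """Human-readable lines, one per finding, suitable for a CI log."""
    return [f"diff line {lineno} col {col}: {cp} {name}"
            for lineno, col, _ch, cp, name in find_non_ascii(diff_text)]


if __name__ == "__main__":
    # In CI this would read the PR diff from stdin; here we use the sample.
    messages = report(SAMPLE_DIFF)
    for msg in messages:
        print(msg)
    # Non-zero exit fails the job whenever any non-ASCII character slipped in.
    sys.exit(1 if messages else 0)
```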

@bagder They could still make it better - showing non-ASCII (UTF8) characters in URLs with a different background for easy identification.

@dusoft @bagder Also remember to make it possible for color blind people to also easily and quickly detect that a malicious character is being used.

Non-ASCII chars should be disallowed in all web browsers by default and then users who are willing to accept the risk can enable one or more character sets in their settings. That should be the case for all software, not just web browsers, so that copying and pasting text in e.g. a text editor can stop this kind of attack and clearly show the attempt.

@harmone And what about the vast majority of people that don’t write in a Latin script?

General solutions to specific problems tend to have side-effects, to put it mildly.

@slotos They would benefit too because they too would have a lot less risk of getting tricked into visiting malicious links etc. A little convenience is worth sacrificing, like this, for a lot of security IMHO. I too would lack some characters in my local language but would gladly have to enable them explicitly before being able to accept the risk of using them.