[tbb-bugs] #21961 [Applications/Tor Browser]: should torbrowser enable network.IDN_show_punycode by default?

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 19 05:54:28 UTC 2017

#21961: should torbrowser enable network.IDN_show_punycode by default?
 Reporter:  cypherpunks               |          Owner:  tbb-team
     Type:  enhancement               |         Status:  needs_review
 Priority:  Immediate                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by cypherpunks):

 The fact that Chrome/Chromium has this mitigated, while Firefox has
 stubbornly refused to change their behavior, calling it someone else's
 problem, is one of the many reasons that people (rightfully) criticize
 Firefox and its devs for having poor security. Imagine how easy it would
 be for an administrator of a dissident website, or the code repository
 website for a critical or popular program (such as Tor?) to be

 Perhaps only enable the punycode feature when not on the lowest security
 level? The description in the browser security slider could say "Domains
 with unicode may not display properly", with the mouseover text saying
 "Characters that can be used to create a domain that looks identical to an
 existing domain will be displayed differently".

 I'm going to have to require all the important members of a website I own
 to log in exclusively using client certificates, since they will only work
 on the correct domain. I would much rather if I did not have to do
 something which has an impact on my users just because poorly-secured
 browsers insist on this being someone else's problem.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21961#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list