IDN Update
February 15th, 2006
My post on the complications of Internationalized Domain Names (IDNs), which was published at Circle ID, and reported on Brian Turner’s blog and others, received quite a few comments, and some useful corrections. One of the better reasons for posting up my ideas and opinions is to be corrected when I’m wrong.
Spoofing
I should have done a little more research on the new version of Internet Explorer, which has a very good implementation by Microsoft of some anti-spoofing measures to deal with homographs (words that contain characters that look the same, but are from different alphabets).
It’s still pretty easy to display a fake URL with IDNs by changing the display label on a link, for instance to display “http://www.paypal.com” when the link is actually to some fly-by-night IP address, but that’s true whether it’s an IDN or not.
If you mouse over a link on a web page, you should see the “real” link in the information bar at the bottom left of your browser. The new IE7 will show the gibberish-looking punycode version of a foreign-language IDN in the information bar unless you have the matching language set installed.
Have a look. Keep your eye on your information bar as you mouse over these links:
- Документы.com [The Russian word, unlinked]
- Документы.com [the Russian word linked to a non-IDN web site]
- Документы.com [the Russian word linked to the IDN URL http://www.Документы.com]
- http://www.PayPal.com [a favorite spoofer URL linked to the IDN URL http://www.Документы.com]
If you’re using IE7 and you don’t have the Russian language pack installed and enabled, the last two examples will show up in the information bar as “http://www.xn--d1coigc6ae0f.com” — the punycode version of the name. That will clue in the knowledgeable user that the link is to an internationalized domain name, and hence may well be a homographic spoof. (Firefox will do this too.)
If you do have the Russian language pack installed and enabled, the last two examples will show up in the information bar as “http://www.Документы.com”.
So the potential for homograph spoofing is really limited to those non-Roman character users who install their native language language packs as well as Roman-character language packs. Potential for mischief, yes, but on a much more limited scale than I had thought.
Searching in IDNs
Paul Hoffman, who is one of the gods of IDN, chided me a bit in one of his comments to my IDN post on CircleID:
While otherwise great, this article has a significant technical error. It says “you can’t at present search for anything except an exact match”. That is plainly incorrect. You cannot search the untranslated zone file for an exact match, but as the article shows in the next paragraph, there is a single unambiguous way to convert every IDN name to its Unicode equivalent. If you want to search for “plurals, misspellings, instances of your mark contained in longer names” and so on, you simply convert all the names in the zone to their Unicode equivalents and search the converted list. People have been doing this since the first day that IDNs were introduced into any of the TLDs.
OK, yes. But I haven’t been able to find any publicly-accessible web interfaces that will give you access to such a list of converted IDNs, and I would hazard that it’s well beyond the technical ken of most trademark lawyers (or indeed, most people of any kind) to perform this sort of mass conversion of IDNs. I doubt that most people could even define “zone”, let alone figure out how to download it. Even if they could, they would have to sign a contract with VeriSign before they could.
So in this case, although I am “plainly incorrect”, searching IDNs is not a trivial matter. I suspect someone will have to develop a commercial application before this kind of searching is available to most of the people who want to do the searching.
But thanks to all who pointed out my mistakes. Mea culpa, but the corrections are useful and I hope this clarification will help others.
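The conversion Paul Hoffman describes in his comment, sketched as an added example that is not part of the original post: it decodes each ACE ("xn--") name to Unicode with Python's built-in `idna` codec and searches the converted list for a mark. It goes one step beyond plain substring search by folding a small, assumed table of Cyrillic look-alike letters and flagging mixed-script labels; the zone entries and all function names are constructed for illustration.

```python
import unicodedata

# Constructed sample names, encoded to the ACE ("xn--") form a zone file stores.
# \u0430 is CYRILLIC SMALL LETTER A, which renders like Latin "a".
_NAMES = ["документы.com", "paypals.com", "my-p\u0430yp\u0430l-login.com", "example.com"]
SAMPLE_ZONE = [n.encode("idna").decode("ascii") for n in _NAMES]

# Assumed, deliberately small table of Cyrillic letters that resemble Latin ones.
LOOKALIKES = str.maketrans(
    "\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u0456", "aeopcyxi")

def to_unicode(ace_name):
    """Decode one ACE domain name to Unicode; None if it is not valid IDNA."""
    try:
        return ace_name.encode("ascii").decode("idna")
    except UnicodeError:
        return None

def fold(text):
    """Lowercase and map look-alike Cyrillic letters to their Latin twins."""
    return text.lower().translate(LOOKALIKES)

def mixed_script(name):
    """True if any single label mixes scripts (e.g. Latin with Cyrillic)."""
    for label in name.split("."):
        found = {unicodedata.name(c, "UNKNOWN").split()[0]
                 for c in label if c.isalpha()}
        if len(found) > 1:
            return True
    return False

def search_zone(ace_names, mark):
    """Return (ace, unicode, mixed_script) for names containing the mark."""
    hits = []
    for ace in ace_names:
        uni = to_unicode(ace)
        if uni is not None and fold(mark) in fold(uni):
            hits.append((ace, uni, mixed_script(uni)))
    return hits

if __name__ == "__main__":
    for ace, uni, mixed in search_zone(SAMPLE_ZONE, "paypal"):
        print(f"{ace}  ->  {uni}  mixed-script={mixed}")
```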





“If you mouse over a link on a web page, you should see the “real” link in the information bar at the bottom left of your browser.”
Err no. You’ll only see that if there isn’t an onmouseover action set. It’s relatively easy to force completely different information to display in this context.
Michele | February 15th, 2006 at 2:15 pm
Yes, but that’s true whether it’s an IDN or not. I don’t know how many phishing efforts use an onmouseover action. All the fake PayPal messages I’ve received show the actual URL in the information bar when I mouse over the link.
Antony | February 16th, 2006 at 10:22 am