Closed Bug 1444661 Opened 6 years ago Closed 6 years ago

IDN mixed charset domain names - feedback collection

Categories

(Firefox :: Address Bar, defect, P3)

58 Branch


VERIFIED DUPLICATE of bug 1332714

People

(Reporter: akostadinov, Unassigned)

Details

+++ This bug was initially created as a clone of Bug #1444551 +++

Cloning this bug for the last time but I find it highly disturbing that questions have been raised to me, then my ability to reply was removed. It's fine to restrict comments here too, if you decide as I'll tell what I have to tell now and move ahead.

And there are a number of things in reply to Gijs from Bug #1444551. 

* if you remove ability for community to provide feedback on something, you're essentially making it very difficult to make a good decision for that community; also new ideas would not be possible to be submitted
* thus some form of poll or whatever for feedback needs to be made available if Mozilla wants to serve their community
* the feedback I provided is that as a Cyrillic user I find it an anti-pattern to use a mixed charset domain regardless of TLD (i.e. the "Single Script" level from your doc as far as I understand it regardless of .bg .ru .com .whatever); in original Bug #1332714 I've seen mostly Latin only users concerned that Cyrillic users would be alienated; but I don't think this would be the case (a good approach would be to create a poll about this)
* The arguments against the best solutions I see as a Cyrillic user sound like "it will not help 100% so solution is useless". I think that a solution to solve 99% or 95% of the cases is actually quite an improvement and will make any abuse of the Unicode domains loopholes not worth the effort. Presently certain domains can be happily abused. (about specific way to highlight the mixed charsets there could also be a poll, there are a great deal of possibilities and what I wrote in Bug #1444551 is just for illustration purposes)

At the end I've always believed Mozilla is focused on serving community. If this is the case, then it is counter-productive to remove ability of community to give feedback and state its preference to the kind of solutions to be provided.

Things are non-trivial and a constructive discussion is the way to reach a satisfying outcome. It is rather hard to drive a large-scale constructive discussion, but I expect Mozilla to be a leader in this area.

Gijs, I appreciate your answer though. Wish you and everybody else all the best.

-- https://www.ерау.bg https://www.ебау.com just two options off the top of my head
(In reply to Alexander from comment #0)
> +++ This bug was initially created as a clone of Bug #1444551 +++
> 
> Cloning this bug for the last time but I find it highly disturbing that

For goodness' sake, at least clean the CC list when doing this. 

> questions have been raised to me, then my ability to reply was removed. It's
> fine to restrict comments here too, if you decide as I'll tell what I have
> to tell now and move ahead.
> 
> And there are a number of things in reply to Gijs from Bug #1444551. 
> 
> * if you remove ability for community to provide feedback on something,
> you're essentially making it very difficult to make a good decision for that
> community; also new ideas would not be possible to be submitted

I should have made this clear in my comment, my apologies for not doing so. However, we're not removing people's ability to provide feedback, just removing it ***in the bugtracker***, where its ability to function as the technical solutions-oriented space to review patches etc. was impaired by an overload of comments that contained very little productive information, lots of misunderstandings, and made it impossible to have a meaningful discussion. You are basically doing exactly that by continuing to clone the bug which continues to send email to everyone CC'd on the original bug.

******

The appropriate venue for new ideas is a relevant newsgroup, like https://groups.google.com/forum/?fromgroups=&hl=en#!forum/firefox-dev or https://groups.google.com/forum/#!forum/mozilla.dev.security . There is a thread in the latter that you probably want to read before posting there. ( https://groups.google.com/d/msg/mozilla.dev.security/4cG5Dmi-lH0/v5kKIC8tAwAJ )

******

> * thus some form of poll or whatever for feedback needs to be made available
> if Mozilla wants to serve their community

A poll is not a good way of making technical decisions for too many reasons to talk about in this bugzilla comment, the most important ones being that there's no weighing of pros and cons, reasoning for a decision, sample bias (poll-takers vs. Firefox users), and lack of understanding of the actual issue by people taking the poll meaning the result would likely not be objectively 'best' anyway.

> * the feedback I provided is that as a Cyrillic user I find it an
> anti-pattern to use a mixed charset domain regardless of TLD (i.e. the
> "Single Script" level from your doc as far as I understand it regardless of
> .bg .ru .com .whatever);

The `ca.com` spoof is single-script (only contains Cyrillic) besides the TLD, as were the apple.com and epic.com spoofs before it, so this doesn't help unless we're ready to block (almost; the definition of 'single script' is still confusing) all non-latin addresses on latin TLDs (making those domains essentially worthless to people who paid to register those domains), which we're obviously hesitant to do (and is also not something any other browser has done).

We already block mixed-script domains, that's why the original bug is specifically called 'whole-script confusables'.

> Things are non-trivial and a constructive discussion is the way to reach a
> satisfying outcome. It is rather hard to drive a large-scale constructive
> discussion, but I expect Mozilla to be a leader in this area.

Discussion tends to happen in newsgroups / mailing lists (they're mostly mirrored) and IRC, not on bugreports, which are normally focused on details of patches rather than extensive wide-participation blue-sky-solution-brainstorming for underspecified problems (which is what the IDN whole-script confusable thing is, really).

If you have further concerns and for whatever reason don't want to use the mailing lists / newsgroups, feel free to email me privately but please stop abusing bugzilla.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
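
The distinction drawn in the reply above, between mixed-script labels and whole-script confusables, shown as an added example that is not part of the original thread and is not Firefox's code. The function names and the small Cyrillic-to-Latin lookalike map are assumptions made for illustration; the two Cyrillic-only sample labels are the ones given in comment #0.

```javascript
// Added illustration. The lookalike map is a small constructed subset, not
// the full Unicode UTS #39 confusables data and not Firefox's implementation.
const CYRILLIC_TO_LATIN = new Map(Object.entries({
  "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
  "\u0445": "x", "\u0443": "y", "\u0455": "s", "\u0456": "i", "\u0458": "j",
}));

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Scripts used by the letters of one label; digits and hyphens are Common.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Latin lookalike of a Cyrillic label, or null if a letter has no twin in the map.
function latinSkeleton(label) {
  let out = "";
  for (const ch of label) {
    const latin = /[0-9-]/.test(ch) ? ch : CYRILLIC_TO_LATIN.get(ch);
    if (latin === undefined) return null;
    out += latin;
  }
  return out;
}

function classifyLabel(label) {
  const lower = label.toLowerCase();
  const scripts = scriptsOf(lower);
  if (scripts.length > 1) return "mixed-script";
  if (scripts[0] === "Cyrillic" && latinSkeleton(lower) !== null) {
    return "whole-script-confusable";
  }
  return "single-script";
}

// Constructed samples; the two Cyrillic-only labels are those in comment #0.
const SAMPLES = ["example", "ex\u0430mple", "\u0435\u0440\u0430\u0443",
  "\u0435\u0431\u0430\u0443", "\u043f\u0440\u0438\u043c\u0435\u0440"];
for (const s of SAMPLES) console.log(s, scriptsOf(s), classifyLabel(s));
```

A mixed-script check alone passes every all-Cyrillic label here; only the skeleton comparison separates the label whose letters all have Latin twins from ordinary Cyrillic words.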
Someone should add: Original opener of this bug, if you continue to do this, we will turn off your bugzilla account at some point. Please don't spam people with bugs when they are already restricted for a reason.