Darin and I have spoken about this in the context of telnet:, but I am also thinking this might be relevant to the new interest that gopher: and finger: have generated. If we are going to support URL's that point to external protocol handlers, it seems that we should provide some facility for masking the URLs, and making things like illegal characters in DNS and control-characters in interactive sessions go away. Darin had a couple examples for telnet, and I think we have good examples in bugzilla for ftp and gopher as well. Finger is a pretty notoriously insecure service already, I think I had seen some really bad hostname parsing in it when I tested it about a year ago as well.
Is finger external?
finger is internal, if enabled - it's an optional extension; but I don't know if it's enabled by default or not.
finger is disabled by default.