User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 Build Identifier: Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0 According to http://www.icann.org/en/topics/idn/fast-track/idna-protocol-2008.txt the characters such as "ß" should be allowed in domain names, but it's resolved as "ss" is such occurrences. Further Reading : http://www.icann.org/en/topics/idn/fast-track/idna-protocol-en.htm Reproducible: Always Steps to Reproduce: Try to go to www.meßdienst.de Actual Results: Firefox goes to www.messdienst.de (which in turn redirects else where) Expected Results: Firefox should load www.meßdienst.de (& not www.messdienst.de) Checking as a security issue, cause this can be used to hijack users of a specific site to a similarly named (ss instead of ß), as a automatic redirect.

This doesn't need to remain s-s. We have a whitelist of TLDs for which we enable IDN, and particular characters that we block due to spoofing concerns, IIRC, but gerv knows the details.

This problem is most immediately the fault of the .de registry, who have decided it's a smart idea to allow these two domain names to be registered to two different entities. IDNA2008 (which we do not yet implement) treats them as the same, but IDNA2003, which still has a large installed base, does not. Allowing this type of registration is bound to cause problems, and I think it was highly unwise of them. We hope to implement IDNA2008 soon, but it won't make this move any less unwise on their part. Gerv

... and partly the fault of the IDNA working group who decided it was perfectly fine to publish an incompatible update to their standard.

Well, the Germans did request the incompatibility. And it could have been managed fine with bundling or blocking. This is very much a hole they've dug for themselves; if anyone gets phished this way, it'll be pretty obvious whose fault it was. Gerv

>Well, the Germans did request the incompatibility. I didn't request that but I don't care about it :-) denic.de (the .de registry) warns about compatibility issues and domain owners with an "ß" in their domain should send their complains to denic and not to "us" who have to fight with the mess that they created.