"Hostname" and "webAddress" printed in punycode instead of unicode (IDN) #485
Comments
I initially created a branch for adding what seems to be a missing feature for legit users. Anyway, looking at the content of your GitHub profile, @cr-sh, made me think that such a feature could be a high vehicle of attacks, so I'm quite favourable to keeping it as it is. What do you think, @stefanbenten?
Ciao Andrea, you have just redefined the concept of security through obscurity, taking it to the next level: security through obstructionism! LOL 🌚 I'm a legit security researcher stuck in the light side of the force; BTW I well know the bad guys, and I can assure you that, if this were a really useful change for their evil purposes, they would have edited those four lines themselves, keeping this change private. Anyway, probably these days I would have done better to link you to an example domain in Japanese Kanji instead of Macedonian Cyrillic, my fault. Have a nice day, and thank you for maintaining transfersh, I'm totally in love with this project since day zero.
Ciao @cr-sh, there's no security through obscurity, neither through obstructionism: it's simply a concern similar to the one here golang/go#20210 forcing the punycode will prevent I explained my doubt because the content of your GitHub profile made me think, I never implied that your usage would be malicious. Please refrain from replying with rudeness, that's against the code of conduct of the project.
Oh, I'm sorry if I looked rude, it was not my intention at all. As I did say before, I have a lot of respect and appreciation for your work on maintaining this code, I can't thank you enough for that. 🙏 Concrete IDN homograph attacks are almost history of the past, since mixing Latin with non-Latin alphabets is now forbidden at registry level for most TLDs, .org was among the first, so you are good to go 😅 with *.golang.org. Anyway, as I had initially thought, instead of a broad “punycode to unicode” migration in the whole project, a safer approach could be to surgically apply this transformation while printing “Hostname” and “webAddress”. But I'm probably missing something as I'm not very fluent in Go, sadly. Again, thank you for your time / precious effort in open-source projects, and forgive my twisted irony.
Hey there,
in order to use this software with internationalized domain names (IDN), it would be desirable to print Unicode instead of punycode.
You can see a live example here -> https://краш.мкд
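
The display policy raised in this thread (print Unicode for legitimate IDNs, keep punycode where a homograph is plausible), as an added example that is not part of the issue or of the project's code. It is written in Python rather than the project's Go because the standard library ships a punycode codec. The function names are hypothetical, the script check is a heuristic based on Unicode character names, and the sample hosts are constructed (the first is the punycode form of the issue's example domain).

```python
import unicodedata

NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}  # may appear alongside any script


def label_scripts(label):
    """Scripts used in a label, approximated by the first word of each
    character's Unicode name (assumption: a heuristic, not the Script property)."""
    words = {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label}
    return words - NEUTRAL


def display_label(label):
    """Return the Unicode form of an xn-- label only when it is single-script."""
    if not label.startswith("xn--"):
        return label
    try:
        decoded = label[4:].encode("ascii").decode("punycode")
    except ValueError:  # UnicodeError is a subclass of ValueError
        return label  # malformed punycode: print it unchanged
    if decoded.isascii():
        return label  # fake A-label that hides plain ASCII
    scripts = label_scripts(decoded)
    if len(scripts) != 1 or "UNKNOWN" in scripts:
        return label  # mixed or unrecognised scripts: keep punycode visible
    return decoded


def display_host(host):
    """Apply display_label to each dot-separated label of a hostname."""
    return ".".join(display_label(part) for part in host.lower().split("."))


if __name__ == "__main__":
    # Constructed samples: an all-Cyrillic name, a Latin label with one
    # Cyrillic "а" (U+0430) mixed in, and a plain ASCII host.
    for h in ("xn--80ats7a.xn--d1alf", "xn--pypal-4ve.example", "transfer.example"):
        print(h, "->", display_host(h))
```

A per-label single-script check does not catch whole-script confusables, and it leaves legitimately mixed labels (for example Kanji with kana) in punycode, which is the safe fallback.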