We've been working for a while now to try to come up with a plan for routing around the IDN security problem created by a failure of some registrars to do the right thing when handing out domains.
Today, it is possible to register a IDN homographs for popular commercial sites which makes it fairly trivial to spoof users into accepting the bogus domain as legitimate.
I'm convinced, as are many others, that this is a failure on the part of the registrars but that being said, our users are put at risk by this failure and we'll be taking some fairly drastic steps (including breaking IDN in Gecko browser) to help defend our users.
If and when the registrars get their acts together, we'll reconsider enabling this support and IDN can start moving forward again.
Gerv's posted the Mozilla strategy over at his weblog.
Posted by asa at February 14, 2005 05:24 PMGiven that homographs in domain names are such a tricky issue, I think that blaming the registrars for the whole problem is not a satisfactory solution.
Further, for a reliable warning system against phishing, I rather trust mozilla/firefox than every single registrar (a single registrar with loose policies is sufficient for an attack). So I would love to see a good solution for Bug "Protect against homograph attacks" 279099 and hope very much that IDNs will survive.
Posted by: Hansres on February 14, 2005 09:22 PMBetter safe then sorry. Mozilla is taking action. I like it.
Posted by: aasgier on February 14, 2005 09:22 PM
I hope the decision is to break it by turning it off by default not by permanently disabling it - here's some very insightful opinion from Paul Hoffman
http://lookit.proper.com/archives/000302.html#000302
and an illuminating comment on BoingBoing that points out why it's not a good idea to think that it would be resolved if the registrars would act differently.
http://www.boingboing.net/2005/02/14/idn_domain_spoofing_.html
i agree with helvick the Paul Hoffman options look good. mostly the idn icon in the toolbar, it could go before the padlock.
don't break idn, i know people who find it really usefull...
http://lookit.proper.com/archives/000302.html
Posted by: matt on February 15, 2005 02:30 AM"Firefox 1.0.1" is mentioned in the link; is there a rough estimate of when that's due out?
Also, as part of a future fix or partial fix (i.e. temporarily work into an extension?), what do you think of the following security scenario:
If Firefox detects that an IDN is about to be accessed, that it checks for homographs for the characters in the URL (there are probably only a finite amount, right?) and if any are present it gives a warning with the option to add to a black list. Maybe also include a list of commonly accessed and thus potentially spoofed sites (paypal, ebay, etc.) that if the IDN homograph matches would be automatically blocked...
Posted by: Limulus on February 15, 2005 02:30 AMSadly, I think disabling is the best option, especially for marketing concerns. Tons of blogs and comments and articles have showed up online stating IE is immune to this security issue because they don't support IDN. So they're treating this as the first case of IE beating Mozilla at security -- which I find ridiculous.
So if we have to cripple our browser to give higher security... so be it. Let's just hope this doesn't become a habit!
Posted by: schmichael on February 15, 2005 07:02 AMOn Bugzilla Bug 22183 I have been arguing for color-coded URLs which I think would help with this problem. The homographs could have a distinctive color or style (or even background color) to indicate that the character isn't (for example) a plain-ol' "a" even though it looks like it.
Plus the color-coding would help with phishing scams. Especially those where the URL includes a username and password.
Posted by: Block Sheep on February 15, 2005 09:43 AM