February 17, 2005

New Short-Term Patch For IDN-based Spoofing

Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN - set "network.IDN_show_punycode" to false. As with the previous plan, this preference will be set to true in all official builds.

As I've said in previous blogposts, turning off IDN entirely was always an suboptimal solution, and I'm very pleased we've managed to find a third way. The search goes on for something better long-term - I'm sure you'll all agree that, while showing the punycode domain all the time solves the immediate spoofing problem, the fewer browsers out there that do it, the better.

Could I please add a plea that before anyone posts comments on bugs or blogposts suggesting their incredibly simple idea for solving the issue completely, could they please read at least some of the previous posts, bugs, discussions and papers written about the subject? Thanks :-)

Posted by gerv at February 17, 2005 10:37 PM
Comments

Gerv, why are all your posts made so late at night? I have two possible scenarios, no doubt there are more:

A) You are incredibly committed to the Mozilla cause, committing a really commendable effort to it

B) You are a serial insomniac.

In either case, please remember to go to sleep occasionally!

Posted by: ching at February 18, 2005 12:43 AM

It's because Mozilla is not my day job, and trying to stay on top of this IDN business is taking up ridiculous quantities of my time! :-|

Posted by: Gerv at February 18, 2005 08:35 AM

Excellent. I think this is a much better solution than totally disabling IDN support.

Posted by: Christian at February 18, 2005 08:51 AM

Yup, as long as I can *type* IDN domains I'm a happy camper..

Posted by: tr at February 19, 2005 12:09 AM

[Sorry for the shameless double posting, since I've posted this in your previous IDN spoofing thread before noticing this new update, and then I thought its place was here and not there :) ]

Why not have, by default, different fonts for different types of characters?

I'm using Bitstream Vera Sans for my UI, and when I tried that paypal site I noticed the first a was different, not sure if it is because the font itself doesn't have that character or because it has different a's. But I had a visual warning.

Anyway, with the current setup FireFox uses the font set in the OS for the adress bar. If, instead, it would use the fonts in the fonts settings for Firefox, and by default 'Western' and 'Unicode' were set to be visually different fonts, and finnaly when the user tried to set up the same font for both 'Western' and 'Unicode' a warning would pop up about the danger.

Then we would have some visual warning equivalent to payppal.com passing has paypal.com. Which means, it's not perfect, sometimes people would miss them, but it would be has easy to spot as payppal.

Posted by: Specimen at February 19, 2005 04:38 PM
Why not have, by default, different fonts for different types of characters?

Because, off the top of my head:

  • the variety fonts available on different systems is very large
  • the browser cannot tell programatically how different a given two fonts are
  • there may only be a small number of full Unicode fonts which can display all the characters
  • the browser can't easily tell if a particular two characters have the same glyph in a font at all sizes
  • It would be ugly.

    Gerv

Posted by: Gerv at February 19, 2005 07:38 PM

Congratulations to this great interim solution!

Now everyone should be very happy and there is plenty of time to conceive an even better long-term solution.

Posted by: Mozilla Fan at February 21, 2005 09:59 PM

Shouldn't ICANN simply find the domain names that would spoof popular domains and block them from being registered?

-- Brian Bober

Posted by: netdragon at February 22, 2005 09:17 AM

Shouldn't ICANN simply find the domain
names that would spoof popular domains
and block them from being registered?

Please, no! ICANN is already expert at restricting and revoking domain names based on (real or imagined) conflict with domains owned by more powerful people or companies. Don't give them another excuse.

Posted by: Max Hyre at February 22, 2005 03:44 PM

I, living in Eastern Asia, believe this solution is really bad. Changing font is difficult, I understand, but how about colors, font sizes or styles, such as italics? How about showing punycode in tooltip or something at the same time of showing IDN? In this situation, we are not protected from IDN-to-IDN phishing domains because all has some punycode and distingushing phishing punycode domain name from non-phishing one is very much harder than distinguishing phishing IDN from correct one. At least we must see both non-punycode domain name and punycode one at the same time to be sure we are not phished.

Posted by: M.H. at February 28, 2005 10:36 AM

mobile ringtones Hi, I'm French and I love your website, you must have done an hard work to create it and I want to say you that your site is wonderful ! ringtones Thanks for your excellent work and good luck for your next creation ;o)
ringtones mobile

Posted by: pierre at March 1, 2005 10:56 AM