Re: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
On Wed, Feb 09, 2005 at 01:04:53PM -0000, Randal, Phil wrote:
> I've verified that the flaw exists on Windows XP SP2 fully patched IE 6
> with Verisign's plugin from http://www.idnnow.com/index.jsp.
I think it's incorrect to blame browsers for this bug. It's a flaw in
the design of IDN, which was obvious from the very beginning. In Unicode
set there are many characters which look very similar, not only
hex 0430; dec 1072, CYRILLIC SMALL LETTER A
which was used in fake "paypal" example.
The "fixes" proposed so far rely on switching off the IDN support in
browsers, which only confirms, that it's not a bug, it's a feature.
What are IDN-enabled browsers supposed to do, anyway?
Should they display a special warning in case a user enters an IDN
domain name? Or a different "padlock" icon in case of SSL?
People, who legally bought those names would be then treated unfairly.
I think it's up to the browsers' authors to invent some nonobtrusive way
to notify the user, that he/she entered an IDN-enabled site (like a
small icon in the address or status bar; maybe an additional address
bar, which would show the real punycode URL; etc.), but let's not forget
that IDN was invented that way.
Marcin