IDN Spoofing Vulnerability

Firewalls, routers, servers, switches, SANs, PBXes, security and related topics
Locked
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am

IDN Spoofing Vulnerability

Post by Chris Vogel »

Using IDNs, or international domain names, a malicious Web site can send material that appears to be from a legitimate source. The problem is that some international characters, such as the Cyrillic “е”, look like other characters. Therefore, someone could make http://www.googlе.com (unregistered), which would lead to a completely different place than http://www.google.com. Both URLs look the same to most of us, but the first uses the Cyrillic “е”, and the second uses the Latin “e”.

Any browser that supports IDN is vulnerable. If you don’t use Internet Explorer, you’re probably vulernable. Isn’t that funny? Internet Explorer fails to support IDN. However, if you do use third-party software to bring IDN support to Internet Explorer, you are vulnerable. Here is a vulnerability test.

The only solution at the moment is to disable IDN. Loss of IDN support won’t matter to most of us because IDNs are so rarely used. If you use an Internet Explorer plug-in that adds IDN support, you can disable it. If you use Firefox, Mozilla, etc., IDN support can be disabled. If it’s possible to disable IDN support in other browsers, please post here.

I think international domain names should be screened before they are registered. However, that may become impractical if IDNs become more popular in the future. Also, I think browsers with IDN support should indicate when a domain name is an international one. Putting a little globe in the address bar or status bar might be a good idea.

Archived topic from Iceteks, old topic ID:3109, old post ID:25413
Top
User avatar
Red Squirrel
Posts: 29209
Joined: Wed Dec 18, 2002 12:14 am
Location: Northern Ontario
Contact:
Contact Red Squirrel

IDN Spoofing Vulnerability

Post by Red Squirrel »

Freaky. Man I can so trick people with that such as saying that google.com is for sale :lol:.

I'll definatly disable it. You'd think those would be considered invalid characters when registering though. I thought it was limited to A-Z 0-9 and the dash. This should be an issue that keeps the UDRP busy. :D

Archived topic from Iceteks, old topic ID:3109, old post ID:25415
Honk if you love Jesus, text if you want to meet Him!
Top
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am

IDN Spoofing Vulnerability

Post by Chris Vogel »

It was limited until very recently. You can see a history of IDN on the IDN page of Wikipedia.

Archived topic from Iceteks, old topic ID:3109, old post ID:25416
Top
Chris Vogel
Posts: 5140
Joined: Fri Jan 10, 2003 1:14 am

IDN Spoofing Vulnerability

Post by Chris Vogel »

Gervase Markham has announced a short-term patch for the IDN issue in the next releases of Firefox and the Mozilla Suite. He had earlier stated that IDN support would be temporarily disabled.

Archived topic from Iceteks, old topic ID:3109, old post ID:25530
Top
Locked

Return to “Networking and Security”