IDN Spoofing Vulnerability

Posted: Sat Feb 12, 2005 6:55 pm
by Chris Vogel
Using IDNs, or international domain names, a malicious Web site can send material that appears to be from a legitimate source. The problem is that some international characters, such as the Cyrillic “е”, look like other characters. Therefore, someone could make http://www.googlе.com (unregistered), which would lead to a completely different place than http://www.google.com. Both URLs look the same to most of us, but the first uses the Cyrillic “е”, and the second uses the Latin “e”.

Any browser that supports IDN is vulnerable. If you don’t use Internet Explorer, you’re probably vulnerable. Isn’t that funny? Internet Explorer fails to support IDN. However, if you do use third-party software to bring IDN support to Internet Explorer, you are vulnerable. Here is a vulnerability test.

The only solution at the moment is to disable IDN. Loss of IDN support won’t matter to most of us because IDNs are so rarely used. If you use an Internet Explorer plug-in that adds IDN support, you can disable it. If you use Firefox, Mozilla, etc., IDN support can be disabled. If it’s possible to disable IDN support in other browsers, please post here.

I think international domain names should be screened before they are registered. However, that may become impractical if IDNs become more popular in the future. Also, I think browsers with IDN support should indicate when a domain name is an international one. Putting a little globe in the address bar or status bar might be a good idea.

Archived topic from Iceteks, old topic ID:3109, old post ID:25413
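
The check below illustrates the post above; it is an added example, not part of the original thread. It reports which scripts each label of a hostname uses and the ASCII ("xn--") form that is actually sent to DNS, so the Cyrillic "е" lookalike stands out. The function names and sample hostnames are assumptions made for the example, and the script test (first word of the Unicode character name) is a simplification.

```python
import unicodedata

# Constructed sample hostnames: the second one uses U+0435 (Cyrillic "е")
# in place of the Latin "e", as in the example URL from the post.
LATIN_HOST = "www.google.com"
SPOOF_HOST = "www.googl\u0435.com"


def scripts_in(label):
    """Return the set of scripts used by the letters of one DNS label.

    The script is approximated by the first word of the Unicode character
    name, e.g. "LATIN SMALL LETTER E" -> "LATIN". Digits and the hyphen are
    shared by all scripts and are skipped.
    """
    found = set()
    for ch in label:
        if ch in "0123456789-":
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def inspect_host(host):
    """Describe every label: scripts used, ASCII (ACE) form, and two flags."""
    report = []
    for label in host.lower().split("."):
        if not label:
            continue  # ignore the empty label left by a trailing dot
        scripts = scripts_in(label)
        # Python's built-in "idna" codec turns a non-ASCII label into "xn--...".
        ace = label.encode("idna").decode("ascii")
        report.append({
            "label": label,
            "ace": ace,
            "scripts": sorted(scripts),
            "is_idn": ace.startswith("xn--"),  # what a browser indicator could show
            "mixed": len(scripts) > 1,         # e.g. Latin and Cyrillic together
        })
    return report


def is_suspicious(host):
    """True if any label mixes scripts. A label written entirely in one
    non-Latin script is not flagged here; "is_idn" still marks it."""
    return any(entry["mixed"] for entry in inspect_host(host))


if __name__ == "__main__":
    for h in (LATIN_HOST, SPOOF_HOST):
        print(h.encode("idna").decode("ascii"), is_suspicious(h))
```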

Posted: Sat Feb 12, 2005 7:43 pm
by Red Squirrel
Freaky. Man I can so trick people with that such as saying that google.com is for sale :lol:.

I'll definitely disable it. You'd think those would be considered invalid characters when registering though. I thought it was limited to A-Z 0-9 and the dash. This should be an issue that keeps the UDRP busy. :D

Archived topic from Iceteks, old topic ID:3109, old post ID:25415

Posted: Sat Feb 12, 2005 7:55 pm
by Chris Vogel
It was limited until very recently. You can see a history of IDN on the IDN page of Wikipedia.

Archived topic from Iceteks, old topic ID:3109, old post ID:25416

Posted: Sat Feb 19, 2005 8:12 pm
by Chris Vogel
Gervase Markham has announced a short-term patch for the IDN issue in the next releases of Firefox and the Mozilla Suite. He had earlier stated that IDN support would be temporarily disabled.

Archived topic from Iceteks, old topic ID:3109, old post ID:25530