The spoofing flaw was demonstrated by the Shmoo Group, which used a Unicode link to display www.paypal.com in the address bar of affected browsers, but send users to www.xn--pypal-4ve.com – which then displays “www.paypal.com” in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

The attack can be disabled in Firefox and Mozilla by setting ‘network.enableIDN’ to false in the browser’s configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved.

“This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1,” the Mozilla Foundation said in its advisory. “For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names.”

The Mozilla team said that domain registrars are ignoring ICANN guidelines on IDN, and have developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks.