Firefox, Opera Updates Address IDN Spoofing
27th February, 2005
The development teams for Firefox and Opera have updated the browsers to address URL spoofing using Internationalized Domain Names (IDN), allowing users to visit IDN domains but be protected from phishing attacks. The attacks do not affect Microsoft's Internet Explorer, the most widely-used web browser, which does not support IDN names.
Firefox 1.0.1 will display IDNs as punycode in the browser's address bar, allowing users to detect phishing attacks using potentially deceptive uses of IDNs. The new approach can be seen on the original demo demonstrated by the Shmoo Group, which uses a Unicode link to display www.theshmoogroup.com in the status bar of affected browsers, but sent users to www.xn--theshmogroup-bgk.com. The status bar now displays the unspoofed URL:
(Screenshots: status bar display in Firefox 1.0 versus Firefox 1.0.1)
Opera has taken a different approach, adopting a "whitelist" of IDNs created through domain registries that "have implemented anti-homographic character policies or otherwise limited the available set of characters to prevent URL spoofing." Opera 8.0 beta 2 also adds an additional anti-phishing measure previously implemented by Firefox, displaying the owner of a site's SSL encryption certificate alongside the "lock" icon that indicates a secure connection.
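The two policies described above can be modelled in a few lines. The following is an added example, not code from Firefox, Opera or the Shmoo Group: it uses Python's built-in `idna` codec to convert between the Unicode and punycode (`xn--`) forms of a hostname, flags labels that mix letters from more than one script (the Latin/Cyrillic mix the Shmoo demo relied on), and shows what an address bar would display under the Firefox 1.0.1 rule (always punycode for IDN) versus the Opera 8.0 beta 2 rule (Unicode only for registries on an allowlist). The `IDN_ALLOWLIST_TLDS` set and the `bücher.de` sample are constructed for the example; Opera's real list is not reproduced here.

```python
import unicodedata

# Constructed stand-in for Opera's registry allowlist (assumption; not Opera's actual list).
IDN_ALLOWLIST_TLDS = {"de", "jp", "se"}


def to_punycode(host: str) -> str:
    """ASCII (xn--) form of a hostname, as Firefox 1.0.1 shows it; ASCII labels pass through."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Unicode form of a punycode hostname (round-trips pure-ASCII hosts unchanged)."""
    return host.encode("ascii").decode("idna")


def is_idn(host: str) -> bool:
    """True if any label of the host is an internationalized (xn--) label."""
    return any(label.lower().startswith("xn--") for label in to_punycode(host).split("."))


def label_scripts(label: str) -> set:
    """Script names (first word of the Unicode character name) used by the letters in a label."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue  # digits and hyphens are script-neutral in hostnames
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def mixes_scripts(host: str) -> bool:
    """True if any label mixes letters from several scripts, e.g. Latin plus one Cyrillic 'o'."""
    unicode_host = to_unicode(to_punycode(host))
    return any(len(label_scripts(label)) > 1 for label in unicode_host.split("."))


def display_host(host: str, policy: str) -> str:
    """Address-bar text under the two policies the article describes.

    'firefox': every IDN host is shown as punycode (Firefox 1.0.1).
    'opera'  : Unicode is shown only when the TLD is on the registry allowlist
               (Opera 8.0 beta 2); any other IDN falls back to punycode.
    """
    ascii_host = to_punycode(host)
    if not is_idn(ascii_host) or policy == "firefox":
        return ascii_host
    if policy == "opera":
        tld = ascii_host.rsplit(".", 1)[-1].lower()
        return to_unicode(ascii_host) if tld in IDN_ALLOWLIST_TLDS else ascii_host
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    # Constructed samples: the Shmoo demo host (Cyrillic U+043E as the second 'o')
    # and a legitimately internationalized German hostname.
    for sample in ("www.theshmo\u043egroup.com", "b\u00fccher.de", "www.theshmoogroup.com"):
        print(f"{sample!r}: punycode={to_punycode(sample)} idn={is_idn(sample)} "
              f"mixed_scripts={mixes_scripts(sample)} "
              f"firefox={display_host(sample, 'firefox')} opera={display_host(sample, 'opera')}")
```

The mixed-script check is the part a phishing filter would act on: `www.theshmoоgroup.com` decodes from `www.xn--theshmogroup-bgk.com` and its second-level label contains both Latin and Cyrillic letters, whereas `bücher.de` is single-script and, under the Opera rule, stays readable because its TLD is on the allowlist.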
The update of Firefox comes less than two weeks after the Mozilla Project turned off IDN support as the default configuration in an effort to protect users from potential spoofing attacks using IDN.
Mozilla's decision had been criticized by the Council of European National Top-Level-Domain Registries (CENTR), which said that turning off IDN support in browsers "is an overly zealous step that will harm public confidence in IDNs - a technology that is desperately needed in the non-English speaking world."
At the time, the Mozilla Group called turning off IDN a necessary step but "obviously an unsatisfactory solution in the long term." Paul Hoffman, one of the authors of the IDN standard, expressed hope that Mozilla would craft a more balanced solution, noting that the issue involves "deep, possibly justified, mistrust in the browser developer community. If someone took the lead on doing the right thing (on IDN), others would have to at least respond, if not exactly match what the leader did."
Opera's developers agree that "the IDN problem is not one that can be solved alone, but rather together with other browser vendors, domain name registries, certificate authorities and other members of the Internet community."