New Short-Term Patch For IDN-based Spoofing

Darin Fisher, network supremo, has pulled it out of the bag and come up with a less drastic short-term solution to the IDN problem. It has just been checked in for all three upcoming releases. Read about it over in bug 282270, but basically IDN will still work, but all occurrences of IDN domains in the browser UI (URL bar, security info etc.) will be the punycode form. There is a pref to re-enable full IDN – set “network.IDN_show_punycode” to false. As with the previous plan, this preference will be set to true in all official builds.

As I’ve said in previous blogposts, turning off IDN entirely was always an suboptimal solution, and I’m very pleased we’ve managed to find a third way. The search goes on for something better long-term – I’m sure you’ll all agree that, while showing the punycode domain all the time solves the immediate spoofing problem, the fewer browsers out there that do it, the better.

Could I please add a plea that before anyone posts comments on bugs or blogposts suggesting their incredibly simple idea for solving the issue completely, could they please read at least some of the previous posts, bugs, discussions and papers written about the subject? Thanks :-)

18 thoughts on “New Short-Term Patch For IDN-based Spoofing

  1. Gerv, why are all your posts made so late at night? I have two possible scenarios, no doubt there are more:

    A) You are incredibly committed to the Mozilla cause, committing a really commendable effort to it

    B) You are a serial insomniac.

    In either case, please remember to go to sleep occasionally!

  2. It’s because Mozilla is not my day job, and trying to stay on top of this IDN business is taking up ridiculous quantities of my time! :-|

  3. [Sorry for the shameless double posting, since I’ve posted this in your previous IDN spoofing thread before noticing this new update, and then I thought its place was here and not there :) ]

    Why not have, by default, different fonts for different types of characters?

    I’m using Bitstream Vera Sans for my UI, and when I tried that paypal site I noticed the first a was different, not sure if it is because the font itself doesn’t have that character or because it has different a’s. But I had a visual warning.

    Anyway, with the current setup FireFox uses the font set in the OS for the adress bar. If, instead, it would use the fonts in the fonts settings for Firefox, and by default ‘Western’ and ‘Unicode’ were set to be visually different fonts, and finnaly when the user tried to set up the same font for both ‘Western’ and ‘Unicode’ a warning would pop up about the danger.

    Then we would have some visual warning equivalent to passing has Which means, it’s not perfect, sometimes people would miss them, but it would be has easy to spot as payppal.

  4. Why not have, by default, different fonts for different types of characters?

    Because, off the top of my head:

    • the variety fonts available on different systems is very large
    • the browser cannot tell programatically how different a given two fonts are
    • there may only be a small number of full Unicode fonts which can display all the characters
    • the browser can’t easily tell if a particular two characters have the same glyph in a font at all sizes
    • It would be ugly.


  5. Phishing per IDN: Nun doch keine Abschaltung der IDN in Firefox/Mozilla

    Nach den k�rzlich bekannt gewordenen Phishing-Attacken, die die homographische Darstellung von Zeichen in IDNs ausnutzten, wurde die Deaktivierung der IDN-Behandlung im Browser als eine m�gliche L�sung diskutiert.
    Aus der Mozilla-Foundation kommt jetzt

  6. Congratulations to this great interim solution!

    Now everyone should be very happy and there is plenty of time to conceive an even better long-term solution.

  7. Shouldn’t ICANN simply find the domain
    names that would spoof popular domains
    and block them from being registered?

    Please, no! ICANN is already expert at restricting and revoking domain names based on (real or imagined) conflict with domains owned by more powerful people or companies. Don’t give them another excuse.

  8. I, living in Eastern Asia, believe this solution is really bad. Changing font is difficult, I understand, but how about colors, font sizes or styles, such as italics? How about showing punycode in tooltip or something at the same time of showing IDN? In this situation, we are not protected from IDN-to-IDN phishing domains because all has some punycode and distingushing phishing punycode domain name from non-phishing one is very much harder than distinguishing phishing IDN from correct one. At least we must see both non-punycode domain name and punycode one at the same time to be sure we are not phished.

  9. Flame for IDN comments

    I think people somehow misunderstood my previous entry about disabling IDN support in FireFox. It was written right after Mozilla announced they would disable default support for IDN, and before they changed that to just display IDN domains as punycode.