02-07-2005, 04:34 AM   #1 (thread starter)
aww

spoofing advisory on domain "simulation"

This could become very serious for novices,
apparently international domains (IDN) can be
used to fool initial visual inspection:
demonstration: (I have no association with this site)
http://www.shmoo.com/idn/
Look very carefully at the first "a" in paypal in that demonstration.

In theory this can be blocked at least in Firefox by turning off international domain support (IDN) as a temporary workaround:
Quote:
type about:config in your address bar
search for network.enableIDN
click on it to set it to FALSE
IDN support should then be disabled

02-07-2005, 06:17 AM   #2
mole
Originally Posted by aww
In theory this can be blocked at least in Firefox by turning off international domain support (IDN) as a temporary workaround:
Do you know if IE does the same, I looked into my Advanced Options and don't see anything there on IDN.
__________________
If a man will begin with certainties, he shall end in doubts; but if he will be content to begin with doubts he shall end in certainties. Sir Francis Bacon

02-07-2005, 10:57 AM   #3
daughterofeve
the site says it works in everything BUT IE... so, lol.. i can't see it XD

02-07-2005, 06:38 PM   #4
mole
Originally Posted by daughterofeve
the site says it works in everything BUT IE... so, lol.. i can't see it XD
Well, at least there is one thing Microsoft did right.

02-07-2005, 06:43 PM   #5
majinbuu1023
lol just get firefox...I wouldn't wanna block international domains

02-07-2005, 09:03 PM   #6
daughterofeve
Originally Posted by majinbuu1023
lol just get firefox...I wouldn't wanna block international domains
lol, I think you got that a little backwards...

02-07-2005, 09:20 PM   #7
mole
Originally Posted by majinbuu1023
lol just get firefox...I wouldn't wanna block international domains
What's so hot about firefox? ... pardon the pun

02-07-2005, 10:00 PM   #8
Brian
Originally Posted by majinbuu1023
lol just get firefox...I wouldn't wanna block international domains
In Firefox support is on by default for these domains, that is what COULD cause the problem. For these sites to work in IE you have to download a plugin for them to work.

This is one thing that IE might actually be better than Firefox in. But at least you can turn off support for them in Firefox.

Regards
Brian

02-08-2005, 07:02 PM   #9
AdoptableDomains
Originally Posted by mole
What's so hot about firefox? ... pardon the pun
I use both, because there are still some bugs and sites that won't work well in Firefox. However, the tabbed browsing is my favorite feature. For forum reading, I can open each thread in a new browser tab instead of separate IE windows. Much, much easier....
__________________
AdoptableDomains.com ~~~~~Finding Good Homes for Good Names~~~~~
FuelPrices.mobi - Fish.us - ManhattanNewYork.net - Salesmen.info - SoundSystems.org
Dickering.com - JobPlacement.biz - LotteryTickets.ws - Deleted.cc - Names.im - MP3.hn

02-08-2005, 08:51 PM   #10
Anthony
Originally Posted by mole
Well, at least there is one thing Microsoft did right.
Wait -- what MS did right is not offer support for international characters in URLs? That must be how the company does something 'right'. Yikes!

02-09-2005, 12:22 PM   #11
FusionX
Yeah ... we (read Microsoft) are better because we are technologically backward than the competition.

Funny...
__________________
Search.co.in

02-09-2005, 06:56 PM   #12
mole
Originally Posted by Anthony
Wait -- what MS did right is not offer support for international characters in URLs? That must be how the company does something 'right'. Yikes!
Yes, because Microsoft also does email clients and server software, Internet server software... blah, blah. These decisions are not taken lightly.

A renegade like FireFox can just come in and do their own thing and smoke weed without a care for the real world.

Microsoft needs to be a lot more responsible than that. Over 90% of the business world depends on them to ensure seamless compatibility.

02-09-2005, 07:12 PM   #13
majinbuu1023
If I turned international domains off..I live in nz so would I be able to get .co.nz domains?

02-09-2005, 07:45 PM   #14
mole
Originally Posted by majinbuu1023
If I turned international domains off..I live in nz so would I be able to get .co.nz domains?
No, all the ccTLDs will stop functioning, including .US

02-09-2005, 10:27 PM   #15
www.AmCy.org
Originally Posted by AdoptableDomains
I use both, because there are still some bugs and sites that won't work well in Firefox. However, the tabbed browsing is my favorite feature. For forum reading, I can open each thread in a new browser tab instead of separate IE windows. Much, much easier....
I don't use Firefox but that is a great feature; I enjoy using it in Opera.

AmCy
__________________
AmCy

02-10-2005, 02:10 AM   #16
Werpon
Originally Posted by mole
Microsoft needs to be a lot more responsible than that. Over 90% of the business world depends on them to ensure seamless compatibility.
You mean 90% of the home users; but seamless compatibility is guaranteed by international standards that, by the way, Microsoft manages to get always backwards.

02-15-2005, 12:14 AM   #17
Anthony
Originally Posted by mole
No, all the ccTLDs will stop functioning, including .US
That is incorrect. We are talking about turning off support for IDNs, which are domain names with international characters, like letters with hyphens in the URL -- NOT ccTLDs like .co.nz, .co.uk, or .ws!

02-19-2005, 03:58 AM   #18
Bramiozo
Firefox to Disable IDN Support as Phishing Defense

The Mozilla development team said today that it will disable a browser feature that allows URL spoofing and could leave users open to scams. Upcoming releases of the Firefox and Mozilla browsers will turn off support for Internationalized Domain Names (IDN) by default to protect users from the spoofing, which works in current versions of Firefox, Mozilla, Opera and the Safari browser for Macs. The affected browsers support IDN, while Microsoft's Internet Explorer does not.

The spoof exploits flaws in how the browsers interpret Unicode, a broad character set used in IDN that allows URLs to include non-English characters. Unicode can be used to craft "homographic" attacks, in which two different combinations of characters in an HTML link can display the same URL in the browser, but send users to different sites. URL spoofing exploits are useful to Internet phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters.

The spoofing flaw was demonstrated by the Shmoo Group, which used a Unicode link to display www.paypal.com in the address bar of affected browsers, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved.

"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," the Mozilla Foundation said in its advisory. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

The Mozilla team said that domain registrars are ignoring ICANN guidelines on IDN, and have developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks.

Posted by richm at February 15, 2005 02:24 PM | Subscribe


http://news.netcraft.com/archives/20...g_defense.html
__________________
:td: I just do it for the money

idntools is now FREE
for sale
Bramiozo is offline  
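
The homograph check implied by the article quoted in the post above, as an added example that is not part of the thread or of any browser's code: it decodes each `xn--` label of a hostname, reports labels that mix scripts, and compares a look-alike-folded form against a list of protected names. The hostname is the one named in the article; the `CONFUSABLES` table, the function names and the protected-name list are assumptions made for illustration.

```python
import unicodedata

# Constructed sample of Cyrillic/Greek letters that render like Latin ones.
# Illustrative only; a real deployment would load the Unicode confusables data.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u03bf": "o"}

def to_unicode(label):
    """Decode one DNS label from its ACE ("xn--") form; other labels pass through."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Scripts of the letters in a label, read from the Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known look-alikes to the Latin letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def check_host(host, protected):
    """Return (raw_label, reason) findings for every suspicious label in host."""
    findings = []
    for raw in host.split("."):
        try:
            label = to_unicode(raw)
        except UnicodeError:
            findings.append((raw, "undecodable ACE label"))
            continue
        if label.isascii():
            continue  # plain ASCII labels cannot carry a Unicode homograph
        found = scripts(label)
        if len(found) > 1:
            findings.append((raw, "mixed scripts: " + "+".join(sorted(found))))
        if skeleton(label) in protected:
            findings.append((raw, "looks like protected name " + skeleton(label)))
    return findings

if __name__ == "__main__":
    for host in ("www.paypal.com", "www.xn--pypal-4ve.com"):
        print(host, check_host(host, {"paypal"}))
```

A label written entirely in one non-Latin script produces no finding, so ordinary IDNs are not flagged merely for being internationalized.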

02-19-2005, 05:58 AM   #19
mole
Originally Posted by Anthony
That is incorrect.

02-22-2005, 09:27 PM   #20
Nexus

I think this is horrible. IE is dragging heel for Longhorn, and its lack of support of IDN's is definitely NOT something they "did right", which is how the Netcraft story pitched it. The correct implementation of IDN's is the ONLY "crime" the rest of the browsers are guilty of. Moreover, Verisign STILL shows a plugin for making IDN work on IE too, though I'm not sure if the IE plugin implementation bears the same problems as the native implementations of IDN on other browsers.

With Firefox disabling IDN by default, I think this is a knife in the back of IDN support. The idea that nothing can address the problem quickly save TURNING IT OFF, seems to imply something highly problematic with the standard. Sad. Baby out with the bathwater.

I just posted another issue with .BIZ e-mail users being tarred in order to solve a vBulletin spammer issue that is JUST starting to hit the radar.
http://www.namepros.com/industry-news/71566-vbulletin-porn-spammers-threaten-biz-users.html

I don't like how issues like this make benign standards and technologies suddenly take on the sinister traits of the person(s) exploiting them.

~ Nexus
__________________
FreeWho.com - Free Internet Tools!