Slashdot Mirror


Mozilla Drops Support for International Domains

tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

365 comments

  1. Drops? by Anonymous Coward · · Score: 5, Informative

    They've disabled it by default until they come up with a long term solution. That's hardly dropping.

    1. Re:Drops? by bob65 · · Score: 4, Insightful

      No they didn't. They temporarily changed the default. Support for it certainly is still there.

    2. Re:Drops? by Anonymous Coward · · Score: 1, Informative

      They've disabled it by default until they come up with a long term solution.

      I think you mean "disabled it until the registrars get their acts together".

    3. Re:Drops? by tehshen · · Score: 1

      Well if you remember back when the bug was announced, disabling the enableIDN flag didn't actually work at all sometimes. At least this is being fixed.

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    4. Re:Drops? by oliana · · Score: 1

      too late

      --
      In Soviet Russia, asses suck this joke.
    5. Re:Drops? by Jeff+DeMaagd · · Score: 0, Offtopic

      I guess it shows that a monkey can be an editor. I think monkeys take food as currency, so it would be easy for the rest of us to pay them off to accept our ad-story like Roland Pimp'nquialle does.

    6. Re:Drops? by donothingsuccessfull · · Score: 1

      In prefs.js:
      user_pref("network.enableIDN", false);
      should work.
      ...now going to try to wash off the stench of karma whore.

    7. Re:Drops? by Anonymous Coward · · Score: 0

      Why are you attempting to continue this argument? You're obviously wrong, and have been fully exposed as a contrarian pundit. Sheesh.

    8. Re:Drops? by erroneus · · Score: 3, Funny

      Yeah, I wanted to say the same thing so I'll just say it here. They will have disabled it in new downloaded versions... I haven't seen a new release yet but I'm sure the next release it will be disabled by default. Hope it comes about soon but for now... I guess I'll have to switch back to MSIE where I *know* I'll be safe from that ONE kind of attack.

    9. Re:Drops? by Anonymous Coward · · Score: 0
      YOU CAN ENABLE IT IF YOU NEED IT. How fucking hard is that to comprehend?

      How would you like a firewall to be introduced as "[OS vendor] is dropping support for inbound IP connections"? It would be WRONG, like this headline.

    10. Re:Drops? by Anonymous Coward · · Score: 1, Insightful

      By your logic, Microsoft Word only supports Times New Roman and Windows XP only supports a screen resolution of 800x600.

      Please die.

    11. Re:Drops? by GrenDel+Fuego · · Score: 4, Informative

      Actually I think it's funny how people are so quick to defend Mozilla and say it's not dropping anything. The grandparent is right to point out that they are indeed dropping support. It doesn't matter if they're temporarily turning it off. They're turning off support. They are dropping default support in future versions of Firefox.

      I think what we have here is a terminology conflict.

      Support for computer software can mean "ability to use" (eg. does linux support SCSI hard drives?) or "ability to get help with" (eg. is linux 2.2 still a supported kernel?)

      IDN is still supported in that the functionality still exists on mozilla once it is turned on.

      It is not supported in that it's known broken, and you use it at your own risk if you enable it.

    12. Re:Drops? by Plac3bo · · Score: 1

      I agree.
      The browser still very much supports this feature, but turns it off by default.

      IMHO, when I first read "...drops support...", I thought the feature was completely removed from the browser implementation. Obviously, I was very surprised and read more to find that it was really only disabled by default.

    13. Re:Drops? by null+etc. · · Score: 0, Redundant

      Mod this post up.

    14. Re:Drops? by Metteyya · · Score: 1

      Don't worry, if you want a browser supporting it AND turned on by default, I'm sure you should read previous news ;).

    15. Re:Drops? by aussie_a · · Score: 1

      I guess I'll have to switch back to MSIE where I *know* I'll be safe from that ONE kind of attack.

      But prone to quite a few other attacks that you aren't prone to in Firefox? That's illogical.

    16. Re:Drops? by Flower · · Score: 1
      Yeah. In one instance you get a frontpage article on /. In the other instance you watch your honest, but mundane article languish because it won't generate hits.

      Presentation is everything. Even with nerds.

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    17. Re:Drops? by galaxy300 · · Score: 0

      How 'bout I mod your post down instead?

    18. Re:Drops? by Rodness · · Score: 5, Informative

      Now I understand why the Mozilla community consistently blasts Slashdot for "not getting it". Lately it doesn't even seem like the submitters are even bothering to read the articles before they rush to post their mental mucus.

      Mozilla has temporarily disabled internationalized domain name handling until they figure out a long term fix. This is not 'dropping' anything. They're not ripping out the IDN code, they're just trying to protect their users while they figure out a fix, and most of the English-speaking world isn't even going to notice a difference anyway.

    19. Re:Drops? by vperez · · Score: 2, Insightful

      I'm glad people understand sarcasm.

    20. Re:Drops? by notthe9 · · Score: 1

      That was the implication.

    21. Re:Drops? by Myen · · Score: 1

      That would work until restarting the browser.

      Or if you had Firefox 1.0.1 / Mozilla 1.7.6 (or higher); those aren't actually out yet. They're supposed to be out RSN (apparently shooting for this week or next).

      Of course, that's only what I got from reading /. and the Mozilla-related blogs; could be wrong.

    22. Re:Drops? by xenobyte · · Score: 1

      They've disabled it by default until they come up with a long term solution.

      That's actually a bad thing to do. One of the many selling points of the Mozilla browsers is their excellent international support (that MSIE so blatantly lacks) and while they're not removing it, it's still pretty stupid to leave it disabled, because a newbie won't know to enable it when needed and thus may choose another product 'where it works'.

      How hard can it be to simply display the decoded URL in the location bar and thus reveal the phishing? - Must be a minor tweak.

      The long term solution is also pretty obvious IMHO: Add a simple warning and/or confirmation dialog whenever IDN links are clicked. Allow this dialog to be turned off right there with a checkbox for each individual domain name. Allow the entire dialog to be turned off in the advanced settings (for the expert that wants IDN and no bullshit) and the entire IDN system to be turned off (for the paranoid with two layers of tinfoil hats).

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    23. Re:Drops? by Anonymous Coward · · Score: 0

      Let's hope 'disabling' it actually works, unlike the current version of Mozilla.

    24. Re:Drops? by markhb · · Score: 1

      The worst part, perhaps, is that the story says "international domain names", not "internationalized". If you aren't already familiar with the story, it sounds like they'll be dropping support for .uk, .ca, etc.!

      Memo to editors: sober up, RTFN, edit accordingly.

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    25. Re:Drops? by markhb · · Score: 1

      Memo to self: drink coffee, type RTFA instead of the unintelligible "RTFN", make lame follow-up to self

      --
      Save Maine's economy: write stuff down. All comments are exclusively my own, not my employer.
    26. Re:Drops? by Bert64 · · Score: 1

      Only because MSIE doesn't even support this feature at all. It will be interesting to see if IE7 supports this feature...
      If you really want to go back to an antiquated browser which doesn't support any of the newer features in which vulnerabilities have been found, may I suggest Mosaic?

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    27. Re:Drops? by Captain_Chaos · · Score: 1

      ..., and most of the English-speaking world isn't even going to notice a difference anyway.

      Which makes it OK?

    28. Re:Drops? by donothingsuccessfull · · Score: 1

      Woops, my mistake.
      Sorry for spreading misinformation.
      As has been said, use adblock:
      http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

    29. Re:Drops? by CreatureComfort · · Score: 1

      Don't worry about it. I think most of us are as lazy as I am, and didn't even RTF "N". My eyes see RT.... and automatically interpret RTFA or RTFM as appropriate for the context.

      --
      "Unheard of means only it's undreamed of yet,
      Impossible means not yet done." ~~ Julia Ecklar
  2. big deal by Anonymous Coward · · Score: 0

    I don't get it. What's the problem here?

    1. Re:big deal by sogoodsofarsowhat · · Score: 1

      Read the article linked to it and you will quickly see that there is a problem... you can be easily spoofed using IDN and could easily be fooled even when in SSL. RTFA!

      --
      . I love the sound of burning women and screaming rubber....
  3. Drops? by Scrameustache · · Score: 5, Insightful

    There's a difference between "drops support" and "sets that option to 'off' by default", you know.

    --

    You can't take the sky from me...

  4. RTF...what? by Otter · · Score: 0, Redundant

    They're not dropping support for it, they're going to stop enabling it by default. It says that in the text you quoted, for crying out loud!

    1. Re:RTF...what? by Lisandro · · Score: 2, Informative

      Seriously, it says it RIGHT THERE. I quote:

      "This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1,"

      I found it hard to believe a serious project like Firefox would drop IDNs so easily. It's a huge world, you know.

  5. That's False by Uruviel · · Score: 5, Informative

    It will be turned off in 1.0.1. But for 1.1 and further releases they will look for a more cleaner way to fix the spoofing issue. And thus bringing back IDN support. Here is a link to the Mozillazine article: http://www.mozillazine.org/talkback.html?article=6 073

    1. Re:That's False by Qzukk · · Score: 5, Informative

      A fix is pretty easy, but requires two parts:
      1) Amend the IDN spec to require that valid IDN urls use the lowest-numbered codepoints that match that glyph.
      2) Have browsers use a table that identifies all the characters that share a glyph. Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

      Of course, this still can't stop people who just refuse to look closely at the URL. The payqal.com domain is taken, who knows what it's used for...

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:That's False by Leroy_Brown242 · · Score: 1

      " ... more cleaner ... "

      Yikes

    3. Re:That's False by bedessen · · Score: 1

      That's not a link, that's a URL, and it's perverted by slashcode which adds spaces to words that are too long, making it useless for copy and paste.

      A link would be something like http://www.mozillazine.org/talkback.html?article=6 073

    4. Re:That's False by clean_stoner · · Score: 1
      The payqal.com domain is taken, who knows what it's used for..

      Apparently nothing, as if you try to connect to it, it times out (so at least nothing public anyway).

      --

      Sigs are for the weak.

    5. Re:That's False by interiot · · Score: 4, Insightful

      I dunno... when your entire security is dependent on the user being able to notice slight pixel changes on the screen, something seems a little broken...

    6. Re:That's False by bo-eric · · Score: 2, Insightful

      Or they could just use the Unicode facilities for doing just that, as described in the Unicode Standard Annex #15 - Unicode Normalization Forms... I think it's a good question why the IDN committee didn't do that in the first place. Or why registries allow registrations for domains that are approximately equal to already existing ones.

      --

      -- Free speech is only free if your time is worth nothing.
    7. Re:That's False by Derek+Pomery · · Score: 1

      How about just colouring glyphs in URL bar based upon where they are from?
      Or heck, colouring a URL bar, say, red if it includes characters that are either non-ASCII or not in the user's default i18n charset?
      Heck, could even have a little warning bar below it similar to how Firefox notes it blocked a pop-up.

      Seems this is more just a question of informing the user.

      --
      -- perl -e'print pack"H*","6e656d6f406d38792e6f7267"' /. ate my old sig. Bastards.
    8. Re:That's False by Alsee · · Score: 2, Interesting

      Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

      Setting aside other issues, I'd say that is very very VERY bad implementation. If the browser is given an invalid address then the browser should not invisibly guess at rewriting it into a valid address. Better to have invalid addresses trigger immediate errors and be killed off / corrected in the first place. It would be an absolute nightmare to encourage impossible to trace down bugs caused by quasi-valid and conflicting addresses that look identical and inexplicably sometimes go to the right place and sometimes don't. Remember, that address may pass through a chain of 14 different programs from different sources potentially in varying orders. Imagine clicking on a pseudo-valid address in an e-mail going through the e-mail program and through spam filter and through a proxy and off to a browser and through another proxy then to the local IP stack and then out to the DNS system and back to the local IP stack and through your ISP's proxy and cache and THEN first going out to the website.

      At some effectively random point it gets changed into a completely different address. A different address which looks identical to any human attempting to hunt down a bug. It's worse than looking for an invisible needle in a haystack; you haven't even figured out yet that you're looking for a needle, much less an invisible needle.

      -

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    9. Re:That's False by JanneM · · Score: 2, Informative

      1) Amend the IDN spec to require that valid IDN urls use the lowest-numbered codepoints that match that glyph.

      "Match the glyph" is a _very_ vague concept - and the degree of visual likeness will depend on the currently chosen fonts. Japanese half-width romaji looks very different from western monospace. Or extremely similar. It all depends on the typefaces you use, your locale and so on.

      2) Have browsers use a table that identifies all the characters that share a glyph. Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

      But they really don't share a glyph. Mostly, this has already been done when Unicode was defined; in fact, at some codepoints they were overenthusiastic and reused some glyphs they really shouldn't have.

      Just because two different glyphs will look very similar with some combination of typefaces (but, note, not with other), it doesn't mean they aren't very different and should be treated like it.

      Example: in sans-serifed fonts, I (capital "i") and 1 ("one") will tend to look very, very similar. With your suggestion, all "I":s will thus be changed to "1" in registered url:s everywhere.

      The problem is rather the opposite, actually. When you don't have the real typeface needed, the browser (or font system, really) tries to substitute the missing glyph with something similar, which is a good thing when you try to read text. It can make an URL look different from intended, however. One step of the solution may well be not to accept this kind of substitution in URL:s. No idea if you can get this kind of control, though.

      --
      Trust the Computer. The Computer is your friend.
    10. Re:That's False by vendull · · Score: 1

      They already do this. All IDN registrations are normalized into form NFKC as specified in UTR #15. But that doesn't solve the problem.

    11. Re:That's False by spitzak · · Score: 1

      Better would be to do a similar identification, but basically refuse to correctly display anything that is incorrect. Just show the &****; syntax or whatever instead. This would solve the phishing problem.

    12. Re:That's False by hta · · Score: 1

      SIGH.
      And convince the Russians that when they write text in Russian, they need to write the "C" character in the Latin character set because it looks too much like a Latin C, despite the fact that it's pronounced "S".
      And convince the Greeks that they need to rewrite their upper/lowercase conversion to make sure the uppercase Alpha is represented by a Latin uppercase A, but the lowercase alpha gets represented by a greek alpha, because it doesn't look like a Latin lowercase a.
      Get real. Homographs are here to stay.

  6. network.enableIDN by athakur999 · · Score: 5, Interesting
    The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration


    Isn't this the "fix" that everyone found stopped working after you restarted the browser?

    --
    "People that quote themselves in their signatures bother me" - athakur999
    1. Re:network.enableIDN by mikeophile · · Score: 4, Informative

      Clear your cache in Tools/Options/Privacy and restart Mozilla. Or go here and try this. /thank BoingBoing

    2. Re:network.enableIDN by scovetta · · Score: 2, Informative

      Or use my fix: http://www.scovettalabs.com/advisory/SCL-2005.002.txt in corporate environments (or home use too).

      --
      Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
    3. Re:network.enableIDN by Anonymous Coward · · Score: 0

      Permanent fix: here

    4. Re:network.enableIDN by gyanesh · · Score: 1

      Stays set to false for me

    5. Re:network.enableIDN by Anonymous Coward · · Score: 0

      Damn. Tampering with a browser's configuration is an act of terrorism and hacking. You can go to prison. With the terrorists. It is un-American. damn

    6. Re:network.enableIDN by OverlordQ · · Score: 1
      Like the other poster said, you can edit the one file, or if you have the Adblock extension installed, add
      /[^\x20-\xFF]/
      to your expression list.
      --
      Your hair look like poop, Bob! - Wanker.
    7. Re:network.enableIDN by starfishsystems · · Score: 1
      If you set it only in the browser session, it will survive as long as the session.

      Permanent browser settings for Mozilla and Firefox can be made by editing the configuration file user.js. To set network.enableIDN, add the following line:

      user_pref("network.enableIDN", false);
      --
      Parity: What to do when the weekend comes.
    8. Re:network.enableIDN by wcrowe · · Score: 1

      I'm using Mozilla 1.7 with the same results.

      --
      Proverbs 21:19
    9. Re:network.enableIDN by athakur999 · · Score: 1

      Setting stuff in "about:config" modifies your prefs.js file, which is also a persistent settings file.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    10. Re:network.enableIDN by athakur999 · · Score: 3, Informative

      Clearing the cache doesn't make setting network.enableIDN to false start working. The compreg.dat method you linked to also is not a permanent fix, as that file is recreated every time you install an extension.

      The AdBlock method does work though.

      --
      "People that quote themselves in their signatures bother me" - athakur999
    11. Re:network.enableIDN by starfishsystems · · Score: 1
      No, prefs.js is not persistent.

      That's why the file begins with the following text:

      /* Do not edit this file.
      *
      * If you make changes to this file while the browser is running,
      * the changes will be overwritten when the browser exits.
      *
      * To make a manual change to preferences, you can visit the URL about:config
      * For more information, see http://www.mozilla.org/unix/customizing.html#prefs
      */
      Persistent changes are made using user.js.
      --
      Parity: What to do when the weekend comes.
    12. Re:network.enableIDN by athakur999 · · Score: 2, Informative

      That's talking about making changes to the file 'by hand' using an external editor. If you use about:config, the browser itself keeps track of the change and modifies prefs.js accordingly when you close it.

      Why don't you give it a try?

      --
      "People that quote themselves in their signatures bother me" - athakur999
    13. Re:network.enableIDN by ptlis · · Score: 2, Informative

      On the contrary, it does. At least for me: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0 I closed down all windows, cleared the cache & history, typed about:config into the Address bar, disabled network.enableIDN and then restarted Firefox.

      --
      There's mischief and malarkies but no queers or yids or darkies within this bastard's carnival, this vicious cabaret.
    14. Re:network.enableIDN by starfishsystems · · Score: 0, Flamebait
      I tend to believe Mozilla more than you, that's why.

      Especially when you contradict yourself:

      Isn't this the "fix" that everyone found stopped working after you restarted the browser?
      --
      Parity: What to do when the weekend comes.
    15. Re:network.enableIDN by Big+Diluth · · Score: 1

      The fix to tweak "network.enableIDN" did not work for me, even though the change in about:config claimed it was retaining the setting.

      I went to the spoof test sites and I was still being spoofed without any hint of a problem.

      The Adblock filter works like a charm, follow the instructions here: http://users.tns.net/~skingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

    16. Re:network.enableIDN by civilizedINTENSITY · · Score: 1

      I just tried the fix as suggested, and restarted Firefox. It is still there.

    17. Re:network.enableIDN by Anonymous Coward · · Score: 0

      I hate it when programs act that way. When I make a change to config, write to the file RIGHT NOW. I have this problem with winamp, I'll change my playlist, then at some point windows will crash with winamp still open and when I go back winamp has the old playlist again. GRRR, it's not like I'm making 20 changes to the playlist a second and it would be a huge burden to save that file all the time.

    18. Re:network.enableIDN by Ark42 · · Score: 1

      That adblock expression will still allow things like:
      paypäl.com
      paÿpal.com
      If you use the regular western Windows codepage. Sure it's not the EXACT same glyph, but most people might not understand that two little dots above a letter mean anything bad here.
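
The following is an added example, not code from the thread, from Mozilla or from the Shmoo Group. It puts three of the positions above side by side on a spoofed hostname: the Adblock expression OverlordQ posted and Ark42's paypäl objection to it, vendull's point that NFKC normalization (which IDNA's nameprep already applies) does not turn a Cyrillic а back into a Latin a, and a per-label script-mixing check of the kind Unicode TR #39 describes, with a small allowance for the legitimately mixed Japanese labels hta and arkanes bring up. All function and constant names, the allowance list and the sample hostnames are my own constructions.

```python
# Added example for this thread (not code from Slashdot, Mozilla or the Shmoo
# Group).  Compares the Adblock regex, NFKC normalization and a script-mixing
# check on spoofed and legitimate IDN hostnames.  Names here are made up.
import re
import unicodedata

# The Adblock expression posted in the thread: matches any character whose
# code point lies outside 0x20..0xFF, so Latin-1 letters such as ä pass.
ADBLOCK_PATTERN = re.compile(r"[^\x20-\xFF]")

# Scripts that legitimately share one label.  Constructed, deliberately tiny
# allowance list: Japanese labels mix kanji (CJK) with hiragana and katakana.
ALLOWED_MIXES = [frozenset({"CJK", "HIRAGANA", "KATAKANA"})]


def to_unicode(host: str) -> str:
    """Decode an ACE-form hostname (xn--... labels) to its Unicode form.

    A hostname that is already Unicode is returned unchanged.  Python's idna
    codec performs the same ToUnicode step a browser does before it draws
    the location bar.
    """
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def script_of(ch: str) -> str:
    """Coarse script of one character, taken from the first word of its
    Unicode name: 'a' -> LATIN, U+0430 -> CYRILLIC, U+65E5 -> CJK."""
    if ch.isascii() and not ch.isalpha():
        return "Common"                 # digits, hyphen, dot
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "Unknown"


def analyze_host(host: str) -> dict:
    """Evaluate one hostname against the checks debated in the thread."""
    unicode_host = to_unicode(host)
    # IDNA's nameprep step lower-cases and applies NFKC before lookup, so the
    # script check runs on that form.  NFKC folds compatibility forms such as
    # fullwidth letters but leaves a Cyrillic 'a' as Cyrillic.
    prepped = unicodedata.normalize("NFKC", unicode_host.lower())
    findings = []
    for label in prepped.split("."):
        scripts = {script_of(c) for c in label} - {"Common"}
        if len(scripts) > 1 and not any(scripts <= ok for ok in ALLOWED_MIXES):
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
        elif not label.isascii():
            # Single script but non-ASCII (paypäl.com): not a script spoof, so
            # the most a browser can do is make the user aware of it.
            findings.append(f"non-ascii label {label!r}")
    return {
        "unicode": unicode_host,
        # What the posted Adblock filter would block: anything above U+00FF.
        "adblock_blocks": ADBLOCK_PATTERN.search(unicode_host) is not None,
        # Whether nameprep's NFKC alone turns the name back into plain ASCII.
        "nfkc_equals_ascii": prepped.isascii(),
        "mixed_script": any(f.startswith("mixed-script") for f in findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed inputs: the ACE form of "paypal.com" with its second letter
    # replaced by Cyrillic a (U+0430), the kind of spoof in the Shmoo demo;
    # Ark42's Latin-1 variant; a fullwidth 'p'; a legitimate Japanese label.
    for sample in ("xn--pypal-4ve.com", "paypäl.com", "\uff50aypal.com",
                   "日本ごはん.jp", "paypal.com"):
        print(sample, analyze_host(sample))
```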

  7. do what ? by Anonymous Coward · · Score: 0

    How is "turned off by default" the same as "dropped support".

    Can we mod the title as flamebait ? :o

  8. Internations by mboverload · · Score: 0, Flamebait

    If you ever go to an international domain name you should be looking out for scams anyway.

    1. Re:Internations by Anonymous Coward · · Score: 1

      Right, because scams don't happen with .com/.net/.org domains.

      Damn, I'll bet those Iraqis and Afghans are to blame! God bless the USA and its honesty.

    2. Re:Internations by cthrall · · Score: 2, Informative

      Ahhhh...the point of the scam is a domain name that looks like www.paypal.com in your browser but redirects you to something eeeeevil.

      See the pretty demo.

    3. Re:Internations by Tackhead · · Score: 5, Informative
      > If you ever go to an international domain name you should be looking out for scams anyway.

      No, no, no. IDNs aren't about country codes, they're about special character codings that result in things in your status bar that look like their ASCII equivalent characters, but aren't.

      Don't worry, that special site hosted in Christmas Island will continue to resolve just fine. :)

    4. Re:Internations by coolestdickofall · · Score: 1

      You know, if you're not sure about a link, you can always "copy shortcut" and paste it in a text editor... It'll tell you the true link..

    5. Re:Internations by Anonymous Coward · · Score: 0

      My editor supports Unicode, you insensitive clod!

    6. Re:Internations by zombie-m · · Score: 1


      "copy shortcut" eh? That sounds like an IE-ism to me. I think you meant "Copy Link Location"
      </nitpick>

  9. Fix it now. by Anonymous Coward · · Score: 3, Informative

    From Chris Smith via BoingBoing

    1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.

    2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.

    3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.

    4) Go check out the shmoo demo again and notice it no longer works.

    1. Re:Fix it now. by el_gordo101 · · Score: 4, Informative

      5) Close all instances of Firefox, restart Firefox
      6) Go check out the shmoo demo again and notice it works again.

      This "fix" only works temporarily. Once you restart the browser, it reverts back to the original behavior.

      --
      TODO: Insert witty sig
    2. Re:Fix it now. by Anonymous Coward · · Score: 2, Informative
      1. Type "about:config" in the URL bar, then scroll down to network.enableIDN -> double-click and set to false;


      2. Go to "Tools" -> "Privacy" and clear the cache;


      3. Then restart Firefox. You are now protected.


      Clearing the cache is a mandatory step.

    3. Re:Fix it now. by Neurowiz · · Score: 4, Insightful

      Nope. Did exactly that. about:config, clear cache, restart Firefox, test at secuna - wham. The spoof still works.

      The Adblock method of stopping this (mentioned earlier) is a nice workaround. Adblock has become quite a useful tool.

      --
      Neurowiz
    4. Re:Fix it now. by ozbird · · Score: 1

      Don't scroll - simply type "IDN" in the Filter box, and it's the only option displayed.

    5. Re:Fix it now. by Anonymous Coward · · Score: 0

      the second workaround is better. Using adblock..
      http://users.tns.net/%7Eskingery/weblog/2005/02/workaround-for-idn-spoofing-issue.html

    6. Re:Fix it now. by Anonymous+Custard · · Score: 1

      The adblock method doesn't work either...

    7. Re:Fix it now. by BroadwayBlue · · Score: 1
      The correct fix, as posted at mozillazine forums:

      Workaround: This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (Common profile locations).

      Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line.

      Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.

    8. Re:Fix it now. by Anonymous Coward · · Score: 0

      Did you remember to check site blocking under Adblock options? Worked for me after doing that.

    9. Re:Fix it now. by Country_hacker · · Score: 1

      Did you make sure to check the 'Site Blocking' option in Adblock options? I missed that step (as did the author of the instructions). After I made sure the option was checked it worked great.

      --
      Never give any object more potential energy than you want it to have.
    10. Re:Fix it now. by Fourmica · · Score: 1

      It still doesn't work. I've tried this on multiple systems.

      The best solution I have found, in the meantime, is to use SpoofStick which now has IDN spoofing detection capabilities.
      --
      *** formica has quit IRC (connection reset by phear)
    11. Re:Fix it now. by Anonymous Coward · · Score: 0

      this fix works fine on my machine.
      I've restarted Firefox every day for a week and it has not reverted.

    12. Re:Fix it now. by Anonymous+Custard · · Score: 1

      Checking the 'Site Blocking' option in Adblock options worked perfectly. Now when I try to click that secunia link it just doesn't do anything. Same if I try to paste that pseudo-paypal link into the address bar and hit enter.

  10. Sensationalism, Anyone? by paenguin · · Score: 0, Redundant

    How does "Turned Off by Default" get to be equal to "Drops Support"?

    A leaf falls from a tree and the next thing you know, the sky is falling.

    --
    We should start referring to processes which run in the background by their correct technical name... paenguins.
  11. It is good... by Jpunkroman · · Score: 3, Insightful

    It is good that after all the media news about Firefox actually having a security issue that the team moved to correct it, even if very short term. Unfortunately I don't think this will get as much media coverage as the previous stories on it, but it is a step in the right direction. So, at least we don't have to wait for a fix, they will disable the issue, fix it, then re-enable it. Sounds like good software development to me.

  12. NOOOOOO!! by Anonymous Coward · · Score: 5, Funny

    Not .cx!!?!? Don't drop support for .cx!!!

    1. Re:NOOOOOO!! by northcat · · Score: 5, Informative

      No, it's not dropping support for country specific TLDs (did I use the right term?). .cx, .us, .de etc., will all work. It disabled support for Internationalized domain names. Internationalized domain names are domain names with characters from non-English languages. http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/index.html. IE doesn't support this either. It's all in TFA.

    2. Re:NOOOOOO!! by jk0 · · Score: 1

      Don't worry, goatse and friends are still available from mirrors.

    3. Re:NOOOOOO!! by Anonymous Coward · · Score: 0

      If that's what you see when you look in a mirror...

    4. Re:NOOOOOO!! by jk0 · · Score: 1

      noyuo

    5. Re:NOOOOOO!! by DNS-and-BIND · · Score: 1
      Or, as a last resort, run the Goatse Rescue Floppy. As the website states:

      "Goatse Rescue Floppy is a useful tool to keep in your pocket at all times. You'll be able to show the infamous jpg on basically any IBM-PC compatible computer with a floppy drive (or, in extreme cases you can use the CD-ROM drive)."
      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  13. Simple answer... by andreMA · · Score: 3, Interesting

    Wouldn't rendering the characters in question as black-on-red in the status and location bar be a more effective solution? Or the entire background changes to red to warn the user that the characters they can read aren't the "actual" characters in the domain name?

    1. Re:Simple answer... by arkanes · · Score: 2, Insightful
      "For every problem, there is one solution which is simple, obvious, and wrong."

      Pretend for a moment that you live in Japan, or Russia, and you actually use websites that use these IDN characters.

    2. Re:Simple answer... by Anonymous Coward · · Score: 0

      Um... presumably in the international language these *are* the characters in question...

      They just happen to look like English letters.

    3. Re:Simple answer... by Anonymous Coward · · Score: 0

      No. Consider cases where 1 in 4 Japanese domain names are IDN. So as a user you're going to see these things constantly and ignore them because they're meaningless and common.

    4. Re:Simple answer... by MP3Chuck · · Score: 1

      In Soviet Russia, IDN ... nah, too easy. :D

    5. Re:Simple answer... by Anonymous Coward · · Score: 0

      That way colourblind people (like myself) will have absolutely no idea what site they are visiting. (Black on Red or Red on Black is just completely invisible to me)

    6. Re:Simple answer... by RealAlaskan · · Score: 3, Insightful
      Pretend for a moment that you live in Japan, or Russia, and you actually use websites that use these IDN characters.

      Pretend, also, that you occasionally use paypal.com. Wouldn't you like to see that the background changes from the familiar red to a soothing white for the real paypal link?

      Making the colors configurable (maybe via two simple options: ``I regularly use IDN.'' and ``I don't usually use IDN.'') would take away most of the remaining objections.

      ``Simple and obvious'' does not mean ``wrong''.

    7. Re:Simple answer... by Anonymous Coward · · Score: 0

      My monitor is amber. I don't have color. How will this work for me?

    8. Re:Simple answer... by Kwil · · Score: 1

      If I'm pretending I'm in Russia, I can't pretend I'm using paypal.

      The two are mutually exclusive.

      --

      That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze

    9. Re:Simple answer... by drew · · Score: 1

      OK, then how about: any character that is not in the same Unicode range as the first character of the URL is rendered in a different color. For URLs that are all Latin, all Cyrillic, all Chinese, etc., things will work perfectly normally. For any URL that mixes the characters, there will be a visual cue that something is not right.

      --
      If I don't put anything here, will anyone recognize me anymore?
    10. Re:Simple answer... by Mr+Guy · · Score: 1

      The same way you get other highlighted fields - you'd see a grayscale box around a letter.

      Something along the lines of www.pay[p]al.com. Preferably with a tool tip that explains what the color means on hover.

    11. Re:Simple answer... by spectecjr · · Score: 1

      My monitor is amber. I don't have color. How will this work for me?

      Simple: you can't run Mozilla on an IBM XT anyway, so it doesn't affect you.

      --
      Coming soon - pyrogyra
    12. Re:Simple answer... by Anonymous Coward · · Score: 0

      No they aren't. You can just pretend Paypal works with Russia too.

    13. Re:Simple answer... by mysidia · · Score: 1

      What about folks who are colourblind or use monochrome or 2-colour displays?

    14. Re:Simple answer... by andreMA · · Score: 1
      Ideally, I guess, there would be a user preference to choose between several possible ways of making it obvious, ranging from colors as I suggested, bolding the IDN characters, emitting a distinctive sound when you initially enter such a domain, displaying an icon in the location and/or status bar, etc.

      Or even an option (not default, presumably) to turn the warnings off.

    15. Re:Simple answer... by PenguiN42 · · Score: 1

      "For every problem, there is one solution which is simple, obvious, and wrong."

      Pretend for a moment that you live in Japan, or Russia, and you actually use websites that use these IDN characters.


      So what? So the IDN URLs you go to are printed in a different color scheme. It doesn't hurt usability. But when you go to "paypal.com" and notice that the "a" is in a different color scheme than all the other characters, then you know something is up!

      Of course there's the question of accessibility when you use a visual cue. Also black and white text only browsers, etc...

      --
      The following sentence is true. The preceding sentence was false.
    16. Re:Simple answer... by Cyberax · · Score: 1

      I've never seen a Russian site using IDN (I live in Russia).

      Though I have seen one Japanese site with IDN before (can't remember its URL though, hieroglyphs drive me crazy :) ).

  14. Temporary fix does not work.. by slashkitty · · Score: 3, Informative

    This was discussed before, but the temporary fix, of setting it to off, doesn't work in current versions. Apparently the setting wasn't reloaded when the browser was restarted. I hope they fix that as well. In the meantime, please do NOT recommend the temporary fix to people, because it makes them think they are safe when they are not!

    --
    -- these are only opinions and they might not be mine.
    1. Re:Temporary fix does not work.. by tgd · · Score: 1

      Considering this has been a known "exploit" for several years and it's not widely used, people are no less safe now than they were a month ago or a year ago.

      There's a difference between being unsafe and having a greater risk exposure. If you have safe browsing habits, you are still safe regardless of the added risk exposure from a minor issue being hyped up by Slashdot, even though that issue was known at the time internationalized domain standards were being created, and even though it was hyped up on here a year or two ago.

      Plus the fix worked fine here, not sure why some people are seeing problems with it.

    2. Re:Temporary fix does not work.. by Anonymous Coward · · Score: 0

      fix

    3. Re:Temporary fix does not work.. by Red_Winestain · · Score: 1
      It is slightly more dangerous than the parent implies (at least on Firefox 1.0 with MacOS X 10.3.8)

      Just tried it: network.enableIDN remained set at false. Then went to the test page at secunia.com and it was clearly set to true. Went back to about:config, and it still says false, even though it has to be true.

      So, don't be misled by the setting status.

    4. Re:Temporary fix does not work.. by Anonymous Coward · · Score: 0

      No, it will work, if you do it correctly (something to do with cache, was posted before).

    5. Re:Temporary fix does not work.. by Anonymous Coward · · Score: 0

      Only if you don't apply the complete fix.
      Please don't post this shit before reading how to apply the fix correctly (so that it will stick)

    6. Re:Temporary fix does not work.. by Alsee · · Score: 1

      It does work, your browser did NOT go to the bogus Paypal website. What you were actually seeing was a local page recalled from your browser cache.

      Clear the cache or try going to a different bogus website and you'll find the fix does work.


      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  15. Re:Mozilla is an American project by Anonymous Coward · · Score: 5, Funny

    What's this "international" thing people keep talking about?

    It's where you go to fight wars.

  16. netcraft confirms it... by Anonymous Coward · · Score: 0

    support for international domains is dying

    1. Re:netcraft confirms it... by Anonymous Coward · · Score: 0

      You misspelled dead.

  17. Outstanding! Smart defaults by redelm · · Score: 4, Interesting
    I have always maintained that one of the keys to powerful software is carefully chosen defaults. Otherwise, there simply is too much for the user to learn before they see the value in learning it.

    Perhaps some of the international versions of Mozilla will have Int'l name _enabled_ by default. A quick peek at $CHARSET would do.

  18. Extension by mboverload · · Score: 1

    I assume there will be an extension to do this shortly. I'm too lazy plus I have to do this on a few computers. It would be better if I could load it on a USB stick and go around installing it instead of editing some file.

    1. Re:Extension by Anonymous Coward · · Score: 0

      It's SO much easier to do the about:config fix than to install an extension.

  19. So does this mean... by The+One+and+Only · · Score: 1, Interesting

    International domains are dying, and Netcraft confirms it?

    --
    In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
  20. Correction by Stiletto · · Score: 5, Informative

    The submitter SHOULD have mentioned that Mozilla has decided to disable internationalIZED domain names, ones made of "funny" unicode characters.

    International domain names like .uk .au, and our favorite, .cx, are of course still supported.

    1. Re:Correction by legirons · · Score: 1

      "International domain names like .uk .au, and our favorite, .cx, are of course still supported."

      The UK domain isn't international - it's only used by sites in the UK.

    2. Re:Correction by tehshen · · Score: 3, Funny

      Actually, my favourite is the Cook Islands, because then we can have .co.ck

      --
      Guy asked me for a quarter for a cup of coffee. So I bit him.
    3. Re:Correction by ari_j · · Score: 1

      The UK domain isn't international - it's only used by sites in the UK.

      You promise me that there are absolutely zero *.uk domains that resolve to the IP of a host that is anywhere outside of the United Kingdom?

    4. Re:Correction by Anonymous Coward · · Score: 0

      International domain names like .uk .au, and our favorite, .cx, are of course still supported.

      Bloody Yank. .au and .cx are not international domain names. .com, .net and .org are international domain names.

      (Technically .uk is an international domain name because England, Wales, etc are all nations, although the U.K. is the country.)

    5. Re:Correction by MicroBerto · · Score: 1

      I wouldn't have cared if I could no longer get to .cx anyway... not since they banned my home page!

      --
      Berto
    6. Re:Correction by Anonymous Coward · · Score: 0
      trashbat.co.ck :)

      Chris Morris rules

    7. Re:Correction by Bronster · · Score: 1

      Given that my employer has offices in Australia and servers in the US of A but owns two .uk domains (I know that plenty well enough from having to renew them recently - what's with .uk domain registrars and complex manual processes for single year only registration, sheesh).

      Parent of parent lives in fantasy world.

    8. Re:Correction by legirons · · Score: 1

      "Parent of parent lives in fantasy world."

      Damn right.

      And as to Nominet, they're a bureaucracy like any other. If it makes their organisation larger, they'll do it.

  21. Ummm... No by maggeth · · Score: 0, Redundant

    IDN will be disabled by default in the upcoming releases from this current trunk freeze (Firefox 1.0.1, Thunderbird 1.0.1, Mozilla 1.7.6) but it has been explicitly said many times if you bothered to look on planet.mozilla.org that a permanent solution for this problem is upcoming and hopefully will make it into Firefox 1.1. Users will be able to change this setting (with an extension and a warning dialog that explains the situation) and this should be included with most of the internationalized builds.

    Saying that Mozilla has dropped support for IDN is completely wrong.

  22. Honest question by the+pickle · · Score: 2

    Has anyone actually seen a legitimate IDN in the wild?

    With most of the phishing scams targeted at English-speaking users, I don't see this as such a horrible decision.

    p

    1. Re:Honest question by Troed · · Score: 1

      Yes, I own one. Instead of dropping support for them, more programs should start to include support for them. Not everyone is pleased with the relatively small number of characters in the English alphabet, you know.

      Mail to my IDN domain still fails long before it reaches my server, and the website cannot be reached with IE unless people install a plugin.

    2. Re:Honest question by Anonymous Coward · · Score: 4, Interesting

      Yes, there are plenty, especially in Sweden and northern Europe. Take for example vävtak.se.

      Anyway. I think this solution is truly bad. IDN is a fundamental change we need to the internet. Not only to incorporate local languages on to the Internet, but also to increase the number of available choices.

      Disabling IDN is really bad. Instead, as suggested by someone else here, the registrars should prevent/ban addresses that will look the same on screen as existing ones.

      In fact, couldn't Mozilla instead do a simple test and see if the domain name exists without the hidden characters? If it does, then it should warn the user about it.
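      A defender-side sketch of both ideas from this thread, as an added example that is neither the thread's nor Mozilla's code: the earlier "not in the same unicode range as the first character" rule becomes a mixed-script flag, and the "does the domain name exist without the hidden characters" test becomes an ASCII-skeleton comparison against a constructed set of known labels. The script classifier keys off unicodedata character names (a heuristic, not the Unicode Script property), and the confusable table is a small constructed stand-in for Unicode's confusables data.

```python
"""Heuristic IDN homograph warning logic (added example; not from the
thread and not Mozilla's code).

Two checks on each label of a host name before it is shown to the user:
  1. mixed script: flag characters whose script differs from the label's
     first scripted character;
  2. skeleton collision: fold the label to plain ASCII and see whether it
     collides with a known label.

Assumptions: scripts are classified from unicodedata.name() prefixes
(a heuristic, not the Unicode Script property); the confusable table and
the set of known labels are constructed stand-ins for real data.
"""
import unicodedata

# Script name prefixes as they appear in unicodedata.name(). Hiragana,
# katakana and CJK ideographs are grouped, because Japanese names mix
# them legitimately; a naive "first character's range" rule would warn
# on every such name, which is the objection raised in the thread.
_SCRIPT_PREFIXES = {
    "LATIN": "LATIN", "CYRILLIC": "CYRILLIC", "GREEK": "GREEK",
    "ARMENIAN": "ARMENIAN", "HEBREW": "HEBREW", "ARABIC": "ARABIC",
    "HIRAGANA": "CJK", "KATAKANA": "CJK", "CJK": "CJK",
    "HANGUL": "HANGUL", "THAI": "THAI", "DEVANAGARI": "DEVANAGARI",
}


def script_of(ch):
    """Coarse script of one character. Digits and hyphens are 'COMMON'
    (they belong to every script); unnamed characters are 'UNKNOWN'."""
    if ch in "0123456789-":
        return "COMMON"
    try:
        name = unicodedata.name(ch)
    except ValueError:
        return "UNKNOWN"
    for prefix, script in _SCRIPT_PREFIXES.items():
        if name.startswith(prefix):
            return script
    return "OTHER"


def mixed_script_positions(label):
    """Indices of characters whose script differs from that of the first
    non-COMMON character. An empty list means the label is single-script."""
    scripts = [script_of(c) for c in label]
    base = next((s for s in scripts if s != "COMMON"), "COMMON")
    return [i for i, s in enumerate(scripts) if s not in ("COMMON", base)]


# Constructed confusable table: a few non-Latin letters that render like
# Latin ones in common fonts.
_CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def skeleton(label):
    """Fold a label to an ASCII skeleton: lowercase, map confusables, then
    drop diacritics via NFKD ('vävtak' -> 'vavtak'). This is a collision
    detector, not a resolver: ä is a distinct letter in Swedish, so a
    collision is a warning to the user, not proof of spoofing."""
    folded = "".join(_CONFUSABLES.get(c, c) for c in label.lower())
    decomposed = unicodedata.normalize("NFKD", folded)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def assess_host(host, known_labels):
    """Check every label of `host` (Unicode or punycode 'xn--' form).
    Returns a list of (label as given, decoded label, warnings)."""
    findings = []
    for raw in host.split("."):
        label = raw
        if raw.lower().startswith("xn--"):
            try:
                # Python's idna codec decodes the ACE form back to Unicode.
                label = raw.lower().encode("ascii").decode("idna")
            except UnicodeError:
                findings.append((raw, raw, ["undecodable punycode label"]))
                continue
        warnings = []
        positions = mixed_script_positions(label)
        if positions:
            warnings.append("mixed scripts at positions %s" % positions)
        sk = skeleton(label)
        if sk != label.lower() and sk in known_labels:
            warnings.append("looks like known label %r" % sk)
        findings.append((raw, label, warnings))
    return findings


if __name__ == "__main__":
    # Constructed "known" labels standing in for a registry lookup.
    known = {"paypal", "vavtak", "www", "com", "se"}
    for host in ("www.paypal.com", "www.p\u0430ypal.com", "v\u00e4vtak.se"):
        for raw, decoded, warnings in assess_host(host, known):
            if warnings:
                print(raw, "->", decoded, warnings)
```

      The Swedish case shows the trade-off the thread argues over: vävtak.se is a single-script Latin label and passes the mixed-script check, but its skeleton collides with a known ASCII twin, so a skeleton-only policy would warn legitimate Scandinavian users as often as it warns about spoofs.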

    3. Re:Honest question by SmokeHalo · · Score: 2, Funny

      Has anyone actually seen a legitimate IDN in the wild?

      I did once, when I was out hiking in the Appalachians. It ran off before I could photograph it.

      --
      I'm not good in groups. It's difficult to work in a group when you're omnipotent. - Q
    4. Re:Honest question by Anonymous Coward · · Score: 0
      Disabling IDN is really bad. Instead, as suggested by someone else here, the registrars should prevent/ban addresses that will look the same on screen as existing ones.

      I disagree; while broad language support is generally a good thing, it is hopelessly bad for what need to be globally unique identifiers. Remember, people are actively trying to break the system with the goal of fraud and deception. It must stay as simple as possible.

      Fixing this is not a task for registrars. Similarity to existing names/glyphs is a function of font, which varies from application to application. And even among legitimately different glyphs, there might be enough similarity to fool the insufficiently suspicious. There are so many languages, and so many symbols, that users can't possibly be expected to even recognize the warning signs.

    5. Re:Honest question by gclef · · Score: 1
      Relying on the registrars to police this is asking for failure. How do you decide which overlaps are allowed? Do they only look for well known ones (well known to whom)? Ones that pay for the service? Any overlap?

      The brutal fact is, punycode is poorly designed. I agree that internationalized domain names are a good thing...but pure punycode is not the way to do it. Until we have a good way to handle the problems that punycode's design brings up, we should disable it by default. Once we have a handle on it, and agreement on what the standards are, then turning it back on by default is a reasonable step.

      </security curmudgeon >

    6. Re:Honest question by gfody · · Score: 1

      IDN is a fundamental change we need to the internet. Not only to incorporate local languages on to the Internet, but also to increase the number of available choices.

      horseshit. vävtak.com should take me to the same place as vavtek.com

      increasing the available choices does not solve any problems. we already have pc-club.com != pcclub.com != pcclub.net .. when you give somebody a web address over the phone you explicitly announce dashes or all-one-word because everyone knows about these ridiculous ambiguities. do you want to make them case-sensitive too? then we'd have tons of available domains!

      adding more characters to uniquely identify an address just makes this problem so much worse (it's the same problem that we've always had, just now with IDN it's simply unacceptable).

      I really think DNS needs to be revised to enforce a unique constraint on a filter of the address. for instance if some-place.com, s0me-place.com, someplace.com and smeplace.com all took you to the same place because they are in fact the same.. what a concept

      DNS is not user-friendly! DNS was originally engineered when nobody anticipated billions of queries a day typed directly in from users!

      --

      bite my glorious golden ass.
    7. Re:Honest question by Anonymous Coward · · Score: 2, Insightful

      horseshit. vävtak.com should take me to the same place as vavtek.com

      NO! Why should it? ä is not the same letter as a (at least not in Swedish and other North European countries)

      a != ä != å
      o != ö

      /AC

    8. Re:Honest question by gfody · · Score: 1

      a isn't different enough from ä or å to justify taking me to an entirely different website if I typed in aol äol or åol.com

      how much sense does it make to have
      aol, äöl, åol, aöl, äol, åöl
      all go to different sites???

      aol has to register all 6, .com .net and .org
      18 domains total just to keep some punk from scamming people with his similar domain.. you shouldn't have to afford to register all of those (assuming they aren't already registered) just because of our DNS system that wasn't designed for what we use it for.

      --

      bite my glorious golden ass.
    9. Re:Honest question by AndrewRUK · · Score: 1
      I really think DNS needs to be revised to enforce a unique constraint on a filter of the address. for instance if some-place.com, s0me-place.com, someplace.com and smeplace.com all took you to the same place because they are in fact the same..

      How far would you go? Is someplaice.com (for all your flat fish needs) allowed?

      What about sameplace.com, which is no less similar to smeplace.com than someplace.com is. (And therefore, by your argument, is the same as someplace.com)

      What about someplace.net (and all the variations of someplace in .net, too)? The "same" names in .co.uk? .us? .de? The rest of the 258 TLDs?
    10. Re:Honest question by gfody · · Score: 1

      it's just that DNS was never meant to be the universal name server for an internet population the size of today's.

      the ambiguousness of TLDs is already annoying enough. throw in upper ASCII characters and it's a nightmare.

      there should be one uniquely identifying value, ideally with no dashes, dots or anything. ie: "gordyspage". from there, add the display names: "gordys page" "gordy's page" etc. any common typos (godry grody paeg) could be automatically generated.

      so you basically have a one to many relationship back to gordyspage which pulls up the correct site.

      if someone else registered "gordonspage" and used the same aliases I did then those aliases would now provide a many to many relationship that could return the list of sites using them. probably along with a short description to further differentiate each other.

      there's no reason to build a dns system like this now though cuz people are going to just stop using dns directly. a lot of people I see typing addresses into google instead of the address bar. I used to think it was because they didn't know where to type but really it just works better that way.

      --

      bite my glorious golden ass.
    11. Re:Honest question by Anonymous Coward · · Score: 0

      Well, the fact is that in the Scandinavian languages, they really are considered different letters, and there are plenty of words where ä versus a changes the meaning completely. I wouldn't mind if your proposal was taken as a rule, but I'm sure there are organizations out there, with such small differences in their names.

    12. Re:Honest question by mdroid · · Score: 1

      One example is the Swedish municipalities Habo and Håbo http://www.habo.se/ ...

  23. Re:Drops support for.. by Anonymous Coward · · Score: 0

    yousa moran

  24. Isn't there a way to... by Anonymous Coward · · Score: 0

    prevent the "phishy" domain names to get registered? There must be something that can be done by the registering companies!!
    Firefox users may be safer from now on :p, but what about all those poor non-Firefox users?

  25. Re:How about selective INT Domain Filtering? by PurpleFloyd · · Score: 5, Informative

    This isn't about turning off domains like .kr. Rather, it's about turning off Unicode support in domain names - currently, in browsers which support IDN, it's possible to send someone to a URL which looks like "https://www.paypal.com" but really has a letter replaced with a non-English Unicode character which looks the same. This deactivation turns off support for Unicode domain names, not national domains.

    --

    That's it. I'm no longer part of Team Sanity.
  26. Drops? by Black+Parrot · · Score: 0, Offtopic

    I see that two other people have used this subject line, so I guess it must be the next big "fp" kind of thingy, and I just want to get in on it before everybody starts doing it.

    --
    Sheesh, evil *and* a jerk. -- Jade
  27. Re:Who uses Firefox/Mozilla anyways? by Anonymous Coward · · Score: 0

    Indeed. Not many. :)

  28. hmph by miruku · · Score: 5, Informative

    have they not read this?

    --
    MilkMiruku
    1. Re:hmph by Myen · · Score: 2, Informative

      Yes they have. Or at least somebody working for MoFo has.

    2. Re:hmph by rsborg · · Score: 1
      have they not read this?

      You know, I read what that guy had to say... and I don't get one of the decisions made. If mixing languages and character sets causes such problems (as two sites having the same "look" but not being the same site)... simple things like phishing are tip of the iceberg. What happens when you have two legitimate sites that are vying for a popular "name", but one is IDN and the other is not? (ie, stupid example: ebay.com vs. ébay.com... some guy with that last name)?

      I think the whole idea of a mixed character set is stupid and should be reconsidered. Sure, allow those who use Cyrillic characters to use them... but FULLY. No western characters allowed in the string, so no namespace pollution. People aren't going to pay attention to a blinking site icon or some stupid thing. What is needed is to not allow pollution of the namespace by merging two separate character sets when the need for that is totally bogus.

      --
      Make sure everyone's vote counts: Verified Voting
    3. Re:hmph by TuringTest · · Score: 1

      FTFL (follow the f* link). There ARE legitimate uses for mixed character sets. You don't need them because your native language is English, I presume?

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    4. Re:hmph by Troed · · Score: 1

      No western characters allowed in the string

      The Swedish alphabet is exactly the same as the English, up until our three extra characters. Are you seriously suggesting that we either never use those characters in domain names (why not?) or that we're ONLY allowed to use domain names consisting of those three characters only?

      You don't really know what people use IDN for at all, right?

    5. Re:hmph by dhakk · · Score: 1

      Great link, and the link author is certainly an expert on the matter. That being said, I'm not sure I would expect my parents/relatives to look for a non-standard IDN logo... so the spoofing problem would still exist.

      His hover+IDN logo idea has merit, but I think all the browsers would have to agree. If we're not counting on that, it would need to be something a bit more audacious (I know, I know, the link author didn't want anything too ugly). Why not have user-controllable background colors for each character set? You could default to make it so that (ahhh good to be English speaking) English has white background color and each other set has its own. That would make my parents think twice when going to paypal.com with the a having bright red background color.

      Perhaps a localization pack could make it so that a particular language's main character-set's background would be white? But that's just thinking...

    6. Re:hmph by Anonymous Coward · · Score: 1, Funny

      What, you need more than three characters? Jeez, computers only have two, and they get by somehow. Whiner.

    7. Re:hmph by Anonymous Coward · · Score: 0

      This is like ActiveX - great idea in theory but absolutely crap in practice. Until the proponents can make it safe for Grandma to avoid being phished by minor pixel differences it's dead. Just because there are legitimate uses doesn't make it safe to use. You want to use it *you* make it safe.

    8. Re:hmph by Psychic+Burrito · · Score: 1

      The author of this article contradicts himself:

      First, he says that there are two bad ways, among them "Make IDN resolution obnoxious so that users pay attention to it".

      And then, he suggests a hover-over pop-up that will show up way too often for e.g. Japanese users, making it extreeemely obnoxious.

      More proof that there is no easy solution.

      Add to that problem other hiccups like "IDN it won't enable with other parts of urls, like first level, third level or directory structures", and you can clearly see that the best thing would be to redesign the whole thing and start anew. And by the way, this comment comes from a native german speaker that would profit from those idn umlauts, too.

    9. Re:hmph by TuringTest · · Score: 1

      Until the proponents can make it safe for Grandma to avoid being phished by minor pixel differences it's dead.
      And so, that is exactly what is proposed in the article that was linked in the previous comment.

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
  29. Average user by mboverload · · Score: 0

    The average user who would fall for one of these scams (clicking on a paypal or citi bank link) is not going to be smart enough to edit some "strange file" in a "strange place" with "strange contents".

    1. Re:Average user by irokitt · · Score: 1
      The average user... is not going to be smart enough to edit some "strange file" in a "strange place" with "strange contents".

      That's why they are dropping the support by default, but people who want support for internationalized domain names (usually more experienced users, not the AOL set) can edit about:config. Mozilla isn't asking inexperienced users to edit strange things, they're making it so they don't have to.
      --
      If my answers frighten you, stop asking scary questions.
  30. Editors? by Space_Soldier · · Score: 2, Insightful

    Doesn't Slashdot have editors that are supposed to analyze and edit user postings? "Dropping" and "disabling" mean two different actions. I got confused for a second or two. Lately, Slashdot quality has been going down the tubes.

    1. Re:Editors? by ari_j · · Score: 2, Insightful

      Lately? This has been ongoing (or maybe complete) for years. The user submissions are either really bad as a whole or poorly selected by the editors to reflect only the low-quality posts we actually see, and then the editors further frustrate the readership by neglecting to do any editing at all, much less fact-checking.

      The least they could do is read the story and decide whether the story is accurate and whether the submission accurately reflects its content. If an editor can't decide one or both of those questions, then that editor should not post the story and some other editor who can understand the subject matter can take it up.

    2. Re:Editors? by SmokeHalo · · Score: 0

      I know this is OT, but when I was scanning your post it looked like you wrote "analyze user droppings".

      --
      I'm not good in groups. It's difficult to work in a group when you're omnipotent. - Q
    3. Re:Editors? by shark72 · · Score: 1

      " Doesn't Slashdot have editors that are supposed to analyze and edit user postings."

      This is often deliberate. Slashdot editors often choose words that are sensational and inflammatory. Accuracy takes a back seat in these cases.

      "Lately, Slashdot quality has been going down the tubes."

      My recollection is that Slashdot has always had this quality. One way in which Slashdot has changed lately is the epidemic of those "free iPod" pyramid schemes. I can't imagine that people find it worth the effort to sign up friends (or even strangers) into a pyramid scheme when scam-free iPods are readily available at the local retailer. $299 isn't a lot, really -- even if you make only $15 an hour, that's just 20 hours of work, and you don't have to annoy anybody in the process.

      "Do you want a free iPod? You can have one here [freeipods.com]."

      Case in point.

      --
      Sitting in my day care, the art is decopainted.
    4. Re:Editors? by SEE · · Score: 1

      Snort.

      "Lately, Slashdot quality has been going down the tubes." Moderated insightful.

      I'd say moderation quality has lately been going down the tubes, but my definition of "lately" would be "since the expansion past 400-odd moderators" . . .

  31. Re:Spaces in URLs by Anonymous Coward · · Score: 0

    Dude, you're going to be waiting a loooong time...

  32. Oh no... by Anonymous Coward · · Score: 0

    If Christmas Island's domain is blocked I'm switching back to IE6!

  33. If they really wanted to make us safe by Anonymous Coward · · Score: 0

    They would drop support for IP. I hear this internet protocol has a gaping hole where your address is broadcast TO THE WORLD! Unbelievable but true.

  34. Re:Those dirty foreigners by Anonymous Coward · · Score: 4, Funny

    In Soviet Russia, dirty foreigner is you

  35. Re:Spaces in URLs by GrAfFiT · · Score: 1

    Then how are you going to algorithmically delimit a URL? Remember that your computer doesn't understand what you tell it. As for the %20 issue, it's the same problem. You can't use a space both to separate arguments and to use it in your arguments.
    I don't want to end up with some XML style tagging just to use spaces in addresses...

  36. network.enableIDN by Anonymous Coward · · Score: 0

    I have set this to false in Firefox 1.0 and the spoof still works.

    http://secunia.com/multiple_browsers_idn_spoofing_test/

  37. That's International_ized_ Domain Names by braney · · Score: 0, Redundant

    There is a difference. They're not disabling something.ch, foobar.uk, etc. but addresses with unicode characters in them.

    --
    Let me know if you have an open postdoc position. -braney
    1. Re:That's International_ized_ Domain Names by braney · · Score: 1

      Yes, I know it's redundant. But I promise, when I started writing my comment, no one had said it yet!

      You have to be lightning fast around here...

      Maybe I shouldn't preview?

      --
      Let me know if you have an open postdoc position. -braney
    2. Re:That's International_ized_ Domain Names by Headw1nd · · Score: 2, Funny

      I feel your pain - how do so many long-winded comments spawn so quickly? Twenty minutes and the topic is washed up. I can only assume it's all a trick to get you to buy the subscription.

  38. Re:Spaces in URLs by Anonymous Coward · · Score: 0

    Do you really see this as a serious issue? I think the right thing is to prevent spaces from being used. When there is more than one way of doing things, you end up with more problems. If the spec had been changed 10 years ago, that would be one thing, but now everyone is used to no spaces being allowed. I know it wouldn't be hard to maintain backwards compatibility if the spec were changed, but this is something that can be handled entirely on the client side without changing the spec at all.

  39. Make IDNs more obvious by Mr.+Sketch · · Score: 3, Interesting

    Why don't they just make it obvious you're visiting an IDN? Similar to how they handle SSL sites, the location bar background turns yellow. Maybe for IDNs, they can make it red and flashing or something similar, so it's obvious to the user that something may be wrong. Maybe they could check and see if there is an equivalent looking domain name in english and then making it red and flashing to let the user know that it may not be the site they think they're visiting.

    There just seems to be other ways to handle it, since it really is more of a 'user beware' issue.

    1. Re:Make IDNs more obvious by Eivind · · Score: 1
      That does not help. It assumes that visiting an IDN site is something "rare", something you do only occasionally, something you do *not* do daily, and certainly never do you trust an IDN site.

      It helps not at all if my bank is a Norwegian IDN-site and I get phished with some IDN-site. Both look identical in the address bar, both have the idn-yellow-background on the status-bar. How am I supposed to know which one is which?

      Oh, and making them red and flashing, that'll go over real well with those of us that do *not* live in English-speaking countries (i.e. most of us)

    2. Re:Make IDNs more obvious by Lehk228 · · Score: 1

      the correct solution is to fix the IDN spec to not allow multi-charset domains (probably allowing the tld to differ from the rest, or even allow foo.bar.com to have different sets in foo and bar but never allowing contiguous blocks of characters to use more than one set.)

      --
      Snowden and Manning are heroes.
    3. Re:Make IDNs more obvious by Anonymous Coward · · Score: 1, Insightful

      There just isn't any fix of this sort that actually works.

      The official position of the people behind IDN (mostly domain registrars, speculators etc. but also a few genuinely well meaning people who thought they were doing some in the name of global unity) was that registries would do extensive anti-spoof checking.

      Of course actually doing such checks would cost money, which would interfere with profitability, so instead outfits like Verisign said that they "hoped" people wouldn't take advantage of their lax security to steal all your money. So if you happen to be a lawsuit-happy American, set your weasels on Verisign. They're the people who issued the domain used to test this vulnerability, which appears to be "paypal" but is actually a spoof. They've issued dozens, probably hundreds by now of similar fakes, and make a lot of money from each one.

      There are only 36 latin glyphs to learn (including the "arabic" numerals), and you need only be able to distinguish them from one another well enough to remember squiggles for important sites. Adding a further thousand, ten thousand, or hundred thousand confusing squiggles in the name of "improved accessibility" is one of the hilarious mistakes made by people who can't tell the difference between "politically correct" and "totally stupid". None of the serious user error/ spoofing/ fraud problems were fixed in this standard, because they weren't fixable. Now that this is public knowledge, my guess is that IDN is as good as dead.

  40. Re:mmmm.....pita by Anonymous Coward · · Score: 0

    That's just UnAmerican. In so many ways!

  41. yEAH! by Prince+Vegeta+SSJ4 · · Score: 1
    Microsoft announces that it supports all 65535 ports on your 'puter. They also support Gator and Doubleclick.

    ba da bing

  42. Re:OUtstanding! Smart defaults by Anonymous Coward · · Score: 0

    peek $CHARSET, find "UTF8", conclude, what precisely?

  43. IDNC3 by StarDrifter · · Score: 5, Informative

    D. J. Bernstein (djbdns, qmail, ...) saw this problem coming back in 2002. He proposed an alternative to IDNA called IDNC3 which he claimed wouldn't cause this kind of mess. Looks like nobody listened to him though.

    1. Re:IDNC3 by Neuroelectronic · · Score: 0, Offtopic

      I thought they fixed this already. Wasn't there a new build released like 12 hours after the fact, that fixed this problem? I disabled the IDN support and then installed the new build, and it was re-enabled.

    2. Re:IDNC3 by evilviper · · Score: 2, Informative

      DJB is hardly a prophet. He predicted that new (greek) characters that looked like ASCII characters could be used to make an alternate URL that looks like it is legitimate. Big whoop. Anyone with a double-digit IQ and any grasp of the internet could have predicted the problem long before 2002. Back when I was signing on to Compuserve on a 286 running DOS, I could have told you that rendering different characters similarly would pose problems with site verification.

      The solution, however, is not to eliminate the number 1, or the letter L from our keyboards, but to use decent FONTS in our web browsers. I generally use Bitstream Vera Sans, which does a fair job of differentiating between similar characters. An even better solution would be for fonts to appear in different COLORS. If all numbers in URLs appeared BLUE, while all letters appeared GREEN, and all foreign characters appeared RED, you couldn't possibly confuse them. Most governments have figured this out decades ago, and design their currency in this way.

      Even fixing this will only stop the current wave of tricks. The underlying problem is that the internet (and computers in general) is just pieced together from spare parts. Things like SSL are just added on-top, and you're lucky Netscape programmers were even smart enough to put a Lock icon in the browser.

      These issues are everywhere, and just waiting to be exploited. I heard from someone, not long ago, that installed SSH and connected to a server, and noticed that his data was being transferred in clear-text. Now, the problem was just that the client and server couldn't agree on a mutual protocol, other than null, but the real problem is the lack of communication from the lower-levels of the program, to the user. OpenSSH has simply removed the NULL cipher for reasons such as this, but that's just another quick fix that doesn't really solve the problem, and will come back to haunt us in a few years.

      All this stuff NEEDS to be re-designed to be robust, and I don't mean handling strange errors behind the scenes, without telling the user. We lack the fundamental system design needed to put together a solid system from the ground-up, rather than piecing hacks on top of programs to temporarily eliminate the most common flaws that are exploiting fundamentally poor designs.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:IDNC3 by snorklewacker · · Score: 2, Insightful

      > Looks like nobody listened to him though.

      To the defense of ... well, everyone but DJB, he doesn't exactly make people want to listen to him. Given his manner and his licenses, the conclusion of even cold rational business-oriented security folks is that if they borrow djb's ideas elsewhere, he'll turn around and sue them for IP violations simply out of spite.

      At any rate, his proposal for IDNC3 simply seems to be "just switch to UTF8, let everything break, and when it goes live, disallow any characters that are 'risky'". This is what we in the industry call a handwave. I'm not a fan of punycode either, but it addresses a problem that raw UTF8 precisely doesn't. There's simply nothing to his proposal at all.

      --
      I am no longer wasting my time with slashdot
    4. Re:IDNC3 by millwall · · Score: 2, Insightful

      An even better solution would be for fonts to appear in different COLORS.

      Ahem, *cough* colour blind *cough*

    5. Re:IDNC3 by Logi · · Score: 1
      If all numbers in URLs appeared BLUE, while all letters appeared GREEN, and all foreign characters appeared RED, you couldn't possibly confuse them.

      Much of the world would then have their text in a seizure inducing red/green pattern. That's not really a solution.

      Also, I'm going to take this opportunity, as someone who spends a lot of time fixing American programmers' stupid character encoding code, to declare that you guys suck. Thank you for your time.

      --
      Logi - I can do anything, but not everything.
    6. Re:IDNC3 by Anonymous Coward · · Score: 0
      If all numbers in URLs appeared BLUE, while all letters appeared GREEN, and all foreign characters appeared RED, you couldn't possibly confuse them.

      Much of the world would then have their text in a seizure inducing red/green pattern. That's not really a solution.

      Those domains would sell like hot cakes around Christmas!
    7. Re:IDNC3 by Flower · · Score: 1
      Substitute colors with changes in font. Numbers bold and IDN in italics with a larger font. Or something like that. Making it friendly for the International community is a separate problem. People have already suggested having the program pull user settings and adapt to that.

      Heck, you could have all of these options and turn the URL into a pulsing rainbow. As long as it readily identifies the mixed character set. IMHO, this problem won't have a solution that will make everyone happy. The question is, is there a solution that everyone can live with?

      --
      I don't want knowledge. I want certainty. - Law, David Bowie
    8. Re:IDNC3 by D.+J.+Bernstein · · Score: 1
      ``Let everything break, and when it goes live, disallow any characters that are 'risky' ''---No, you have the situation completely backwards. My IDNC3 proposal would never have allowed registration of any characters in domain names except characters specifically designated as being safe. If you read the discussion of six design issues in my original proposal then you'll see this important prohibition emphasized in four of them. The security problem that Firefox is now dealing with is one of those four issues.

      Incidentally, there's no obstacle to Firefox adding IDNC3 support. If the user types a non-ASCII URL, Firefox can't simultaneously treat it as both broken-IDN and IDNC3, but the whole discussion here is prompted by Firefox turning off broken-IDN by default.

    9. Re:IDNC3 by evilviper · · Score: 1
      Ahem, *cough* colour blind *cough*

      I know a few color-blind people, myself, and at the very least, they are all at least able to recognize that there is a color difference between different-primary color objects next to each other.

      That's all you need, as it would be near impossible to make up an English-looking URL entirely from foreign characters, or entirely from numbers.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    10. Re:IDNC3 by evilviper · · Score: 1
      Much of the world would then have their text in a seizure inducing red/green pattern. That's not really a solution.

      That color-scheme was just an example. In addition, it's not going to be much of an annoyance when it's just for the URL, perhaps the status bar on hover, and URLs in the body. Other than that, normal font colors would be fine.
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  44. Better Way by Anonymous Coward · · Score: 0

    would be to have international domain names show up in red and regular ascii show up in blue.

  45. Re:How about selective INT Domain Filtering? by ghoti · · Score: 1

    No, that's called censorship. And it wouldn't solve anything, either. Most spam crap I get points to .com addresses ...

    --
    EagerEyes.org: Visualization and Visual Communication
  46. correct link - Demonstrations by the Schmoo Group by Anonymous Coward · · Score: 0
  47. Can you identify an IDN? by jfengel · · Score: 5, Informative

    The problem is that you can't always easily identify an international domain name. In particular, IDNs contain characters that are nearly identical to Latin character set but are treated differently. Slashdot won't let me put in examples, but examples here.

    The paypal.com one is particularly scary. It looks like paypal.com in your status bar when you hover over the link. It reads paypal.com in your address bar. But it isn't Paypal. That's because the "a" isn't an "a" but is really Unicode D0B0. If they'd put any effort into making it look like Paypal, it would be easy for somebody to direct you there and steal your Paypal password.

    In Firefox and IE they're indistinguishable. Even if they added a clue that something was different (e.g. colors to indicate an IDN) you'd have to look closely, and if IDNs became common you'd start to ignore the color coding. If the only difference between "paypal.com" and an identical spoof were small, you'd get tired of looking closely, and forget. If the warning was unignorable, like a popup, you'd turn it off.

    So the upshot is, yeah, beware of web sites you don't know, but with IDNs you don't always know whom you know.

    1. Re:Can you identify an IDN? by Anonymous Coward · · Score: 0

      Yep, so don't continue to click on that paypal or link on those "Free XXX" sites you browse to every day ;)

      Seriously, this has been a recommendation for a long time. Never click a link on someone else's website to go to your bank or secure site.

    2. Re:Can you identify an IDN? by jfengel · · Score: 1

      It's a good recommendation, but not always as practical as it might seem.

      Amazon, for example, has "affiliate" programs: you advertise a book on your web site and link to Amazon to purchase it. You have to use their link or the affiliate doesn't get credit. If that link asked me for my password, I might give it, even though I shouldn't be expecting it.

      Perhaps that's a pathological case. The paypal link, for porn or otherwise, is more likely. In those cases it's good policy to do exactly what you say. But I'm thinking that requires me to remember an awful lot and type an awful lot. The effort is trivial compared to fixing an identity theft, but it gets tiring anyway when you do it every single day, usually for no reason (since 99.9999% of the sites I visit wouldn't try to steal my money.)

    3. Re:Can you identify an IDN? by Trillan · · Score: 1

      The problem is not identification, the problem is the DNS resolution system badly needs a patch to eliminate the difference between $41 and $D0B0. Since the former exists, the latter shouldn't. Since that probably won't happen, it needs an OS-level patch. Since that probably won't happen, it needs a browser-level patch.

      But the lower this fix goes, the better it will be for all of uz.

    4. Re:Can you identify an IDN? by sean.geek.nz · · Score: 1

      The fact that some unicode characters look exactly like ascii (or whitespace) also means you can break java source code (java bytecode accepts unicode) by replacing a few dozen 'a's with 'a's. It can have developers weeping with frustration trying to figure out why the code isn't working.

      But I wouldn't do that. That would be wrong.

      Sean

    5. Re:Can you identify an IDN? by jfengel · · Score: 1

      Eliminating the difference between $41 and $D0B0 feels like a hack; it would leave a hole in whatever character set D0B0 is in. A Greek P (rho) and an English P are not the same character; neither are the Russian H and the English H, even though they're orthographically identical.

      Still, mapping those together at the DNS level would solve this problem neatly. You just reject registrations for domain names with identical orthographies, especially when they have mixed character sets. Yeah, I can see some Greek complaining that he wasn't allowed to register rho-rho-rho.com because it looked too much like PPP.com, but the number of such complaints should be tiny.

    6. Re:Can you identify an IDN? by Trillan · · Score: 1

      I'm glad you were able to understand that. Re-reading my post, it seemed a bit disjointed. :)

  48. The reason they did it... by SmokeHalo · · Score: 0

    ...was because the about:config 'fix' apparently doesn't work.

    --
    I'm not good in groups. It's difficult to work in a group when you're omnipotent. - Q
  49. How about this? by Anonymous Coward · · Score: 0

    How about this for a solution..
    1) No IDN address containing more than one charset should work, at all. I can't see a reason why you would need English and Japanese in the same domain for instance. That would cure the problem like demonstrated with the fake paypal site where one or more characters were Cyrillic.

    2) If the domain was completely in a character set, but say using japanese romaji to display "paypal.com" it would check your browser/system region if it matched. If not then it should highlight the address bar red, and note the charset in the address bar as well such as (Shift_JIS) or (Japanese) etc.

    Seems at least like a good start to me.

    1. Re:How about this? by aamcf · · Score: 1
      I can't see a reason why you would need english and japanese in the same domain for instance.
      I'm currently working on a paper about translations of a rare Greek term, arsenokoites. If I wanted to put up a website about it, translatingarsenokoites.org would be a nice choice, if I could also have arsenokoites in Greek too.
  50. IDN by Anonymous Coward · · Score: 0

    IDN is WRONG. The look up library should be a part of the OS, not the application. As gethostbyname, but with support for more than 7-bit ascii.

  51. Oblig. by saintp · · Score: 1
    Lately, Slashdot quality has been going down the tubes.
    You must be new here.
    1. Re:Oblig. by snorklewacker · · Score: 1

      FYI: The spreadingsantorum link in your sig is only going to work on humans. Google spiders slashdot without a login and thus never even sees sigs. Try logging out, you'll see.

      --
      I am no longer wasting my time with slashdot
  52. /. drops support for accuracy by Anonymous Coward · · Score: 0

    In other news... Microsoft drops support for Word...

    1. Re:/. drops support for accuracy by grolschie · · Score: 1

      You mean they had support for it in the first place? ;-)

  53. UTF8 -- careless user by redelm · · Score: 1
    ... and default to secure. If $CHARSET was something like KOI, or Big8 or other recognizable international, then default to accept.

  54. Not International domain names. by northcat · · Score: 2, Informative

    Not International domain names. Internationalized domain names.

    1. Re:Not International domain names. by Leroy_Brown242 · · Score: 1

      Well, that makes a bit more sense. . . .

  55. Re:OUtstanding! Smart defaults by Anonymous Coward · · Score: 0

    What is so smart about not supporting a well needed feature of the internet?

    Would you also disable the IP protocol by default? After all, there are malicious websites on the net?

    Solve the problem, not pull the plug!

  56. We need to tighten up web certificates by EsbenMoseHansen · · Score: 4, Insightful

    Well, you wouldn't trust a site that doesn't present a valid certificate. The problem is that obtaining such is too expensive for many.

    We need a reliable way for a domain owner to get a certificate issued for that domain. This is mostly a bureaucratic problem, which could be solved, people willing.

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    1. Re:We need to tighten up web certificates by mindstrm · · Score: 1

      IT DOES present a valid certificate, that's the point.

    2. Re:We need to tighten up web certificates by EsbenMoseHansen · · Score: 1

      I get a "The certificate was not issued for this host" when I try to enter (via https --- http should be dead and buried for anything remotely sensitive, and that does include paypal).

      That was with Konqueror. The link doesn't work in firefox for some reason.

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
    3. Re:We need to tighten up web certificates by spuke4000 · · Score: 1

      I work for a large certificate authority that issues SSL certificates (that shall remain nameless). The reason SSL certs are so expensive is that it takes a lot of work to validate that the person enrolling for the cert really is who they say they are, that they have the right to request a cert for the domain, etc. If this was a cursory, 5 minute process the certificate wouldn't have much value, because it wouldn't prove anything. But to have someone spend several hours collecting and validating documentation from the end user costs $$$$. I don't see how this could be solved 'bureaucratically'.

      --
      This post cannot be rebroadcast without the express written consent of Major League Baseball.
    4. Re:We need to tighten up web certificates by Anonymous Coward · · Score: 0

      And if they didn't bother with SSL? If it looked exactly the same as paypal, would most people realize they didn't get an SSL version of the site?

    5. Re:We need to tighten up web certificates by Anonymous Coward · · Score: 0

      who wouldnt? your mom? your grandma? what IS the difference between an ssl and non ssl site? does it have big SSL letters across the screen when you access it? no?

      then it looks exactly the same with or without ssl? then what is the question?

    6. Re:We need to tighten up web certificates by ddent · · Score: 1

      I think you'd be surprised. There is some competition in the certificate market these days and they can be had significantly more inexpensively than used to be possible.

      That said, I agree it would be good if it was more feasible for new CAs to establish themselves. It isn't easy, nor is it cheap.

    7. Re:We need to tighten up web certificates by aichpvee · · Score: 0

      Doesn't it change the colour of the text in the address bar or something? I think that's how you tell the difference.

      --
      The Farewell Tour II
    8. Re:We need to tighten up web certificates by ajs · · Score: 1

      if I understand correctly, SHA-1 is a similar algorithm to MD5, which is commonly used to uniquely identify files

      That's because the certificate was not issued for that host. This is a configuration problem on that server, not a guarantee of any sort. If pypal.com registers a certificate for pypal.com, then your browser will gladly accept it, since it matches the domain. The only safeguard there is that it might be hard for them to get a certificate under such an obviously scam-oriented name... HOWEVER, you do not want the security of your site's e-commerce and customer reputation to rely on all CAs everywhere being immune to bribery....

    9. Re:We need to tighten up web certificates by EsbenMoseHansen · · Score: 1

      One way would be to issue a digital certificate to every citizen and company in a country. Not an insurmountable project (though not trivial, either)

      --
      Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  57. Re: Damn it's true by Anonymous Coward · · Score: 0

    Damn. That's right. Only American domains are pure and perfect. Indeed America should have borders to stop all international internet traffic. It should be illegal to visit a foreign domain. damn. If you support international domains you support terrorism.

    Damn. Now where did I leave that URL for my Russian Viagra supplier. damn

  58. Re:Who uses Firefox/Mozilla anyways? by a11 · · Score: 0, Flamebait

    I believe the stats are smth like 80% of slashdot users. you dumb piece of shit.

  59. Re:How about selective INT Domain Filtering? by Anonymous Coward · · Score: 0

    Damn. If you support Unicode you support terrorism. Unicode is used by terrorists and corrupts American children. Damn. Good ol' American ASCII is what our founding fathers like John Wayne used. Damn.

  60. Real solution... by Sylver+Dragon · · Score: 4, Informative

    A real solution for this problem is posted here

    The applicable part is:
    1. Install the Adblock Firefox extension.
    2. Look at the Adblock 'Preferences' and go to 'Adblock Options'.
    3. Tick 'Site Blocking'.
    4. Add the following filter:
    /[^\x20-\xFF]/

    --
    Necessity is the mother of invention.
    Laziness is the father.
    1. Re:Real solution... by TuringTest · · Score: 3, Insightful

      This is not a solution, it's a workaround. A solution would be something that allowed one to use IDN sites without risk of phishing.

      This will block any URL that uses characters outside the normal ASCII range.
      So why was IDN created at all?

      --
      Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    2. Re:Real solution... by Anonymous Coward · · Score: 0

      because a group of pro-internationalization extremists wrote some documentation describing a simple but fundamentally broken system for adding unicode to domain names and got it accepted as a standard.

      tld owners saw this standard as a great way to make more money and started allowing it for domains under their tld.

      then a group of standards extremists (mozilla) put it into their browser.

      iirc luckily ms didn't make the mistake of supporting this particular misfeature.

      unicode is fine for text intended for human consumption; it is extremely lousy for anything that involves its use for human entered identifiers. (ie stuff that must be entered by humans and then matched by machines)

      the only way i can see it could possibly be safe is with a STRONG reduction algorithm combined with disallowing any code points the algorithm didn't recognise.

    3. Re:Real solution... by Lariano · · Score: 1

      Blocking all IDN sites isn't really a good long-term solution either...

    4. Re:Real solution... by lakeland · · Score: 3, Insightful

      No, that's an awful 'solution'. What about a domain name like http://www.māori.co.nz/? I bet that doesn't even render correctly for you since you probably disabled international fonts too. Your stupid solution prevents people from accessing that site.

      Or are countries supposed to not allow domain names to use characters from their language now? Chinese who don't speak a word of English are expected to guess an English version for local domains? I bet they'd like it as much as you'd like a new standard that only chinese characters are allowed in domain names since they are unambiguous.

      Disabling international domain names is barely acceptable for a workaround. It sure isn't any sort of solution to the problem.

    5. Re:Real solution... by Anonymous Coward · · Score: 0

      If you need IDN, use it. I don't want to be phished, so I won't. If someone in China wants me to read his site, use characters I can type easily.

  61. Thanks for pointing that out... by artemis67 · · Score: 1

    I was about to say, "Wow, is it April 1st already?"

  62. Please try and pay attention. by joe630 · · Score: 0

    SHMOO

    NO C.

    S H M O O

  63. so is XYZ.US an international domain name? by StateOfTheUnion · · Score: 1
    So does XYZ.US count as an international domain name? Seriously though . . . that was a poor post . . . internationalized/international; changes the entire meaning of the parent.

    Though this may surprise some of the more 'jaded' readers, I am really surprised that this one slipped by the editors. . .

  64. Well Michael got fired. by glrotate · · Score: 0, Offtopic

    So maybe Zonk is next?

  65. This is a job for... by TuringTest · · Score: 1

    ...a Firefox extension!

    --
    Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
  66. Re:Mozilla is an American project by huge+colin · · Score: 1

    Just once I'd like to read a Slashdot article about software or robots or something that hasn't been used to make a smug political statement about the evils of America's foreign policy.

  67. Re:Those dirty foreigners by Anonymous Coward · · Score: 0

    You sure he's not posting from there?

  68. Someone please forward this article to Microsoft by Jtheletter · · Score: 1
    So they can see how bloody easy it is to increase security by doing something as simple as making a safer setting the default.

    BTW, Bill if you're listening, thank you sooo much for allowing any source to install browser helper objects by default. I mean how could it go wrong, right guys? CWS variants pretty much destroyed my parents' PC's usability/trustworthiness.

    --
    -- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
  69. Re:How about selective INT Domain Filtering? by magi · · Score: 1

    URL which looks like "https://www.paypal.com" but really has a letter replaced with a non-English Unicode character which looks the same

    In what way? To my knowledge, there is only one way to encode the latin letters in UTF-8. They don't have any redundant code positions in Unicode, do they?

    Or do you mean, almost the same? Like, https://www.päýpâ1.com/?

  70. Re:Who uses Firefox/Mozilla anyways? by Anonymous Coward · · Score: 0

    Same people who feed Linux to their cats and use KDE and GNOME.

  71. Better yet by TuringTest · · Score: 2, Funny

    There are websites that use IDN characters... IN JAPAN!

    --
    Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
    1. Re:Better yet by TheoMurpse · · Score: 1

      But what about old people in Korea?

  72. a fix for Firefox under Linux by SilveRo_kun · · Score: 2, Informative

    From your home directory, enter the .mozilla/firefox/*.default folder; then with vim open compreg.dat, and search for the string: "idn-service;1" (use the / function). Change the 1 to 0 in both the strings you find. Now, restart Firefox.

    The url will still appear spoofed at the bottom-left corner of the browser, but if you click on the proof-of-concept link it won't work.

    1. Re:a fix for Firefox under Linux by Anonymous Coward · · Score: 0

      When you install a new extension, do it all again.

  73. Test before you mod parent up, please by Cid+Highwind · · Score: 1

    Who modded this +4 informative? It doesn't work!

    Tested the parent's suggestion with Mozilla 1.7.5 on Linux and Firefox 1.0 on Windows, the exploit still works on both platforms.

    --
    0 1 - just my two bits
  74. Easy Fix by Anonymous Coward · · Score: 0

    A very simple solution is to require that domain names be written in one set of characters, rather than a combination. This way, normal English characters mixed with Cyrillic, for example, would be disallowed.
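
    An added example, not code from the thread, Mozilla or Adblock, that implements the single-script rule proposed in comments 49 and 74, shows the punycode form the resolver actually sees, and applies the Adblock filter from comment 60 to the same inputs. The sample domains are constructed, and deriving a script from the character's Unicode name is a stated heuristic, since Python's unicodedata exposes no Script property.

```python
"""Mixed-script check for IDN labels, plus the punycode view and the
thread's Adblock filter applied to the same constructed samples.
Added example; not code from Mozilla, Adblock or any commenter."""
import re
import unicodedata

# Assumption: scripts that legitimately share a label are merged into one
# group so that a Japanese name mixing kana and kanji is not flagged.
_SCRIPT_GROUPS = {"HIRAGANA": "JAPANESE", "KATAKANA": "JAPANESE",
                  "CJK": "JAPANESE"}


def script_of(ch):
    """Heuristic: take the script from the character's Unicode name
    (unicodedata has no Script property). Digits and '-' count as COMMON."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return _SCRIPT_GROUPS.get(first, first)


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {script_of(c) for c in label} - {"COMMON"}


def mixed_script_labels(domain):
    """Labels that use more than one script, mapped to the scripts found.
    An empty dict means the domain passes the single-script rule."""
    found = {}
    for label in domain.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            found[label] = sorted(scripts)
    return found


def is_single_script(domain):
    """The rule proposed in the thread: every label uses at most one script.
    Note it does not catch a lookalike written entirely in one other script."""
    return not mixed_script_labels(domain)


def to_ascii(domain):
    """What the resolver sees: IDNA 2003 ToASCII via Python's idna codec.
    A lookalike that renders like the real name becomes a distinct xn-- name."""
    return domain.encode("idna").decode("ascii")


# The Adblock site filter quoted in the thread. Assumed here to be matched
# against the Unicode form of the URL: it rejects any character above U+00FF,
# so Latin-1 lookalikes such as ä or ý pass through it.
ADBLOCK_FILTER = re.compile(r"[^\x20-\xFF]")


def adblock_filter_blocks(url):
    """True if the thread's filter would block this URL."""
    return ADBLOCK_FILTER.search(url) is not None


# Constructed samples for this example.
SAMPLES = {
    "paypal.com": "genuine ASCII name",
    "p\u0430ypal.com": "second letter is CYRILLIC SMALL LETTER A "
                       "(U+0430, UTF-8 bytes D0 B0)",
    "m\u0101ori.co.nz": "legitimate Latin IDN, a with macron",
    "p\u00e4\u00fdp\u00e21.com": "Latin-1 lookalike ending in digit one, "
                                 "single script",
}

if __name__ == "__main__":
    for domain, note in SAMPLES.items():
        single = is_single_script(domain)
        blocked = adblock_filter_blocks("http://" + domain + "/")
        print(f"{domain:18} {to_ascii(domain):22} "
              f"single-script={single!s:5} adblock-blocks={blocked!s:5} {note}")
```

Run as a script, it prints one line per sample showing that the single-script rule rejects the Cyrillic lookalike but accepts the Maori name, while the Adblock filter blocks both and lets the Latin-1 lookalike through.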

  75. It's like curing calluses by chopping the legs off by melted · · Score: 4, Insightful

    It's like curing calluses by chopping the legs off. It's about time that someone with a brain came in and fixed this phishing problem once and forever. Disabling international domains is not a solution. Remember, majority of the population of this planet doesn't speak English. Why should they NOT use their native alphabet?

  76. Re: Mozilla Team by Anonymous Coward · · Score: 0

    This is the approach they take. I have tried to warn them in several different bugs that if they start trying to protect the user from themselves, they are going to soon be shipping a crippled product. No one listens. Now Firefox appends file extensions to downloads that already have an extension, they have disabled international domains, what next? Someone call me when the fools in charge get fired.

    Can we blame them though? Most of the team are from Unix and Mac .. both of which have minuscule market shares. They have no experience doing what people want.

  77. How would it help the Russians? by tepples · · Score: 1

    Wouldn't rendering the characters in question as black-on-red in the status and location bar be a more effective solution? Or the entire background changes to red to warn the user that the characters they can read aren't the "actual" characters in the domain name?

    Pink, not red, to help the color-blind. But still, how would a pink background help people living in Eastern Europe distinguish a legit mixed-Latin-and-Cyrillic IDN from a phishing mixed-Latin-and-Cyrillic IDN? Take Yandex.ru for instance; an IDN alias for the domain would probably use the Cyrillic letter Ya (which resembles a reversed Latin R) and Latin letters N, D, E, and X.

    1. Re:How would it help the Russians? by Anonymous Coward · · Score: 0

      Actually Yandex would be spelled because the is actually a "kh" (like the greek letter Khi)

    2. Re:How would it help the Russians? by Anonymous Coward · · Score: 0

      Nope, it's YA-n-d-e-k-s, at least on the title tag of the Russian version of Yandex.

    3. Re:How would it help the Russians? by Anonymous Coward · · Score: 0

      That's what I was saying.. Not my fault if the cyrillic characters didn't make it through the slashdot comment ...

      I was also saying that the "x" cyrillic letter is actually the "kh" sound, like the greek letter khi, and that's why Yandex can't be YA-n-d-e-x

  78. Re:Didn't you know... by Anonymous Coward · · Score: 0

    Slashdot is now run by a cat fed with Linux who runs python using wind power. Get with it dude.

  79. Better by Quixote · · Score: 2, Insightful
    A better solution would be to limit the possibilities for each domain. For example: ".com" can be limited to just plain ASCII. On the other hand, ".cn" can have the Chinese characters.

    Think about it: the aim of the IDN is so that the native readers of a non-ASCII language can use domains which make sense to them. If ASCII doesn't make sense, then what about the ".com"?

    This whole IDN thing was designed improperly. I can't imagine why the designers didn't bother to take a look at the myriad character sets floating around out there. Just a cursory glance at the Unicode book would have given them second thoughts.

    1. Re:Better by dreamer-of-rules · · Score: 2, Informative

      ..l..0..1..O..I

      They did consider the implications, compared them to the security risks users were already exposed to, and suggested that the applications (this being an application-layer protocol) visually distinguish IDN or mixed IDN domains.

      http://www.faqs.org/rfcs/rfc3490.html

      Check out sections 1.2 and 10.

      --
      Everyone is entitled to his own opinions, but not his own facts.
    2. Re:Better by hta · · Score: 1

      What? And deny Verisign the right to be the Domain Provider To The World? ..... and believe me, quite a few of those people who designed IDN have not only glanced at, but READ the Unicode book......

  80. Re:Spaces in URLs by northcat · · Score: 1

    It will make coding very hard in most situations and impossible in others. Now we'll have to have delimiters every time we mention a domain name or a URL and the computer has to recognize it. There are protocols and applications which do not use delimiters for domain names, and they won't work because of this. And do we really need spaces in domain names? Aren't hyphens enough?

  81. IDN is a loss by Anonymous Coward · · Score: 0

    If they can't type their domain name in regular old English letters, what are the odds that they'll have any good content on their site for this English reader?

    Phones around the world have 0-9* and #... why must DNS addressing be Balkanized?

    tone

  82. Guess I'll have to get a day job. by Cyburbia · · Score: 3, Funny
    That's too bad. I just registered bánkofamerïca.com, too.

  83. Re:OUtstanding! Smart defaults by starfishsystems · · Score: 1
    Sometimes it's not a simple black-and-white issue.

    Here we have an apparent tradeoff between generality and security, manifested as a phishing exploit. Support for international character sets seems innocent enough in itself, but it turns out to have some potential to mislead the human observer.

    However, precisely the same security problem exists even without reference to international character sets. In plain ASCII, the characters "0" and "O" are nearly homologous, as are "1" and "I".

    In general, phishing attacks exploit any kind of substitution which can at least temporarily deceive a human observer. A plausible, but deceptive, domain name would do just as well.

    It's not clear, therefore, that an effective security solution to phishing can ever be automated. Instead, it will have to create more favorable conditions for human perception.

    --
    Parity: What to do when the weekend comes.
  84. Re:How about selective INT Domain Filtering? by Anonymous Coward · · Score: 1, Informative
    To my knowledge, there is only one way to encode the latin letters in UTF-8. They don't have any redundant code positions in Unicode, do they?

    They don't, but they do have multiple code points that are commonly rendered to the same glyph (yet have different collation behavior, etc.) In these example exploits, the Cyrillic "o" (&#1086; = &#x043E; = U+043E [*]) is used in place of the Latin "o". It looks identical, but it's a different domain.

    [*] - It's in this Unicode code chart.

  85. I don't want to scare you by ThreeDayMonk · · Score: 1

    I really don't want to scare you, but right now - when you were posting this as an Anonymous Coward - your computer was broadcasting an IP address! They know who you are.

    --
    If your comment title says 'Re: Foo', I'm not likely to read it.
  86. You have to understand.. by JPriest · · Score: 0

    This is just an alternate title to "Gaping security hole discovered in Firefox, experts say switch to IE"

    --
    Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
    1. Re:You have to understand.. by aichpvee · · Score: 0

      When was the last time a legitimate expert said to switch to IE?

      --
      The Farewell Tour II
    2. Re:You have to understand.. by Anonymous Coward · · Score: 0

      It was a joke aimed at all the "Another bug found in IE, switch to Firefox" articles.

    3. Re:You have to understand.. by aichpvee · · Score: 0

      I understand that, but I was also kind of curious. Because at some point someone must have said something like that seriously.

      --
      The Farewell Tour II
    4. Re:You have to understand.. by fd0man · · Score: 1
      I have heard people say it, seriously.

      These are people who are too lazy and don't care to maintain systems and support users. "Oh, yes, page X requires that you use Internet Explorer because of _insert problem here_. Yes, I know that the rest of the world doesn't like IE... But just use it here, m'kay?"

      And within a few days, that admin has got tons of crap on their hands - and it *can't* be IE's fault, damn those stupid users.

      There are people who just don't see the worth in switching away from Microsoft's product, which is a shame, because there are some pages that users will go to that do not work with Firefox/Mozilla/anything else (because of ActiveX). I don't quite know why people are such MS zealots, but it seems that they cannot see the amount of proof that, well, Microsoft sucks.

  87. Re:Those dirty foreigners by Armando_Mcgillicutty · · Score: 1

    I must admit that's the first time I've ever seen that phrase used, and actually thought it was somewhat funny, instead of just wanting to punch the person who came up with it.

  88. Well.. by raehl · · Score: 5, Funny

    It's used to send me money, of course.

    Thanks,
    Qal

    1. Re:Well.. by qal · · Score: 2, Funny

      Damned ID-Theft... Qal

  89. the IDN key doesn't work! by http101 · · Score: 0

    I have the network.enableIDN key set to "false" in both FireFox 1.0 and Mozilla 1.7.5. Guess what? It still lets the exploit occur! BEWARE!

    Test your browser here:

    http://www.shmoo.com/idn/

    or here:

    http://secunia.com/advisories/14163/

    --
    -- Game Developers: Stop porting badly-textured games from crappy console systems!
  90. [Off-topic] Re:Drops? by Anonymous Coward · · Score: 0

    Only replying to this because of your sig. I don't know how to send a private message.

    Firefly rocks.

    http://www.mshiltonj.com/blog/archives/2004/03/04/firefly-coming-to-big-screen/

    I've bought the DVD set and loaned it out to a number of friends, most of which (literally, all but a couple) have went out and bought their own set.

    Many people in my circle are now waiting on the movie. And the fact that most have bought their own sets creates a big multiplier effect.

    Posting AC but my username is mshiltonj

    To everyone else, sorry for the off topic thread.

    1. Re:[Off-topic] Re:Drops? by Anonymous Coward · · Score: 0

      most of which [...] have went out

      "most of whom [...] have gone out".

  91. A potential fix for any form of Spoofing by Anonymous Coward · · Score: 1, Interesting

    When a user browses a bookmarked or frequently visited domain a 'star' (or some other simple symbol) appears at the end of the URL (or next to where the SSL Padlock icon appears in the browser). The user could now easily identify that they are indeed browsing on one of their favoured websites. The browser itself is able to know this because it can grab a list of domains from the user's bookmarks and look in the user's history to see frequently accessed domains, for example sites accessed on more than 10 separate occasions (this figure could be set to something more suitable, it is just an initial guess at a good figure).

    If you are a Paypal user for example you are likely to have Paypal bookmarked or at the very least you will probably visit it regularly. If some website or email links to a fake Paypal then when the site loads the star will be missing from the address bar field since it will be the first time you have used this fake site. Hence it is easy for the user to see something is wrong. Hopefully users would get used to the idea that their favourite sites always display a star in the address bar, so this would start to become obvious.

    Maybe it would require educating the users about what the star is and why it appears there but this had to be done when the SSL padlock was first added to the browser. I reckon people would pick this up in no time.

    I have suggested this on the Opera forums (I'm an Opera user). I may also suggest it on some of the Mozilla forums. Even if Firefox/Mozilla did not make it default perhaps someone could create a plugin (which is currently beyond me).

    I have had some criticisms of the idea. For example someone pointed out that the first time you visit a new safe website no star would be present. Also, not all people use bookmarks extensively. My response has generally been along these lines:

    When you first visit a site you don't know if you can trust the site anyway. I'm usually cautious of new sites the first few times. I am that little bit more nervous about giving them personal data or credit card information hence I check the site out more carefully. I bet most people are the same. Furthermore after you have come back and used that site a few times and hence presumably are happy with it, it would move to one of your most frequently visited sites (or you might even bookmark it). After this point a star would display.

    Regarding bookmarks, it is true that many people don't use bookmarks and in the age of Google you might even say why bother, but many people do, and if people knew that by bookmarking a site they could later verify it was the same site they had been to previously they may be willing to start bookmarking again, even if only for financial sites. Instead of bookmarking (or even in addition to bookmarking) you might also have the option of clicking on a button to say, "remember this as a known domain name"; from that point on it would also show a star.

    Another thought was that "you'd have to be careful as to what you count as hits to prevent sites from tricking the user into a couple of hits to their website, or some javascript to loop pages". I'm thinking of sites being automatically added only after a user has visited them on 10 separate days.

    It does not solve all issues but it makes it a damn sight easier to pick out when you are on a fake version of one of your favourite sites, which is the main issue as far as I can tell. Also, it requires little user effort (worst case, you do the one time action of bookmarking the sites you are worried might be spoofed).

    Finally an extra advantage of this method is that it helps prevent other types of spoofing, for example when fraudsters substitute ASCII characters (e.g. '0' for 'o').

    Anyway if you think it is a good idea feel free to spread it around as a suggestion to anyone who you think might be influential in development of any of the popular browsers. Or anyone good at writing plugins!

    1. Re:A potential fix for any form of Spoofing by Anonymous Coward · · Score: 0

      As far as the Unicode spoofing, how about making the address bar highlight an address that contains anything from the extended character set to indicate, for instance, that that "a" in "paypal" isn't really an "a". This would alert the user something was amiss, just as the yellow highlight for secured sites makes it obvious that your transmitted data is expected to be properly encrypted. A third highlight color would also be needed then for sites that are secure AND contain the potentially misused characters. Although this wouldn't prevent spoofing, it would make it much more apparent that it was happening.

  92. Re:Mozilla is an American project by Anonymous Coward · · Score: 0

    Agreed. And the best way for that to happen is stopping most of the evil in America's foreign policy.

  93. so if its off what happens exactly? by AviLazar · · Score: 0, Redundant

    If I want to visit a website in the UK (that has a .uk domain) and this feature is turned off, will FF not go there?

    --

    I mod down so you can mod up. You're welcome.
    1. Re:so if its off what happens exactly? by Anonymous Coward · · Score: 0

      see the older posts, internationalized names are blocked not international names

    2. Re:so if its off what happens exactly? by AviLazar · · Score: 1

      Instead of being modded redundant, could I get an answer... freaking idiot mod.

      --

      I mod down so you can mod up. You're welcome.
  94. As if! by Anonymous Coward · · Score: 1, Informative

    Anti-slash is in no way responsible for this glorious event. In addition to your web site being down for weeks, your organization has been totally ineffective and irrelevant, and I'd be surprised if there were more than one or two of you who actually were active in Anti-slash.

    I realize that you *tried* to expose editor injustices, but your months-old, hastily written, totally incomplete little list of Michael's offenses, along with whatever goatse'ing or other juvenile shit you might have done, was of no use. Instead, it was my repeated assault of detailed, informative anti-michael first-posts that likely made the difference.

  95. Not serious, just niggling by SeanDuggan · · Score: 1
    Honestly, no, it's not a serious issue. *wry grin* And I guess I shouldn't have been so quick to comment on something which seemed related, given how far my rating seems to have declined here. {shakes head in amusement} Anyhow, it's not serious, but I'd wager that many companies would prefer to be able to express their name without having to mush all the letters together. To me, at least reading a URL off of a sheet of paper, all those letters bunched together makes it hard to read. With hyphens, people can delineate it and a few companies actually are bright enough to use mixed case, but otherwise, it makes the address harder to read and more apt to get little spelling errors that instead send one to any number of cybersquatter pages.

    In response to the comments about delineation of URLs, you do have a point. While I think it would be possible to create a decent way to parse out whether something's a URL, it would require a bit of effort and older software would have trouble.

    I could probably post this anonymously and cowardly, but I'll keep my name on it. *shrug* What use is only expressing your opinion when you think it's safe to do so?

    --
    This sig has absolutely no significance and serves only to take up screen space and waste the time of the reader.
    1. Re:Not serious, just niggling by Anonymous Coward · · Score: 0

      how far my rating seems to have declined here. {shakes head

      I just meta-modded the GP's "Offtopic" as unfair, if that's any consolation ;) But I think you're just plain wrong about spaces.

  96. Oops -- I forgot to mention ... by Anonymous Coward · · Score: 0

    I forgot to mention that falling for such a ridiculous, idiotic troll further illustrates how inept anti-slash has become.

  97. Re:Mozilla is an American project by Anonymous Coward · · Score: 0

    Hell, I'll settle for articles that are spell-checked and fact-checked. It's related, you know ... nothing brings in the trolls like lack of professionalism.

  98. Known broken? by Trejkaz · · Score: 2, Insightful

    It isn't IDN that's broken, it's users who don't read carefully before clicking a button.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
    1. Re:Known broken? by Anonymous Coward · · Score: 2, Insightful

      Or is it ``the fault of domain name registries and registrars that let people register homographic variants of existing domain names''?
      (from mozillazine)

    2. Re:Known broken? by lost_packet · · Score: 1

      It isn't IDN that's broken, it's users who don't read carefully before clicking a button.

      oh the irony

      --

      BLOCK STRUCTURE breathing apparatus required for special maneuvers!!

    3. Re:Known broken? by Anonymous Coward · · Score: 0

      Not really. You must be American. I hear they don't know what irony is over there.

    4. Re:Known broken? by LittleBigLui · · Score: 1
      It isn't IDN that's broken, it's users who don't read carefully before clicking a button.


      And careful reading helps you distinguish between CYRILLIC SMALL LETTER A and LATIN SMALL LETTER A how exactly?
      --
      Free as in mason.
    5. Re:Known broken? by Breakfast+Pants · · Score: 1

      Are you kidding me?!?!111 It is insane that the mozilla prople took out support for the other nations besaides ohs sya AMERICRA in thiery new nightly buildf. This is absord. AMERICRANS can just past into a unidcoe textf editor and just savet that file and then reopen it in a HEX EDITROR (EVERY HEARD OF ONE OF THOSE AMERICRA!?) and t hen see the diffrenrence. Why slow down the rest of the worrld's adotpion of a NONAMERICRAN format just so AMERICRA can keep it's own format!/? Get a HEX EDITRAR. Is it aso hard to do that you have to screw teh whole world over for a WHIM?1/

      (sarcasm.. a shame I have to spoil this post with this parenthetical thanks to MODERATRORS.)

      --
      WHO ATE MY BREAKFAST PANTS?
    6. Re:Known broken? by Trejkaz · · Score: 1

      I thought that stringprep was supposed to resolve these problems. Is it not?

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    7. Re:Known broken? by ComaVN · · Score: 1

      of course, everyone should be able to distinguish between a cyrillic "a" and a latin "a".

      Hint: in some fonts, the glyph is exactly the same

      --
      Be wary of any facts that confirm your opinion.
    8. Re:Known broken? by Trejkaz · · Score: 1

      The whole point behind stringprep (of which domainprep, which is supposed to be applied to all domain names, is a profile), is that two characters which look identical would be resolved to the same character. So the user shouldn't have such problems.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    9. Re:Known broken? by LittleBigLui · · Score: 2, Interesting
      Well, RFC 3454 mentions this kind of attack briefly:


      The Unicode and ISO/IEC 10646 repertoires have many characters that
      look similar. In many cases, users of security protocols might do
      visual matching, such as when comparing the names of trusted third
      parties. Because it is impossible to map similar-looking characters
      without a great deal of context such as knowing the fonts used,
      stringprep does nothing to map similar-looking characters together
      nor to prohibit some characters because they look like others. User
      applications can help disambiguate some similar-looking characters by
      showing the user when a string changes between scripts.


      So no, that doesn't resolve it, but it recommends a (general) way to deal with it.

      Obviously, Mozilla should have followed that recommendation instead of ignoring it.
      --
      Free as in mason.
    10. Re:Known broken? by mollymoo · · Score: 1
      It isn't IDN that's broken, it's users who don't read carefully before clicking a button.

      The protocols shouldn't need to expose the user to that choice. The problem is that IDN is a bad hack.

      --
      Chernobyl 'not a wildlife haven' - BBC News
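
The check that the RFC 3454 quote above recommends (showing the user where a name changes between scripts), together with the single-script rule proposed in comment 74, as an added example; this is not code from the thread and not Mozilla's code. It is plain Python using only the standard library, and it assumes that the first word of a character's Unicode name ("LATIN", "CYRILLIC", "GREEK", "CJK") is an adequate script tag, which is a simplification of the real Unicode Script property. The sample hostnames are constructed; the Cyrillic letter is written as a \u escape so that it is visible in the source.

```python
import unicodedata

# Characters that belong to no script and may appear in any label
# (assumption: digits and the hyphen are the only such characters needed here).
SCRIPT_NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}

# Constructed samples: the Shmoo-style spoof has U+0430 CYRILLIC SMALL LETTER A
# in place of the first Latin "a" of "paypal".
SPOOFED_HOST = "www.p\u0430ypal.com"
GENUINE_HOST = "www.paypal.com"


def script_of(ch):
    """Approximate the Unicode script of one character from its character name.

    Assumption: the first word of the name ("LATIN", "CYRILLIC", "GREEK", "CJK")
    is a good enough script tag for a homograph check; digits and hyphens are
    reported as COMMON so that a label such as "example-1" is not called mixed.
    """
    word = unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]
    return "COMMON" if word in SCRIPT_NEUTRAL else word


def script_runs(label):
    """Split one label into runs of consecutive characters from the same script.

    Returns e.g. [("LATIN", "p"), ("CYRILLIC", "\u0430"), ("LATIN", "ypal")].
    Each boundary is a point where the string changes between scripts, which is
    what the RFC 3454 text quoted above suggests showing to the user.
    """
    runs = []
    for ch in label:
        script = script_of(ch)
        if runs and (script == "COMMON" or script == runs[-1][0]):
            runs[-1][1] += ch                      # extend the current run
        elif runs and runs[-1][0] == "COMMON":
            runs[-1] = [script, runs[-1][1] + ch]  # leading digits join the first real script
        else:
            runs.append([script, ch])
    return [(s, t) for s, t in runs]


def inspect_hostname(host):
    """Report, per label, the script runs, whether scripts are mixed, and the
    ACE ("xn--") form that is actually sent to DNS (IDNA ToASCII via the
    standard idna codec)."""
    report = []
    for label in host.split("."):
        runs = script_runs(label)
        scripts = {s for s, _ in runs if s != "COMMON"}
        report.append({
            "label": label,
            "runs": runs,
            "mixed": len(scripts) > 1,
            "ace": label.encode("idna").decode("ascii"),
        })
    return report


def is_mixed_script(host):
    """True when any single label mixes scripts. A pure-Cyrillic label next to an
    ASCII TLD is fine (comment 77's Yandex case); a Cyrillic letter inside a
    Latin word is not."""
    return any(entry["mixed"] for entry in inspect_hostname(host))


def ace_form(host):
    """The whole hostname in the ASCII form a resolver sees."""
    return ".".join(entry["ace"] for entry in inspect_hostname(host))


if __name__ == "__main__":
    for host in (GENUINE_HOST, SPOOFED_HOST, "\u044f\u043d\u0434\u0435\u043a\u0441.ru"):
        for entry in inspect_hostname(host):
            print(entry["label"], entry["mixed"], entry["runs"], entry["ace"])
        print(host, "->", ace_form(host), "mixed:", is_mixed_script(host))
```

Per-label granularity is deliberate: flagging the whole hostname whenever any two labels differ in script would also flag every legitimate Cyrillic or CJK name under an ASCII TLD, while a script change inside one label is exactly the pattern the Shmoo demonstration relies on. The ACE form is what the reply to comment 112 proposes displaying; for the spoof it comes out as www.xn--pypal-4ve.com, which looks nothing like the real site.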
  99. Re:How about selective INT Domain Filtering? by Anonymous Coward · · Score: 0

    > In what way? To my knowledge, there is only one way to encode the latin letters in UTF-8. They don't have any redundant code positions in Unicode, do they?

    They have many, but they're not redundant, they're the same letterform in different alphabets. There are several homographs for the letter "A" alone, and we're not talking almost, we're talking looking exactly the same. I believe the shmoo example uses a homograph for a lowercase "p".

  100. next step by krokodil · · Score: 1

    Why bother with these savages speaking funny languages! Next step is disable support for any non-ASCII characters in browser.

  101. Unicode domain name != "international" domain name by Anonymous Coward · · Score: 0

    When even the Slashdot headline writers don't understand the difference between a Unicode (internationalized) domain name and an international domain name, how can we expect ordinary users to make sense of this?

  102. Actually, put a codepage icon, Is better. by AKosygin · · Score: 1

    Actually, it would help the users of other languages if the language abbreviation of the codepage used was displayed.

    For example, if someone uses the Russian language to render www.paypal.com, not only should the color change (if the user wants it), but it should display an icon to the left of the site's icon with the letters RU. So, if the letters US appears to the right of the paypal icon with the address http://www.paypal.com/ then you would know it is the right place. But if you see RU with the paypal icon and http://www.paypal.com/ then you know you are in the wrong place.

    This would allow it so that if you DO want to go to another language version, the codepage icon with the letters will help you identify that you are going to the correct language version of the URL. This also helps complement against color spoofing if you do want to use the color method. Some people are color-blind.

    1. Re:Actually, put a codepage icon, Is better. by aussie_a · · Score: 1

      That's a great idea. Also if you often visit www.blahblah.ru and someone does www.blahblah--[JAPANESE CHARACTER].ru you'll see [JP] instead of [RU] and you know it won't be the correct site.

  103. Titles around the web by theendlessnow · · Score: 1
    Appropriate article titles for various web sites:

    1. MSN: Mozilla Nukes Critical Feature in a Failed Attempt to be as Secure as IE
    2. CNBC: Mozilla Ends Dispute. Stops Selling Strawberries.
    3. moznews.org: Mozilla Changes Default to Not Handle International Domains
    4. slashdot.org: Mozilla Drops Support for International Domains
  104. suggestion: by Anonymous Coward · · Score: 0

    When Firefox is connected to an encrypted site, the URL bar is highlighted yellow.

    Perhaps characters or URLs that contain Unicode characters could be highlighted red? Or blue, or whatever.

  105. Re:Mozilla is an American project by huge+colin · · Score: 1

    I'll assume that was a joke.

  106. Unlike Slashdot, Netcraft summarises it accurately by frizzbit · · Score: 1

    "Firefox to Disable IDN Support as Phishing Defense"

  107. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  108. This is two entirely different problems by i · · Score: 1

    One is the problem of spoofing browser users. And this could be done as easily as someone else pointed out: using "www.payqal.com" instead of "www.paypal.com". Etc.

    The other is connected to the fact that two different characters in different languages' character sets use the same glyph. (A glyph is the visual form of a character.) And this is not necessarily a problem isolated to internet usage. (Although it's more difficult to use it for deceitful purposes outside of the internet.)

    The solution of the former is some combination of browser standards that make it clear for all but the most dumb users where they are going and some international regulations that e.g. protect sensitive sites like banking (paypal.com) from being used by/connected to/directed to other sites (like paqpal.com).

    The solution of the latter is probably an international standardization of the characters' glyphs. That is: a specific glyph should be clearly distinguished from other glyphs and be represented by only one character.
    (The eventual problem with sort orders etc. should be solved depending on the actual usage/situation.)

    --
    Mundus Vult Decipi
  109. Better Solution. by mewphobia · · Score: 1
    1) Amend the IDN spec to require that valid IDN urls use the lowest-numbered codepoints that match that glyph.
    2) Have browsers use a table that identifies all the characters that share a glyph. Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

    What about glyphs that are nearly the same (as in one or two pixels out)? I think a better solution is to highlight the address red (with a clickable warning icon next to it - similar to how firefox handles ssl) if there are characters that aren't in the current locale.

  110. Re:OUtstanding! Smart defaults by McDutchie · · Score: 1
    Solve the problem, not pull the plug!

    When the plug is the problem, there is not a lot of choice but to either pull it or live with it. You can't have internationalized domain names without some different characters (e.g. the Latin and Cyrillic lowercase "a") looking identical.

  111. heh... by interactive_civilian · · Score: 1
    OT, but I have always wanted to get a domain there. I imagine they are pretty strict about who can register .co.ck domains, as the obvious ones still seem to be open.

    I personally would like to have "my.co.ck" which leads to wonderful sub-domains like "lick.my.co.ck", "suck.my.co.ck", "look-at.my.co.ck", "do-you-like.my.co.ck" etc.

    Of course, then whoever gets "your.co.ck" can set up quite a nice rivalry.

    Surprisingly, "hard", and "stiff" are still open, so I guess the Cook Islands don't have any companies on the net selling viagra. "large", "small", "big", "little" etc are also still open, which means the p3ni5 3nl4rg3m3n7 companies haven't gotten there yet either...

    Just out of serious, off-topic curiosity, does anyone know what kind of guidelines need to be followed to get a .co.ck domain?

    ;p

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
    1. Re:heh... by ma++i+ude · · Score: 1
      Just out of serious, off-topic curiosity, does anyone know what kind of guidelines need to be followed to get a .co.ck domain?

      These people do.

      "Companies must register their corporate name or trading name, or some form of abbreviation. For example, Telecom Cook Islands Ltd. has registered "telecom.co.ck" as their domain name."

      "The Domain Name Registration maintenance fee for organisations or individuals who do not reside in the Cook Islands is US$150.00 for 2 years registration."

      --
      You can't shut us down! The Internet is about the free exchange and sale of other people's ideas!
  112. Solution! by Alsee · · Score: 2, Funny

    The solution to this whole mess is so simple! Just use numeric addresses!

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    1. Re:Solution! by Anonymous Coward · · Score: 0

      You say that, but why not display the ascii version of the address (you know, the one that actually gets sent to the DNS) somewhere?

      www.-payal--d5t5.com

      is not very subtle.

      (I made up the specifics, but that *is* how IDNs look)

  113. Re:Mozilla is an American project by Anonymous Coward · · Score: 0

    Ummm...
    I assumed it wasn't.

    (New Zealander, and I don't feel like getting flamed by half of the American slashdotters)

  114. hmm maybe warn about them? by Phil246 · · Score: 1

    Perhaps change the colour of the bar it's in, like it does for https, to red or something?
    Or you could put the relevant characters in red and bold with a caution icon next to the URL?
    There's no way of making it foolproof that I can see, only to make it harder to do convincingly.

  115. network.dns.ipv4OnlyDomains = .doubleclick.net by Proud_to_be_Pinoy · · Score: 1

    So I went and changed the enableIDN entry to false. Then I saw the "network.dns.ipv4OnlyDomains = .doubleclick.net" entry. Does this mean that I'm actually using doubleclick's DNS servers instead of my own, thus letting doubleclick know where I go every time I use Firefox? I thought Firefox was a "good" thing...

    --
    no sig = no personality(?)
    1. Re:network.dns.ipv4OnlyDomains = .doubleclick.net by EMR · · Score: 1

      Some Google searching yields a link to this bug:
      https://bugzilla.mozilla.org/show_bug.cgi?id=68796#c83

      Basically this setting lists domains for which an IPv6 address should NOT be looked up on systems with IPv6.

  116. Re:Mozilla is an American project by LadyLucky · · Score: 3, Informative

    American? Hmm. Lead Developer was in my class in Auckland, New Zealand.

    --
    dominionrd.blogspot.com - Restaurants on
  117. Damn and I was planning to learn Chinese with IDN. by headLITE · · Score: 1

    Anyone know what (Chinese deleted, won't show up - please see http://notabilis.org/arti/Technology_and_its_Merits.html) means? I mean other than the meaning of its punycode representation?

  118. wait a minute by shadow_slicer · · Score: 1

    I don't know anything about the Adblock Firefox extension, but if it blocks all domains whose name matches the filter (containing any ascii characters between 0x20 and 0xFF) it would be a BAD idea.
    Especially since the ascii characters for normal addresses don't start until 0x41 or so.
    This looks like it would block access to ANY websites.

    But then again I could be wrong...

    1. Re:wait a minute by The+Wicked+Priest · · Score: 1

      Yes, I think you have it backwards -- i.e., it blocks characters outside that range: those below x20 (control characters), and those above xFF (Unicode characters above the 8-bit range). That last is counterintuitive for those of us who usually think of characters as being only 8-bit.

      --
      Share and Enjoy: 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  119. del.icio.us by Free_Trial_Thinking · · Score: 1

    Does this mean del.icio.us won't work, or is US not considered international?

  120. The foolproof fix by Laaserboy · · Score: 1

    (1) In Win2K, shut down Firefox.

    (2) Open \Documents and Settings\YOURUSERNAME\Application Data\Mozilla\Firefox\Profiles\default.XXX\compreg.dat in your favorite ASCII editor.

    (3) Search for 'idn' in Notepad/Wordpad. Comment out with a '#' the line that says
    "{NUMBERSLETTERSDASHES},@mozilla.org/network/idn-service;1 ..." to become
    "#{NUMBERSLETTERSDASHES}, ..."

    (4) Don't worry. Browse happy.

  121. Re:It's like curing calluses by chopping the legs by ockegheim · · Score: 2, Informative

    I've been a long-time web user, can speak French and German, have done a lot of trawling German sites for information, yet had no idea that anything other than ASCII was available for URLs. I think it's a good solution for most English speakers, especially monolingual English speakers until something better can be worked out.

    --
    I’m old enough to remember 16K of memory being described as “whopping”
  122. Would "whitelisting" be a possible solution. by Flower · · Score: 1

    At least for domains that the user is paranoid about. I could hash "paypal.com" and store it. Then whenever there is a link that has a valid domain of paypal.com the browser would give some indication that the link is good. Say cursor changes to a thumbs-up icon or something equally silly. You could have a corresponding blacklist too.

    I know that this isn't necessarily trivial to accomplish due to redirects and the like but it might be worthwhile considering.

    --
    I don't want knowledge. I want certainty. - Law, David Bowie
  123. Non-version change? by humankind · · Score: 1

    This doesn't seem to be the first time that there is no version number change for Firefox, yet there appear to be different versions with differences, identified as v1.0. What gives? Is there a way of upgrading? Or do you just re-install the latest (same) version?

  124. arrgh by TheKarateMaster · · Score: 1

    I thought Ffox was supposed to fight _AGAINST_ proprietarization. Seriously, if someone is smart enough to get Ffox, they are smart enough to see that they are viewing a page on an international TLD. But then again, they are probably smart enough to disable this *feature* as well. Hmm...

  125. Re:It's like curing calluses by chopping the legs by telstar · · Score: 1

    "yet had no idea that anything other than ASCII was available for URLs."
    • What? You mean you're not rattling off URLs on your Kanji keyboard all willy-nilly?

  126. I can't let you do that Qal by Anonymous Coward · · Score: 0

    I can't let you do that Qal

  127. Re:Those dirty foreigners by Anonymous Coward · · Score: 0

    Sucks that you can't add an anonymous coward to your 'friend' list...
    Bravo!

  128. Re:Those dirty foreigners by Anonymous Coward · · Score: 0

    You know, what with this one and my other gag catching so many mod points, I almost wish I hadn't been a chicken-shit AC today.

  129. Solution - modify the current Safari workaround by funtime · · Score: 1, Interesting

    At the moment, Safari deals with this problem using a plug-in that pops up a warning if your address contains mixed character sets. This is fine for those who only use Latin alphabets, but would be a pain if you were accessing sites named like ??.com (where ? is a Chinese character).

    Maybe the plugin could be modified to send up an alert only if individual words (separated by full-stops) were comprised of mixed character sets. This way, most world addresses could be used normally, and the range of spoofable addresses reduced considerably; that is, paypal.com couldn't be spoofed, but ABC.com could (with Cyrillic ABC).

  130. Possible fix.... by Kjella · · Score: 1

    ...shouldn't domain names usually contain names from ONE character set, meaning one "set" from unicode?

    I mean, say japanese have a letter that looks quite similar to l. Now a japanese company %#%l.com (to us) wouldn't be a problem. And an ASCII version like toshiba.com shouldn't be a problem. The problem only exists if you can mix and match freely from any number of subsets.

    There are a few cases that this wouldn't fix 100%, like paypäl.com... but there'd be no subset with two identical letters, wouldn't make any sense. So you would have most of the protection intact, and the few latin-1 cases like ö ä ñ è etc. would be "known" quite quickly.

    Kjella

    --
    Live today, because you never know what tomorrow brings
  131. Doesn't this mean the MS Search engine is broken? by cheros · · Score: 1

    I know this may look like a strange jump, bear with me ;-)

    (1) the IDN "bug" isn't actually a bug - it's an abuse of multilingual facilities although I'd have to ask why a new character ID should be used for something that looks identical to something in English. But I digress.

    (2) that IE isn't sensitive to the problem is because it's behind in standards compliance. Not an unusual situation for MS when it comes to standards that aren't theirs; it just sits lower on their priority list. Now pay attention, because this is where it gets interesting.

    (3) given that support for IDN at MS is still in its infancy, doesn't that imply that Windows code in general is a bit ignorant about the non-English world "out there"? Or, read in a different way, that MS code is actually incapable of rendering some international URLs correctly?

    In summary - if MS can't really handle other languages, it implies their search engine is unlikely to act differently - it implies the search engine wouldn't even be able to handle or present URLs in other character sets, and presto, that part of the world doesn't exist according to MS.

    Just an idea - tell me where I've gone wrong ;-).

    = Ch =

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
  132. Dropping and Disabling policy by Elixon · · Score: 1

    I really do not like Mozilla's policy to disable whatever they can disable... I'm a web developer and sometimes I regret that I have chosen the Gecko technology for our project. Instead of solving security issues, Mozilla disables things like int. domain name support or drag and drop for remote applications, or you cannot even refresh or reload your own remote RDF resources because you do not have rights... Today I found that I do not have the right to read properties on JavaScript textbox elements in events under certain circumstances... It is clear how they get the "high security level" they repeat over and over in the media: there is no security risk where there are no features to secure. Is it risky? Disable it! Are you unsure about a potential risk? Disable it to be sure!

    On the other hand, every day I try to say to myself - do not give up - there is always some workaround and the technology is really great! And believe me - it IS GREAT. But Mozilla seems to be too young... I'm really glad that things are moving so fast...

    elixon

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
  133. The "solution" is broken by archeopterix · · Score: 1

    Let me summarize:

    1. Mixed scripts can be legit.
    2. Therefore, turning IDL/mixed scripts off completely is bad.
    3. So, let's just show an icon indicating a mixed script/IDL use/whatever.

    Point 1. gives a clue why the "solution" won't work. It won't prevent spoofing a legit domain name that is mix-scripted. The user would have to notice that the accent over 'e' is tilted the wrong way or something equally hard to spot.

    This "solution" actually makes matters worse by giving false sense of security, just like any half-baked security measure.
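    As an added illustration of the per-label mixed-script check proposed in comments 129 and 130, contrasted with the whole-hostname check comment 129 attributes to the Safari plug-in and with the same-script confusable that comment 133 says neither catches (this is example code written for this page, not anything from Mozilla or the thread; the script ranges are a constructed simplification of the Unicode script property):

```python
# Simplified script blocks (constructed for this example; real code should
# use the Unicode Scripts.txt property data instead of hand-picked ranges).
SCRIPT_RANGES = {
    "Latin": ((0x0041, 0x005A), (0x0061, 0x007A), (0x00C0, 0x024F)),
    "Greek": ((0x0370, 0x03FF),),
    "Cyrillic": ((0x0400, 0x04FF),),
    "Hiragana": ((0x3040, 0x309F),),
    "Katakana": ((0x30A0, 0x30FF),),
    "Han": ((0x4E00, 0x9FFF),),
}


def script_of(ch):
    """Script name of one character; digits, hyphens and other non-letters
    are 'Common' and never count toward mixing."""
    if not ch.isalpha():
        return "Common"
    cp = ord(ch)
    for name, ranges in SCRIPT_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    return "Unknown"


def decode_label(label):
    """Turn an ACE label (xn--...) back into its Unicode form, so the check
    sees the characters the user sees rather than the punycode."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(text):
    return sorted({s for s in map(script_of, text) if s != "Common"})


def mixed_script_labels(hostname):
    """Per-label check (comments 129/130): list each label whose letters come
    from more than one script. A pure-CJK label under an ASCII TLD passes."""
    flagged = []
    for label in hostname.split("."):
        label = decode_label(label)
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flagged.append((label, scripts))
    return flagged


def mixed_script_hostname(hostname):
    """Whole-hostname check (the Safari behaviour in comment 129): true when
    the hostname as a whole mixes scripts, so CJK-label.jp is flagged too."""
    decoded = ".".join(decode_label(l) for l in hostname.split("."))
    return len(scripts_in(decoded)) > 1
```

    Note that a label such as paypäl.com is Latin-only and passes both checks, which is exactly the gap comment 133 points out.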

  134. Oh, *those* IDNs. by jonadab · · Score: 1

    Everybody knew those were fundamentally a bad idea in the first place.

    I read "international domain names" and was thinking of anything in the
    two-character-tld space (.us, .uk, and so forth), but this is talking about
    *unicode* domain names, which is a whole nother animal.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  135. Re:Who uses Firefox/Mozilla anyways? by a11 · · Score: 1

    flamebait? what fucking retard modded that? that's a statistic. an actual one. and that guy is a dumb piece of shit. that's a fact. whoever modded this, do you know what flamebait means? you dumb fat ugly loser fuck. bite me.