Mozilla Drops Support for International Domains
tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."
There's a difference between "drops support" and "sets that option to 'off' by default", you know.
You can't take the sky from me...
No they didn't. They temporarily changed the default. Support for it certainly is still there.
It is good that after all the media news about Firefox actually having a security issue that the team moved to correct it, even if very short term. Unfortunately I don't think this will get as much media coverage as the previous stories on it, but it is a step in the right direction. So, at least we don't have to wait for a fix, they will disable the issue, fix it, then re-enable it. Sounds like good software development to me.
Doesn't Slashdot have editors that are supposed to analyze and edit user postings? "Dropping" and "disabling" mean two different actions. I got confused for a second or two. Lately, Slashdot quality has been going down the tubes.
Pretend for a moment that you live in Japan, or Russia, and you actually use websites that use these IDN characters.
Well, you wouldn't trust a site that doesn't present a valid certificate. The problem is that obtaining such is too expensive for many.
We need a reliable way for a domain owner to get a certificate issued for that domain. This is mostly a bureaucratic problem, which could be solved, people willing.
Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
Nope. Did exactly that. about:config, clear cache, restart Firefox, test at Secunia - wham. The spoof still works.
The Adblock method of stopping this (mentioned earlier) is a nice workaround. Adblock has become quite a useful tool.
Neurowiz
It's like curing calluses by chopping the legs off. It's about time that someone with a brain came in and fixed this phishing problem once and forever. Disabling international domains is not a solution. Remember, majority of the population of this planet doesn't speak English. Why should they NOT use their native alphabet?
This is not a solution, it's a workaround. A solution would be something that allowed to use IDN sites without risk of phishing.
This will block any URL that uses characters outside the normal ASCII range.
So why was IDN created at all?
Singularity: a belief in the "God" idea with the "demiurge" relation inverted.
Think about it: the aim of the IDN is so that the native readers of a non-ASCII language can use domains which make sense to them. If ASCII doesn't make sense, then what about the ".com"?
This whole IDN thing was designed improperly. I can't imagine why the designers didn't bother to take a look at the myriad character sets floating around out there. Just a cursory glance at the Unicode book would have given them second thoughts.
Pretend, also, that you occasionally use paypal.com. Wouldn't you like to see that the background changes from the familiar red to a soothing white for the real paypal link?
Making the colors configurable (maybe via two simple options: "I regularly use IDN." and "I don't usually use IDN.") would take away most of the remaining objections.
"Simple and obvious" does not mean "wrong".
See what I've been reading.
By your logic, Microsoft Word only supports Times New Roman and Windows XP only supports a screen resolution of 800x600.
Please die.
I dunno... when your entire security is dependent on the user being able to notice slight pixel changes on the screen, something seems a little broken...
> Looks like nobody listened to him though.
... well, everyone but DJB, he doesn't exactly make people want to listen to him. Given his manner and his licenses, the conclusion of even cold rational business-oriented security folks is that if they borrow djb's ideas elsewhere, he'll turn around and sue them for IP violations simply out of spite.
To the defense of
At any rate, his proposal for IDNC3 simply seems to be "just switch to UTF8, let everything break, and when it goes live, disallow any characters that are 'risky'". This is what we in the industry call a handwave. I'm not a fan of punycode either, but it addresses a problem that raw UTF8 precisely doesn't. There's simply nothing to his proposal at all.
I am no longer wasting my time with slashdot
Or they could just use the Unicode facilities for doing just that, as described in the Unicode Standard Annex #15 - Unicode Normalization Forms... I think it's a good question why the IDN committee didn't do that in the first place. Or why registries allows registrations for domains that are approximately equal to already existing ones.
-- Free speech is only free if your time is worth nothing.
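The normalization-plus-script check that this comment points at, written out as an added example (not code from the page, from Mozilla, or from the Unicode Consortium). It uses only Python's standard library: the `idna` codec to decode punycode labels and `unicodedata` for NFKC (UAX #15) and character names. The host names are constructed samples; `xn--pypal-4ve.com` is the punycode form of "paypal" spelled with a Cyrillic а (U+0430), and the third sample spells "paypal" in fullwidth letters. The example also shows why NFKC alone is not enough: normalization folds fullwidth letters back to ASCII, so a registry comparing normalized names would see that collision, but it never maps a Cyrillic letter to a Latin one, so a per-label mixed-script check is needed on top.

```python
import unicodedata

# Constructed sample host names (not taken from the article).
SAMPLE_HOSTS = [
    "paypal.com",                  # plain ASCII, nothing to do
    "xn--pypal-4ve.com",           # punycode for "paypal" with Cyrillic a (U+0430)
    "\uff50\uff41\uff59\uff50\uff41\uff4c.com",  # fullwidth "paypal"
]


def to_unicode(host):
    """Decode any xn-- (punycode) labels to their Unicode form.

    Python's idna codec leaves plain ASCII labels unchanged and decodes
    xn-- labels; a name that is already Unicode is returned as-is."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def scripts_of(label):
    """Return the set of writing systems used by the letters of one label.

    The first word of the Unicode character name ("LATIN", "CYRILLIC",
    "GREEK", ...) is used as a coarse script tag. Digits and the hyphen
    are allowed in every script and are ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        name = unicodedata.name(ch, "UNKNOWN")
        scripts.add(name.split()[0])
    return scripts


def assess(host):
    """Classify a host name.

    Returns (decoded, normalized, verdicts) where verdicts is a list of:
      'ascii'        - nothing but ASCII after decoding, safe to show as-is
      'normalized'   - NFKC changed the string (e.g. fullwidth -> ASCII),
                       so a registry comparing normalized names would see a
                       collision with the plain spelling
      'mixed-script' - one label mixes scripts, the shape of the spoof
    """
    decoded = to_unicode(host)
    normalized = unicodedata.normalize("NFKC", decoded)
    verdicts = []
    if normalized != decoded:
        verdicts.append("normalized")
    for label in normalized.split("."):
        if len(scripts_of(label)) > 1:
            verdicts.append("mixed-script")
            break
    if not verdicts and normalized.isascii():
        verdicts.append("ascii")
    return decoded, normalized, verdicts


def display_form(host):
    """What a browser address bar should show: the Unicode form only when
    the name is clean, otherwise the punycode (xn--) form so that the
    lookalike is visible. This is a policy choice, not Mozilla's code."""
    decoded, normalized, verdicts = assess(host)
    if verdicts == ["ascii"]:
        return normalized
    return normalized.encode("idna").decode("ascii")


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        decoded, normalized, verdicts = assess(host)
        print(f"{host!r}: decoded={decoded!r} nfkc={normalized!r} "
              f"verdicts={verdicts} show={display_form(host)!r}")
```

Run it and the fullwidth sample is reported as `normalized` (its NFKC form is exactly `paypal.com`), while the Cyrillic sample survives NFKC untouched and is caught only by the `mixed-script` check, which is the gap in a normalization-only registry policy.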
It isn't IDN that's broken, it's users who don't read carefully before clicking a button.
Karma: It's all a bunch of tree-huggin' hippy crap!
No, that's an awful 'solution'. What about a domain name like http://www.māori.co.nz/? I bet that doesn't even render correctly for you since you probably disabled international fonts too. Your stupid solution prevents people from accessing that site.
Or are countries supposed to not allow domain names to use characters from their language now? Chinese who don't speak a word of English are expected to guess an English version for local domains? I bet they'd like it as much as you'd like a new standard that only Chinese characters are allowed in domain names since they are unambiguous.
Disabling international domain names is barely acceptable for a workaround. It sure isn't any sort of solution to the problem.
An ever better solution would be for fonts to appear in different COLORS.
Ahem, *cough* colour blind *cough*
horseshit. vävtak.com should take me to the same place as vavtek.com
/AC
NO! Why should it? ä is not the same letter as a (at least not in Swedish and other north European countries)
a != ä != å
o != ö
I'm glad people understand sarcasm.
There just isn't any fix of this sort that actually works.
The official position of the people behind IDN (mostly domain registrars, speculators etc. but also a few genuinely well meaning people who thought they were doing some in the name of global unity) was that registries would do extensive anti-spoof checking.
Of course actually doing such checks would cost money, which would interfere with profitability, so instead outfits like Verisign said that they "hoped" people wouldn't take advantage of their lax security to steal all your money. So if you happen to be a lawsuit-happy American, set your weasels on Verisign. They're the people who issued the domain used to test this vulnerability, which appears to be "paypal" but is actually a spoof. They've issued dozens, probably hundreds by now of similar fakes, and make a lot of money from each one.
There are only 36 Latin glyphs to learn (including the "arabic" numerals), and you need only be able to distinguish them from one another well enough to remember squiggles for important sites. Adding a further thousand, ten thousand, or hundred thousand confusing squiggles in the name of "improved accessibility" is one of the hilarious mistakes made by people who can't tell the difference between "politically correct" and "totally stupid". None of the serious user error / spoofing / fraud problems were fixed in this standard, because they weren't fixable. Now that this is public knowledge, my guess is that IDN is as good as dead.