Mozilla Drops Support for International Domains
tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."
Isn't this the "fix" that everyone found stopped working after you restarted the browser?
"People that quote themselves in their signatures bother me" - athakur999
Wouldn't rendering the characters in question as black-on-red in the status and location bar be a more effective solution? Or the entire background changes to red to warn the user that the characters they can read aren't the "actual" characters in the domain name?
Perhaps some of the international versions of Mozilla will have Int'l name _enabled_ by default. A quick peek at $CHARSET would do.
International domains are dying, and Netcraft confirms it?
In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
Yes, there are plenty, especially in Sweden and northern Europe. Take for example vävtak.se.
Anyway. I think this solution is truly bad. IDN is a fundamental change we need to the internet. Not only to incorporate local languages on to the Internet, but also to increase the number of available choices.
Disabling IDN is really bad. Instead, as suggested by someone else here, the registrars should prevent/ban addresses that will look the same on screen as existing ones.
In fact, couldn't Mozilla instead do a simple test and see if the domain name exists without the hidden characters? If it does then it should warn the user about it.
Why don't they just make it obvious you're visiting an IDN? Similar to how they handle SSL sites, the location bar background turns yellow. Maybe for IDNs, they can make it red and flashing or something similar, so it's obvious to the user that something may be wrong. Maybe they could check and see if there is an equivalent looking domain name in English and then make it red and flashing to let the user know that it may not be the site they think they're visiting.
There just seems to be other ways to handle it, since it really is more of a 'user beware' issue.
Things you think are in the Constitution, but are not.
When a user browses a bookmarked or frequently visited domain a 'star' (or some other simple symbol) appears at the end of the URL (or next to where the SSL Padlock icon appears in the browser). The user could now easily identify that they are indeed browsing on one of their favoured websites. The browser itself is able to know this because it can grab a list of domains from the user's bookmarks and look in the user's history to see frequently accessed domains, for example sites accessed on more than 10 separate occasions (this figure could be set to something more suitable, it is just an initial guess at a good figure).
If you are a Paypal user for example you are likely to have Paypal bookmarked or at the very least you will probably visit it regularly. If some website or email links to a fake Paypal then when the site loads the star will be missing from the address bar field since it will be the first time you have used this fake site. Hence it is easy for the user to see something is wrong. Hopefully users would get used to the idea that their favourite sites always display a star in the address bar, so this would start to become obvious.
Maybe it would require educating the users about what the star is and why it appears there but this had to be done when the SSL padlock was first added to the browser. I reckon people would pick this up in no time.
I have suggested this on the Opera forums (I'm an Opera user). I may also suggest it on some of the Mozilla forums. Even if Firefox/Mozilla did not make it default perhaps someone could create a plugin (which is currently beyond me).
I have had some criticisms of the idea. For example someone pointed out that the first time you visit a new safe website no star would be present. Also, not all people use bookmarks extensively. My response has generally been along these lines:
When you first visit a site you don't know if you can trust the site anyway. I'm usually cautious of new sites the first few times. I am that little bit more nervous about giving them personal data or credit card information hence I check the site out more carefully. I bet most people are the same. Furthermore after you have come back and used that site a few times and hence presumably are happy with it, it would move to one of your most frequently visited sites (or you might even bookmark it). After this point a star would display.
Regarding bookmarks, it is true that many people don't use bookmarks and in the age of Google you might even say why bother, but many people do, and if people knew that by bookmarking a site they could later verify it was the same site they had been to previously they may be willing to start bookmarking again, even if only for financial sites. Instead of bookmarking (or even in addition to bookmarking) you might also have the option of clicking on a button to say, "remember this as a known domain name"; from that point on it would also show a star.
Another thought was that "you'd have to be careful as to what you count as hits to prevent sites from tricking the user into a couple of hits to their website, or some javascript to loop pages". I'm thinking of sites being automatically added only after a user has visited them on 10 separate days.
It does not solve all issues but it makes it a damn sight easier to pick out when you are on a fake version of one of your favourite sites, which is the main issue as far as I can tell. Also, it requires little user effort (worst case, you do the one time action of bookmarking the sites you are worried might be spoofed).
Finally an extra advantage of this method is that it helps prevent other types of spoofing, for example when fraudsters substitute ASCII characters (e.g. '0' for 'o').
Anyway if you think it is a good idea feel free to spread it around as a suggestion to anyone who you think might be influential in development of any of the popular browsers. Or anyone good at writing plugins!
Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.
Setting aside other issues, I'd say that is very very VERY bad implementation. If the browser is given an invalid address then the browser should not invisibly guess at rewriting it into a valid address. Better to have invalid addresses trigger immediate errors and be killed off / corrected in the first place. It would be an absolute nightmare to encourage impossible-to-trace-down bugs caused by quasi-valid and conflicting addresses that look identical and inexplicably sometimes go to the right place and sometimes don't. Remember, that address may pass through a chain of 14 different programs from different sources potentially in varying orders. Imagine clicking on a pseudo-valid address in an e-mail going through the e-mail program and through a spam filter and through a proxy and off to a browser and through another proxy then to the local IP stack and then out to the DNS system and back to the local IP stack and through your ISP's proxy and cache and THEN first going out to the website.
At some effectively random point it gets changed into a completely different address. A different address which looks identical to any human attempting to hunt down a bug. It's worse than looking for an invisible needle in a haystack, you haven't even figured out yet that you're looking for a needle much less an invisible needle.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Maybe the plugin could be modified just to send up an alert only if individual words (separated by full-stops) were comprised of mixed character sets. This way, most world addresses could be used normally, and the range of spoofable addresses reduced considerably, that is, paypal.com couldn't be spoofed, but ABC.com could (with Cyrillic ABC).
So no, that doesn't resolve it, but it recommends a (general) way to deal with it.
Obviously, Mozilla should have followed that recommendation instead of ignoring it.
Free as in mason.