Slashdot Mirror


Mozilla Drops Support for International Domains

tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

5 of 365 comments (clear)

  1. network.enableIDN by athakur999 · · Score: 5, Interesting
    The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration


    Isn't this the "fix" that everyone found stopped working after you restarted the browser?

    --
    "People that quote themselves in their signatures bother me" - athakur999
  2. Simple answer... by andreMA · · Score: 3, Interesting

    Wouldn't rendering the characters in question as black-on-red in the status and location bar be a more effective solution? Or the entire background changes to red to warn the user that the characters they can read aren't the "actual" characters in the domain name?

  3. OUtstanding! Smart defaults by redelm · · Score: 4, Interesting
    I have always maintained that one of the keys to powerful software is carefully chosen defaults. Otherwise, there simply is too much for the user to learn before they see the value in learning it.

    Perhaps some of the international versions of Mozilla will have Int'l name _enabled_ by default. A quick peek at $CHARSET would do.

  4. Re:Honest question by Anonymous Coward · · Score: 4, Interesting

    Yes, There are plenty, especially in Sweden and northern Europe. Take for example vävtak.se.

    Anyway. I think this solution is truly bad. IDN is a fundamental change we need to the internet. Not only to incorporate local languages on to the Internet, but also to increase the number of available choices.

    Disabling IDN is really bad. Instead, as suggested by someone else here, the registrars should prevent/ban addresses that will look the same on screen as existing ones.

    In fact, couldn't Mozilla instead do a simple test and see if the domain name exists without the hidden characters. If it does then it should warn the user about it.

  5. Make IDNs more obvious by Mr.+Sketch · · Score: 3, Interesting

    Why don't they just make it obvious you're visiting an IDN? Similar to how they handle SSL sites, the location bar background turns yellow. Maybe for IDNs, they can make it red and flashing or something similar, so it's obvious to the user that something may be wrong. Maybe they could check and see if there is an equivalent looking domain name in english and then making it red and flashing to let the user know that it may not be the site they think they're visiting.

    There just seems to be other ways to handle it, since it really is more of a 'user beware' issue.