Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Drops Support for International Domains

Posted by Zonk on from the that-was-easy dept.

tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Schmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

28 of 365 comments (clear)

  1. Drops? by Anonymous Coward · · Score: 5, Informative

    They've disabled it by default until they come up with a long term solution. That's hardly dropping.

    1. Re:Drops? by bob65 · · Score: 4, Insightful

      No they didn't. They temporarily changed the default. Support for it certainly is still there.

    2. Re:Drops? by GrenDel+Fuego · · Score: 4, Informative

      Actually I think it's funny how people are so quick to defend Mozilla and say it's not dropping anything. The grandparent is right to point out that they are indeed dropping support. It doesn't matter if they're temporarily turning it off. They're turning off support. They are dropping default support in future versions of Firefox.

      I think what we have here is a terminology conflict here.

      Support for computer software can mean "ability to use" (eg. does linux support SCSI hard drives?) or "ability to get help with" (eg. is linux 2.2 still a supported kernel?)

      IDN is still supported in that the functionality still exists on mozilla once it is turned on.

      It is not supported in that it's known broken, and you use it at your own risk if you enable it.

    3. Re:Drops? by Rodness · · Score: 5, Informative

      Now I understand why the Mozilla community consistently blasts Slashdot for "not getting it". Lately it doesn't even seem like the submitters are even bothering to read the articles before they rush to post their mental mucus.

      Mozilla has temporarily disabled internationalized domain name handling until they figure out a long term fix. This is not 'dropping' anything. They're not ripping out the IDN code, they're just trying to protect their users while they figure out a fix, and most of the English-speaking world isn't even going to notice a difference anyway.

  2. Drops? by Scrameustache · · Score: 5, Insightful

    There's a difference between "drops support" and "sets that option to 'off' by default", you know.

    --

    You can't take the sky from me...

  3. That's False by Uruviel · · Score: 5, Informative

    It will be turned of in the 1.0.1 But for 1.1 and further releases they will look for a more cleaner way to fix the spoofing issue. And thus brining back IDN support. Here is a link to the Mozillazine article: http://www.mozillazine.org/talkback.html?article=6 073

    1. Re:That's False by Qzukk · · Score: 5, Informative

      A fix is pretty easy, but requires two parts:
      1) Amend the IDN spec to require that valid IDN urls use the lowest-numbered codepoints that match that glyph.
      2) Have browsers use a table that identifies all the characters that share a glyph. Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

      Of course, this still can't stop people who just refuse to look closely at the URL. The payqal.com domain is taken, who knows what its used for...

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:That's False by interiot · · Score: 4, Insightful

      I dunno... when your entire security is dependent on the user being able to notice slight pixel changes on the screen, something seems a little broken...

  4. network.enableIDN by athakur999 · · Score: 5, Interesting
    The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration


    Isn't this the "fix" that everyone found stopped working after you restarted the browser?

    --
    "People that quote themselves in their signatures bother me" - athakur999
    1. Re:network.enableIDN by mikeophile · · Score: 4, Informative

      Clear your cache in Tools/Options/Privacy and restart Mozilla. Or go here and try this. /thank BoingBoing

  5. NOOOOOO!! by Anonymous Coward · · Score: 5, Funny

    Not .cx!!?!? Don't drop support for .cx!!!

    1. Re:NOOOOOO!! by northcat · · Score: 5, Informative

      No, it's not dropping support for country specific TLDs (did i use the right term?). .cx, .us, .de etc., will all work. It disabled support for Internationalized domain names. Internationalized domain names are domain names with characters from non-english languages. http://www.verisign.com/products-services/naming-a nd-directory-services/naming-services/internationa lized-domain-names/index.html. IE doesn't support this too. It's all in TFA.

  6. Re:Mozilla is an American project by Anonymous Coward · · Score: 5, Funny

    What's this "international" thing people keep talking about?

    It's where you go to fight wars.

  7. OUtstanding! Smart defaults by redelm · · Score: 4, Interesting
    I have always maintained that one of the keys to powerful software is carefully chosen defaults. Otherwise, there simply is too much for the user to learn before they see the value in learning it.

    Perhaps some of the international versions of Mozilla will have Int'l name _enabled_ by default. A quick peek at $CHARSET would do.

  8. Correction by Stiletto · · Score: 5, Informative

    The submitter SHOULD have mentioned that Mozilla has decided to disable internationalIZED domain names, ones made of "funny" unicode characters.

    International domain names like .uk .au, and our favorite, .cx, are of course still supported.

  9. Re:How about selective INT Domain Filtering? by PurpleFloyd · · Score: 5, Informative

    This isn't about turning off domains like .kr. Rather, it's about turning off Unicode support in domain names - currently, in browsers which support IDN, it's possible to send someone to a URL which looks like "https://www.paypal.com" but really has a letter replaced with a non-English Unicode character which looks the same. This deactivation turns off support for Unicode domain names, not national domains.

    --

    That's it. I'm no longer part of Team Sanity.
  10. hmph by miruku · · Score: 5, Informative

    have they not read this?

    --
    MilkMiruku
  11. Re:Fix it now. by el_gordo101 · · Score: 4, Informative

    5) Close all instances of Firefox, restart Firefox
    6) Go check out the shmoo demo again and notice it works again.

    This "fix" only works temporarily. Once you restart the browser, it reverts back to the original behavior.

    --
    TODO: Insert witty sig
  12. Re:Those dirty foreigners by Anonymous Coward · · Score: 4, Funny

    In Soviet Russia, dirty foreigner is you

  13. Re:Honest question by Anonymous Coward · · Score: 4, Interesting

    Yes, There are plenty, especially in Sweden and northern Europe. Take for example vävtak.se.

    Anyway. I think this solution is truly bad. IDN is a fundamental change we need to the internet. Not only to incorporate local languages on to the Internet, but also to increase the number of available choices.

    Disabling IDN is really bad. Instead, as suggested by someone else here, the registrars should prevent/ban addresses that will look the same on screen as existing ones.

    In fact, couldn't Mozilla instead do a simple test and see if the domain name exists without the hidden characters. If it does then it should warn the user about it.

  14. IDNC3 by StarDrifter · · Score: 5, Informative

    D. J. Bernstein (djbdns, qmail, ...) saw this problem coming back in 2002. He proposed an alternative to IDNA called IDNC3 which he claimed wouldn't cause this kind of mess. Looks like nobody listened to him though.

  15. Can you identify an IDN? by jfengel · · Score: 5, Informative

    The problem is that you can't always easily identify an international domain name. In particular, IDNs contain characters that are nearly identical to Latin character set but are treated differently. Slashdot won't let me put in examples, but examples here.

    The paypal.com one is particularly scary. It looks like paypal.com in your status bar when you hover over the link. It reads paypal.com in your address bar. But it isn't Paypal. That's because the "a" isn't an "a" but is really Unicode D0B0 If they'd put any effort into making it look like Paypal, it would be easy for somebody to direct you there and steal your Paypal password.

    In Firefox and IE they're indistinguishable. Even if they added a clue that something was different (e.g. colors to indicate an IDN) you'd have to look closely, and if IDNs became common you'd start to ignore the color coding. If the only difference between "paypal.com" and an identical spoof were small, you'd get tired of looking closely, and forget. If the warning was unignorable, like a popup, you'd turn it off.

    So the upshot is, yeah, beware of web sites you don't know, but with IDNs you don't always know whom you know.

  16. Re:Internations by Tackhead · · Score: 5, Informative
    > If you ever go to an international domain name you such be looking out for scams anyway.

    No, no, no. IDN's aren't about country codes, they're about special character codings that result in things in your status bar that look like their ASCII equivalent characters, but aren't.

    Don't worry, that special site hosted in Christmas Island will continue to resolve just fine. :)

  17. We need to tighten up web certificates by EsbenMoseHansen · · Score: 4, Insightful

    Well, you wouldn't trust a site that doesn't present a valid certificate. The problem is that obtaining such is too expensive for many.

    We need a reliable way for the a domain owner to get a certificate issued for that domain. This is mostly a bureaucratic problem, which could be solved, people willing.

    --
    Religion is regarded by the common people as true, by the wise as false, and by rulers as useful.
  18. Real solution... by Sylver+Dragon · · Score: 4, Informative

    A real solution for this problem is posted here

    The applicable part is:
    1. Install the Adblock Firefox extension.
    here
    2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

    3. Tick 'Site Blocking'

    4. Add the following filter :-
    /[^\x20-\xFF]/

    --
    Necessity is the mother of invention.
    Laziness is the father.
  19. Re:Fix it now. by Neurowiz · · Score: 4, Insightful

    Nope. Did exactly that. about:config, clear cache, restart Firefox, test at secuna - wham. The spoof still works.

    The Adblock method of stopping this (mentioned earlier) is a nice workaround. Adblock has become quite a useful tool.

    --
    Neurowiz
  20. It's like curing calluses by chopping the legs off by melted · · Score: 4, Insightful

    It's like curing calluses by chopping the legs off. It's about time that someone with a brain came in and fixed this phishing problem once and forever. Disabling international domains is not a solution. Remember, majority of the population of this planet doesn't speak English. Why should they NOT use their native alphabet?

  21. Well.. by raehl · · Score: 5, Funny

    It's used to send me money, of course.

    Thanks,
    Qal

    --
    paintball