Slashdot Mirror


Mozilla Drops Support for International Domains

tsu doh nimh writes "Netcraft has the story that Mozilla has decided to drop support for international domain names in future versions of its Firefox Web browser. The decision comes after demonstrations by the Shmoo Group that the feature can be used to aid in phishing scams and other browser naughtiness." From the article: "The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved."

  1. Drops? by Anonymous Coward · · Score: 5, Informative

    They've disabled it by default until they come up with a long term solution. That's hardly dropping.

    1. Re:Drops? by Rodness · · Score: 5, Informative

      Now I understand why the Mozilla community consistently blasts Slashdot for "not getting it". Lately it doesn't even seem like the submitters are even bothering to read the articles before they rush to post their mental mucus.

      Mozilla has temporarily disabled internationalized domain name handling until they figure out a long term fix. This is not 'dropping' anything. They're not ripping out the IDN code, they're just trying to protect their users while they figure out a fix, and most of the English-speaking world isn't even going to notice a difference anyway.

  2. Drops? by Scrameustache · · Score: 5, Insightful

    There's a difference between "drops support" and "sets that option to 'off' by default", you know.

    --

    You can't take the sky from me...

  3. That's False by Uruviel · · Score: 5, Informative

    It will be turned off in 1.0.1, but for 1.1 and further releases they will look for a cleaner way to fix the spoofing issue, and thus bring back IDN support. Here is a link to the Mozillazine article: http://www.mozillazine.org/talkback.html?article=6073

    1. Re:That's False by Qzukk · · Score: 5, Informative

      A fix is pretty easy, but requires two parts:
      1) Amend the IDN spec to require that valid IDN urls use the lowest-numbered codepoints that match that glyph.
      2) Have browsers use a table that identifies all the characters that share a glyph. Any invalid IDNs are mapped down to the lowest codepoints before the browser goes there, so a link to a fake paypal.com address actually goes to the real paypal.com address.

      Of course, this still can't stop people who just refuse to look closely at the URL. The payqal.com domain is taken, who knows what it's used for...

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  4. network.enableIDN by athakur999 · · Score: 5, Interesting
    > The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration

    Isn't this the "fix" that everyone found stopped working after you restarted the browser?

    --
    "People that quote themselves in their signatures bother me" - athakur999
  5. NOOOOOO!! by Anonymous Coward · · Score: 5, Funny

    Not .cx!!?!? Don't drop support for .cx!!!

    1. Re:NOOOOOO!! by northcat · · Score: 5, Informative

      No, it's not dropping support for country specific TLDs (did I use the right term?). .cx, .us, .de etc., will all work. It disabled support for Internationalized domain names. Internationalized domain names are domain names with characters from non-English languages. http://www.verisign.com/products-services/naming-and-directory-services/naming-services/internationalized-domain-names/index.html. IE doesn't support this either. It's all in TFA.

  6. Re:Mozilla is an American project by Anonymous Coward · · Score: 5, Funny

    What's this "international" thing people keep talking about?

    It's where you go to fight wars.

  7. Correction by Stiletto · · Score: 5, Informative

    The submitter SHOULD have mentioned that Mozilla has decided to disable internationalIZED domain names, ones made of "funny" unicode characters.

    International domain names like .uk .au, and our favorite, .cx, are of course still supported.

  8. Re:How about selective INT Domain Filtering? by PurpleFloyd · · Score: 5, Informative

    This isn't about turning off domains like .kr. Rather, it's about turning off Unicode support in domain names - currently, in browsers which support IDN, it's possible to send someone to a URL which looks like "https://www.paypal.com" but really has a letter replaced with a non-English Unicode character which looks the same. This deactivation turns off support for Unicode domain names, not national domains.

    --

    That's it. I'm no longer part of Team Sanity.
  9. hmph by miruku · · Score: 5, Informative

    have they not read this?

    --
    MilkMiruku
  10. IDNC3 by StarDrifter · · Score: 5, Informative

    D. J. Bernstein (djbdns, qmail, ...) saw this problem coming back in 2002. He proposed an alternative to IDNA called IDNC3 which he claimed wouldn't cause this kind of mess. Looks like nobody listened to him though.

  11. Can you identify an IDN? by jfengel · · Score: 5, Informative

    The problem is that you can't always easily identify an international domain name. In particular, IDNs contain characters that are nearly identical to Latin character set but are treated differently. Slashdot won't let me put in examples, but examples here.

    The paypal.com one is particularly scary. It looks like paypal.com in your status bar when you hover over the link. It reads paypal.com in your address bar. But it isn't Paypal. That's because the "a" isn't an "a" but is really Unicode D0B0. If they'd put any effort into making it look like Paypal, it would be easy for somebody to direct you there and steal your Paypal password.

    In Firefox and IE they're indistinguishable. Even if they added a clue that something was different (e.g. colors to indicate an IDN) you'd have to look closely, and if IDNs became common you'd start to ignore the color coding. If the only difference between "paypal.com" and an identical spoof were small, you'd get tired of looking closely, and forget. If the warning was unignorable, like a popup, you'd turn it off.

    So the upshot is, yeah, beware of web sites you don't know, but with IDNs you don't always know whom you know.
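
Added example (not part of any comment in this thread, and not Mozilla's code): a Python sketch of the table-based check Qzukk proposes in comment 3, run against the paypal.com look-alike that jfengel describes in comment 11. The glyph table is a small constructed sample, the function names are hypothetical, and reading the script from the Unicode character name is a simplification.

```python
import unicodedata

# Constructed, deliberately tiny glyph-equivalence table: each Cyrillic letter
# maps to the lowest-numbered codepoint drawn with the same glyph. A real
# table would have to cover every script; this sample is an assumption.
SHARED_GLYPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}

def fold_to_lowest(host: str) -> str:
    """Map every character to the lowest codepoint sharing its glyph."""
    return "".join(SHARED_GLYPHS.get(ch, ch) for ch in host.lower())

def to_ace(host: str) -> str:
    """ASCII-compatible (xn--) form, which is what is actually sent to DNS."""
    return host.encode("idna").decode("ascii")

def scripts(label: str) -> set:
    """Rough script per letter: first word of its Unicode character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def check_host(host: str) -> dict:
    """Report how a hostname fares under the lowest-codepoint rule."""
    folded = fold_to_lowest(host)
    return {
        "ace": to_ace(host),                       # wire form, shows the xn-- prefix
        "folded": folded,                          # where the browser would go instead
        "valid_under_rule": folded == host.lower(),
        "mixed_script_labels": [l for l in host.split(".")
                                if len(scripts(l)) > 1],
    }

if __name__ == "__main__":
    # Constructed inputs: the real name and a copy with Cyrillic U+0430 for "a".
    for h in ("paypal.com", "p\u0430ypal.com"):
        print(repr(h), check_host(h))
```

Displaying the `ace` value instead of the rendered Unicode is the other way to make the two names visibly different in an address bar or a log line.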

  12. Re:Internations by Tackhead · · Score: 5, Informative
    > If you ever go to an international domain name you should be looking out for scams anyway.

    No, no, no. IDN's aren't about country codes, they're about special character codings that result in things in your status bar that look like their ASCII equivalent characters, but aren't.

    Don't worry, that special site hosted in Christmas Island will continue to resolve just fine. :)

  13. Well.. by raehl · · Score: 5, Funny

    It's used to send me money, of course.

    Thanks,
    Qal