Slashdot Mirror


Opera Fixes IDN Spoofing in Opera 8.0 Beta 2

Opera Watch writes "Opera has introduced a fix for the IDN spoofing security vulnerability in its latest beta version. The new version, Opera 8.0 beta 2, was released today on its FTP directory. No official announcement from Opera yet. Opera has created a white list for safe top-level domain names which include .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch, and .li. Sites not in the white list will show the encoded domain (with the IDN characters) in the URL field. The list is updated automatically when Opera checks for a new version."
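As an added illustration (not Opera's code and not part of the original submission), the sketch below applies a TLD whitelist like the one in the summary to decide how a hostname is displayed. It assumes the "encoded domain" is the ASCII `xn--` form; the function names are hypothetical and the `example.com` hosts are constructed samples.

```python
# Added illustration: not Opera's implementation.
# The TLD list is copied from the story summary; everything else is assumed.
IDN_TLD_WHITELIST = {"no", "jp", "de", "se", "kr", "tw", "cn", "at", "dk", "ch", "li"}


def to_ascii(host: str) -> str:
    """Convert a hostname to its ASCII (xn--) form using IDNA 2003 rules."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def display_host(host: str) -> str:
    """Return what the URL field would show under the whitelist policy."""
    ascii_host = to_ascii(host)
    tld = ascii_host.rsplit(".", 1)[-1]
    if tld in IDN_TLD_WHITELIST:
        # Trusted registry: show the decoded Unicode form.
        return ascii_host.encode("ascii").decode("idna")
    # Any other TLD: keep the encoded form so look-alikes stand out.
    return ascii_host


def idn_labels(host: str) -> list[str]:
    """List the encoded labels; the policy consults only the last label."""
    return [label for label in to_ascii(host).split(".") if label.startswith("xn--")]


if __name__ == "__main__":
    # Constructed samples, plus the host quoted in the first comment.
    for sample in ("ωωω.paypal.jp", "ωωω.example.com", "www.example.com"):
        print(f"{display_host(sample):30} IDN labels: {idn_labels(sample)}")
```

The first sample is shown in Unicode because only the `.jp` label is consulted, while `idn_labels` still reports the encoded host label for anyone auditing it.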


  1. Whitelists ignore third-level domains. by molo · Score: 2, Interesting

    The problem with whitelisting TLDs is that this ignores problems with bogus third-level domains/hosts. The listed registrars prevent registering look-alike domains, but no one controls look-alike third-level domains.

    For example, ωωω.paypal.jp (using Greek omega). This can be combined with a DNS cache attack.

    -molo

    --
    Using your sig line to advertise for friends is lame.
    1. Re:Whitelists ignore third-level domains. by Anonymous Coward · Score: 1, Interesting

      I don't understand your point. To do that, you need to be in control of paypal.jp already, in which case why bother with spoofing?

      If you're talking about making misleading third level domains under your own domain name, there's also no need to spoof anything. It's already possible to set up paypal.mydomain.com without having to resort to obscure character sets.