Slashdot Mirror


Apple Plugs IDN Spoof Bug

mmarlett writes "Security Update 2005-003 updates Safari's support for International Domain Names (IDN) to prevent lookalike characters from being used to spoof the URL displayed in the address field, SSL certificate, or status bar. Opera fixed this in February while Mozilla just dropped support for IDNs, and you may recall that Internet Explorer did not suffer from this exploit because it sucks."

3 of 26 comments

  1. A good solution by cuijian · Score: 4, Interesting

    This seems like a much better short-term solution than other browsers have come up with. Apple managed to keep International Domain Name support for most of their customers (particularly in countries like Japan and China where they are starting to be widely used) and address the security issue.

    I'm not sure what the right long-term solution is. It's not ideal to have to turn off support for Cherokee, Cyrillic and Greek. It seems like the domain registrars need to take some of the responsibility.

    1. Re:A good solution by gorre · Score: 5, Interesting
      I'm not sure what the right long-term solution is. It's not ideal to have to turn off support for Cherokee, Cyrillic and Greek.
      Perhaps rendering non-ASCII characters in a different colour so the user can tell the difference between a lookalike character and the "real thing" could be an option? Not perfect but it's something that springs to mind which may be better than turning off IDN support completely.
      --
      "Madness is something rare in individuals - but in groups, parties, peoples, ages it is the rule." -- Nietzsche
  2. Mozilla didn't drop it... by Anonymous Coward · Score: 2, Interesting

    At least Firefox already implements the same solution as Apple, to display the url in punycode form.
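
An added illustration, not part of the original thread and not Apple's or Mozilla's code: the display policy the comments describe, where a host name is shown in its punycode form whenever it contains Cherokee, Cyrillic or Greek characters and natively otherwise. The function names and the character-name script test are assumptions made for this sketch, and the sample host names are constructed.

```python
import unicodedata

# Scripts named in the thread as no longer rendered natively.
RESTRICTED_SCRIPTS = ("CHEROKEE", "CYRILLIC", "GREEK")


def restricted_chars(host):
    """Return (char, Unicode name) pairs in host that fall in a restricted script."""
    hits = []
    for ch in host:
        name = unicodedata.name(ch, "")
        # Assumption: the Unicode character-name prefix stands in for the
        # Script property a real browser would consult.
        if name.startswith(RESTRICTED_SCRIPTS):
            hits.append((ch, name))
    return hits


def display_host(host):
    """Return the text an address bar following this policy would show.

    Accepts either the Unicode form or the ASCII "xn--" form of a host name.
    """
    # Normalise to the ASCII (punycode) form, then back to Unicode, so both
    # input forms are judged on the characters a user would actually see.
    ascii_form = host.encode("idna").decode("ascii")
    unicode_form = ascii_form.encode("ascii").decode("idna")
    if restricted_chars(unicode_form):
        return ascii_form      # lookalike risk: show the raw xn-- form
    return unicode_form        # e.g. Japanese or Chinese names stay readable


if __name__ == "__main__":
    # Constructed samples: U+0430 is CYRILLIC SMALL LETTER A, which renders
    # like a Latin "a" in most fonts.
    samples = [
        "p\u0430ypal.com",
        "xn--pypal-4ve.com",
        "\u4f8b\u3048.\u30c6\u30b9\u30c8",   # Japanese label and TLD
        "example.com",
    ]
    for s in samples:
        print(ascii(s), "->", ascii(display_host(s)), restricted_chars(s))
```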