A better cross-browser fix for IDN spoofing



My previous journal entry was satire. It was not meant seriously, but was simply an observation about proposed solutions to IDN spoofing that have floated around lately.

The reality is that there is no real fix out there, but what I am about to suggest might be the best solution for people who are aware of the IDN spoofing problems.

You see, disabling IDN to fix the spoofing issue is overkill. It only solves a symptom, and not the problem itself. It is also only really a viable solution to people who only use ASCII characters. In addition to this, those that are aware of the setting will know about this issue, and therefore know how to protect themselves. The ones that do need protection do not know about the issue, and they do not know about the setting to disable IDN in Firefox.

So as you can see, disabling IDN has very limited use, and major drawbacks. To claim that Firefox fixed the spoofing issue in less than twelve hours is not understanding what the problem really is. I believe that Mozilla.org knows this, and will, like Opera, continue to look for a better, permanent solution.

My proposed fix will not work unless people are educated (which is the same as when you are told to disable IDN), and indeed, a better and more permanent solution which protects people who don't know (and/or don't care) is still needed. But it does not have the same drawbacks as disabling IDN does, such as making the browser useless if you happen to use the "wrong" character set.

The solution

Never open important URLs (such as online banking sites) by clicking links in e-mails or other pages. Instead, type them in manually, or even add a bookmark and use a nickname for quick access.

  • This solution will not only protect you against IDN spoofs, but also any future spoofing vulnerabilities that may be discovered.
  • It will not make it impossible for people outside English speaking countries to use localized URLs.
  • It will not require the user to fiddle around with settings – all the user needs to do is to remember this simple rule, and follow it.

All it takes is to add a bookmark and give it a nickname. Then all you need to do is to type in the nickname in the URL field, and you will be taken to the site.

Does this mean that Opera Software does not take IDN spoofing seriously, or that nothing will be done? No. The above is my proposal for a better interim solution than the very limited options that are already available. Opera Software will of course continue to look into this issue, as it is an important issue which needs to be resolved.

But even when a real fix is available, the above is still a good idea, if only to protect oneself from possible spoofing attacks in the future.

Advertisements

5 thoughts on “A better cross-browser fix for IDN spoofing

  1. The morning is a little more quiet here and I'm feeling better reading this journal entry than yesterday's. At least it sounds reasonable! 🙂

  2. Well, Polish users have egaged an old font displacement bug to fight the IDN problem. 😉

    Font displacement bug exists since Opera 6.0 times… More info: http://tinyurl.com/3zaht

    The demo links mentioned in the above thread are dead now. Excerpt from my old "Opera 6 Bugs" page:
    xxx
    If the font does not claim to support Unicode blocks, then Opera replaces it with another font. The visual effect of the bug depends on fonts installed on your system and is usually poor.
    We know that some of the page authors are PASes but not even a PAS would use a font which does not support characters which are supposed to be displayed on the page… So, why should Opera replace fonts? Switching off the font replacement feature could be an option, at least.
    xxx

    A closer look at the problem (in Polish) : http://www.operapl.prv.pl/dispfonts.html

    In this thread: http://my.opera.com/forums/showthread.php?s=&threadid=80983&perpage=25&pagenumber=1#post828428 quiris says:

    xxx
    Haw-haw. So I'll suggest one more method to distinguish a bad address from the good one. Go to Preferences/Fonts and choose any non-unicode font for "User interface dialogs", such as "MS Sans Serif". Now we may use the Opera font displacement bug to detect these nasty URLs :D.
    xxx

    BTW, will the font displacement bug be ever fixed?

  3. This may be a messy solution but, why not change hyperlinks to their real urls as a setting? That way, people have an option to see where they are going to, could this already be applied via css?

  4. Instead of doing nothing, Opera could underline international characters in the address bar. It would provide a way to actually SEE that something's wrong. Add tooltips over this and you've got a pretty comprehensive solution.

    (Well *I* don't see why this wouldn't work)

Comments are closed.