My previous journal entry was satire. It was not meant seriously, but was simply an observation about proposed solutions to IDN spoofing that have floated around lately.
The reality is that there is no real fix out there, but what I am about to suggest might be the best solution for people who are aware of the IDN spoofing problems.
You see, disabling IDN to fix the spoofing issue is overkill. It only solves a symptom, and not the problem itself. It is also only really a viable solution for people who only use ASCII characters. In addition to this, those who are aware of the setting will know about this issue, and therefore know how to protect themselves. The ones who do need protection do not know about the issue, and they do not know about the setting to disable IDN in Firefox.
So as you can see, disabling IDN has very limited use, and major drawbacks. To claim that Firefox fixed the spoofing issue in less than twelve hours is to misunderstand what the problem really is. I believe that Mozilla.org knows this, and will, like Opera, continue to look for a better, permanent solution.
My proposed fix will not work unless people are educated (which is the same as when you are told to disable IDN), and indeed, a better and more permanent solution which protects people who don't know (and/or don't care) is still needed. But it does not have the same drawbacks as disabling IDN does, such as making the browser useless if you happen to use the "wrong" character set.
Never open important URLs (such as online banking sites) by clicking links in e-mails or other pages. Instead, type them in manually, or even add a bookmark and use a nickname for quick access.
- This solution will not only protect you against IDN spoofs, but also any future spoofing vulnerabilities that may be discovered.
- It will not make it impossible for people outside English-speaking countries to use localized URLs.
- It will not require the user to fiddle around with settings – all the user needs to do is to remember this simple rule, and follow it.
All it takes is to add a bookmark and give it a nickname. Then all you need to do is to type in the nickname in the URL field, and you will be taken to the site.
Does this mean that Opera Software does not take IDN spoofing seriously, or that nothing will be done? No. The above is my proposal for a better interim solution than the very limited options that are already available. Opera Software will of course continue to look into this issue, as it is an important issue which needs to be resolved.
But even when a real fix is available, the above is still a good idea, if only to protect oneself from possible spoofing attacks in the future.