Apple Blocks IDN Spoofing in Safari

1 Comment

Following in the footsteps of Mozilla and Opera, Apple has issued its monthly Mac OS X security update with a fix for the spoofing vulnerability caused by Internationalized Domain Names (IDN). Apple's Safari Web browser will now only display URL characters from an approved list, which can be customized by the user.

The problem with IDN -- uncovered in early February -- stems from its use of the Unicode character set to enable domain names that include international letters. Unicode URLs must be converted by a Web browser into a format called "Punycode," which opens the door for a malicious Web site to mimic a trusted URL, including its SSL security certificate.

Like Opera, Safari will now display URLs with non-approved characters in their native Punycode form in order to lessen the risk of spoofing. Apple, however, has not followed Opera's example of providing more details about the origin of SSL certificates.

According to Apple, "The default list does not include Latin lookalike scripts (Cherokee, Cyrillic, and Greek) that could be used to trick users into navigating to malicious sites. You can edit the list of allowed scripts to specify exactly what scripts you want displayed."

Mozilla Firefox was updated last month to block the display of any IDN URLs by default. For those using URLs with international characters, the feature can be re-enabled. Microsoft's Internet Explorer is the only Web browser not affected by the problem, as it was never updated to support the IDN specification.

Opera, meanwhile, has called on the industry to band together in developing a long-term solution to the issues surrounding IDN.

"Opera stands behind its statement made to BetaNews on Feb. 18, 2005, asserting that the IDN problem is not one that can be solved alone, but rather together with other browser vendors, domain name registries, certificate authorities and other members of the Internet community," the company said last month.

Mac OS X users can download the March security fix via Software Update.

1 Comment

One Response to Apple Blocks IDN Spoofing in Safari

Got News? Contact Us

Recent Headlines

Firefox Nightly expands to Linux on ARM64

How writing zip support for Windows almost cost its creator his job at Microsoft

Apple AirPlay comes to IHG Hotels and Resorts

Millennials are key targets for phishing

Get 'Applied Machine Learning and AI for Engineers' (worth $67.99) for FREE

Best Windows apps this week

The dynamics of modern Windows device management [Q&A]

Most Commented Stories

Say goodbye to Microsoft Windows 11 and hello to Nitrux Linux 3.4.0 'pl'

61 Comments

Windows 11 slammed for its 'comically bad' performance even on high-end hardware

18 Comments

Outrageous: Microsoft to charge $61 for Windows 10 updates -- consider switching to Linux!

17 Comments

Microsoft 'improves' Windows 11 by bringing ads to the Start menu in the US

16 Comments

Microsoft is up to its old tricks yet again -- Windows 10 users harassed with full-screen Windows 11 upgrade warnings

16 Comments

The stunning Windows 13 -- yes, 13! -- is the Microsoft operating system we want

14 Comments

Easter giveaway! Get a licensed copy of 'VideoProc Converter for Windows/Mac' (worth $78.90) for FREE

10 Comments

EndeavourOS ARM discontinued: A huge loss for the Linux community

9 Comments

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.