Opera Calls for Consortium on IDN Fix
Opera Software has called on its fellow browser makers and the Internet community as a whole to band together in an effort to fix the security issues related to Internationalized Domain Names. The IDN standard was called into question earlier this month following news that it could lead to domain spoofing and phishing attacks.
The problem with IDN stems from its use of the Unicode character set to enable domain names that include international letters. But because the DNS system that facilitates the Internet only understands ASCII, or U.S. English characters, Unicode URLs must be converted by a Web browser into a format called "Punycode."
In this conversion lies the potential for a malicious Web site to mimic a trusted URL, including its SSL security certificate. With Unicode, it is possible to have numerous characters called "homographs" that appear identical when displayed, but are actually completely different.
For example, paypal.com written with a Unicode Cyrillic "a" actually loads the URL xn--pypal-4ve.com. But the Web browser displays the Unicode character as it would a standard ASCII letter, leaving the user unaware of his actual location on the Web.
"Technically speaking, Opera and other non-IE browsers run into a problem because they have implemented a standard correctly," Carsten Fischer, Opera's VP of Desktop Products, told BetaNews. IE is immune to the issue because it has yet to natively support IDN; however, a VeriSign plug-in can provide the functionality.
Earlier this week, Mozilla developers announced the next release of Firefox would disable IDN as a temporary corrective measure until a long-term solution is found. Opera says it will provide its own fix in an upcoming preview release of Opera 8, while noting any "solution must find a balance in how information is presented to the user."
One of IDN's authors, Paul Hoffman, was quick to respond to the press reports and dismissed suggestions to simply drop support for the standard. "Given the assumption that billions of people would actually like to have their domain names be in characters that they use every day, there has to be better solutions to the homograph spoofing problem," Hoffman wrote on his Web log.
Hoffman suggested creating a pop-up that informs a user when they visit an IDN domain that contains multiple character sets. "The difficult question is how to show the pop-up in a way that alerts about spoofing but doesn't get in the way of normal IDNs," he said.
But Opera's Fischer said URL display is a complex issue. "Pop-up warnings are clearly not a workable solution, and visual clues need to be sufficiently to the point - though not obtrusive for valid URLs, while remaining conspicuous enough for unusual cases. This is a difficult balancing act."
Fischer did not suggest a solution, but said the problem will require some kind of user interaction and educated decision-making. "This is why we believe this problem cannot be solved alone, but rather together with members of the Internet community. This has to become a joint effort of browser vendors, domain name registries and certificate authorities."
"Together we can find solutions that can ban suspicious character mixing and give certificates additional trustworthy information that is difficult to spoof," Fischer said. "This is a problem for the entire Internet society."
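The Punycode conversion and the mixed-character-set check discussed above can be sketched as follows. This is an added example, not code from the article, Opera or Mozilla; the function names and sample domains are constructed for illustration, and the script test is an approximation based on Unicode character names.

```python
import unicodedata


def to_ascii(domain):
    """Return the ASCII ("xn--" Punycode) form of a domain, as sent to DNS."""
    return domain.encode("idna").decode("ascii")


def scripts_in_label(label):
    """Approximate the set of scripts used by the letters in one label.

    Assumption: the standard library exposes no Unicode Script property, so
    the first word of each letter's Unicode name (LATIN, CYRILLIC, GREEK,
    ...) stands in for it. Digits and hyphens are ignored.
    """
    return {
        unicodedata.name(ch, "UNKNOWN").split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def check_domain(domain):
    """Report the ASCII form plus every label that mixes scripts.

    A mixed label is a signal for a visual cue, not a verdict: some
    legitimate names combine scripts, which is the balance the article
    describes between alerting on spoofs and not obstructing normal IDNs.
    """
    mixed = {}
    for label in domain.split("."):
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            mixed[label] = sorted(scripts)
    return {"ascii": to_ascii(domain), "mixed_labels": mixed}


# Constructed samples: the article's example (Cyrillic U+0430 in place of
# the Latin "a"), the genuine ASCII name, and a single-script IDN.
SPOOF = "p\u0430ypal.com"
GENUINE = "paypal.com"
SINGLE_SCRIPT_IDN = "b\u00fccher.example"

if __name__ == "__main__":
    for name in (SPOOF, GENUINE, SINGLE_SCRIPT_IDN):
        print(repr(name), check_domain(name))
```

Showing the ASCII form next to the displayed name, and highlighting labels that appear in mixed_labels, gives the user the information the Unicode rendering hides.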