Mozilla Drops IDN Support Due to Flaw

By David Worthington, BetaNews

February 15, 2005, 6:47 PM

Mozilla developers are closing the door on phishing schemes that exploit a widely reported flaw in the Internationalized Domain Names (IDN) specification. Upcoming builds of Firefox 1.0.1, Mozilla 1.7.6 and Mozilla 1.8 beta will have IDN disabled as a temporary corrective measure to protect users from identity theft.

IDN is presently enabled by default in Firefox, Mozilla, Opera, and Apple's Safari Web browsers. Microsoft's Internet Explorer does not have native IDN support and therefore is not affected by the problem.

The flaw lets an attacker "spoof" a legitimate Web site by exploiting how browsers display the Unicode characters that IDN allows in domain names. A domain registered with look-alike characters from another script (a homograph of a trusted name) renders identically to the real one in the address bar, the SSL certificate dialog and the status bar, yet a specially crafted link to it takes the user to the attacker's server.

Unicode is the universal character set that supersedes ASCII, which covers only unaccented English letters, digits and punctuation.
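The following is an added example, not code from the article nor Mozilla's or Opera's implementation. It shows what a browser actually sends to DNS for a homograph link (the RFC 3492 Punycode form with the "xn--" prefix) and one display heuristic of the kind vendors were weighing: show the Unicode name only when every label is drawn from a single script, otherwise fall back to the Punycode so the "xn--" is visible. The sample hostname is constructed for the example: "paypal.com" with the first "a" replaced by Cyrillic small a (U+0430). The script table and the `displayHost` policy are this example's own simplifications, not any browser's code.

```javascript
// Added example, not code from the article or from Mozilla: encode an
// IDN label the way a browser does before a DNS lookup (RFC 3492
// Punycode) and apply a mixed-script display check as one mitigation.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation from RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : Math.floor(delta / 2);
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digit values 0..25 map to 'a'..'z', 26..35 to '0'..'9'.
function encodeDigit(d) {
  return String.fromCharCode(d < 26 ? 97 + d : 22 + d);
}

// Punycode-encode a single label (no "xn--" prefix). Assumes the label is
// already lowercase and NFC-normalized; real IDNA runs Nameprep first.
function punycodeEncode(label) {
  const input = Array.from(label, ch => ch.codePointAt(0));
  let out = String.fromCodePoint(...input.filter(c => c < 128));
  const b = out.length;         // number of basic (ASCII) code points
  let h = b;                    // code points handled so far
  if (b > 0) out += '-';
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < input.length) {
    const m = Math.min(...input.filter(c => c >= n)); // next code point to encode
    delta += (m - n) * (h + 1);
    n = m;
    for (const c of input) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
          if (q < t) break;
          out += encodeDigit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += encodeDigit(q);
        bias = adapt(delta, h + 1, h === b);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// Convert a whole hostname to the ASCII form sent to DNS. Labels that are
// pure ASCII pass through; others get the "xn--" ACE prefix.
function domainToASCII(host) {
  return host.split('.')
    .map(l => (/^[\x00-\x7f]*$/.test(l) ? l : 'xn--' + punycodeEncode(l)))
    .join('.');
}

// Coarse script classification for the display check (example's own
// table, not Unicode's full Script property). Digits and hyphens belong
// to no script here, so they never make a label "mixed".
const SCRIPTS = [
  ['Latin', /[A-Za-z\u00C0-\u024F]/u],
  ['Greek', /[\u0370-\u03FF]/u],
  ['Cyrillic', /[\u0400-\u04FF]/u],
];

function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPTS) if (re.test(ch)) found.add(name);
  }
  return [...found];
}

// Display policy (one possible mitigation, not Mozilla's actual fix):
// show the Unicode form only when every label is a single script;
// otherwise show the Punycode so the user can see "xn--".
function displayHost(host) {
  const mixed = host.split('.').some(l => scriptsIn(l).length > 1);
  return mixed ? domainToASCII(host) : host;
}

// Constructed sample: "paypal" with the first "a" replaced by Cyrillic
// small a (U+0430), which renders identically to Latin "a" in most fonts.
const spoofed = 'p\u0430ypal.com';
console.log(domainToASCII(spoofed));    // xn--pypal-4ve.com
console.log(displayHost(spoofed));      // xn--pypal-4ve.com
console.log(displayHost('paypal.com')); // paypal.com
```

The mixed-script check catches the classic single-substitution case but not a name built entirely from one non-Latin script whose glyphs all resemble Latin letters, and it does nothing about a registry that accepts such a registration in the first place, which is why the vendors' statement quoted below points at registrars as well as browsers.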

"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," read a statement issued by a Mozilla spokesperson. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

The Mozilla team is brainstorming long-term solutions, which include a mixture of warning bars, icons and tooltips.

In a follow-up statement, developers said that they did not want to "have the disadvantage of discriminating against IDN as a class of domains," and stressed that they did not intend to be "Anglocentric" by restricting character sets.


By acey99

posted Feb 16, 2005 - 12:22 AM

So it MAY take you to another site.
At least it doesn't allow code to, say, format your HD, or just bomb your comp like 95% of the stuff does for IE.

Every time I see a patch or flaw with IE it's a security issue; in 2004 there were, like, what, 2-3 dozen of those & all of them had to do with users being able to take over your system directly, not be pushed to another site.

Besides, it is an IDN issue, not Mozilla, Opera or KDE.

Catch a clue, buy a vowel!

Score: 0

By snoopy3216

posted Feb 15, 2005 - 7:15 PM

Can't fix it, or patch it in time, so they disable it. Sorry POS, and they also blame.... "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

when the bottom line is their browser is the last point to make sure these things don't happen.

Score: 0

By spiffyjeff

edited Feb 16, 2005 - 5:56 AM

I laugh at you for such comments.

First of all, if MS had this problem, they would call it a "security update" or a "patch," not disabling a feature - this is a feature that MS doesn't even support btw. MS once called the act of uninstalling their version of Java an "update" when it was really legal issues - what do you think about that? I dunno, maybe they were supposed to make it sound good, which it was, except to MS.

2nd, disabling this feature will bring Firefox to the same point as MS on that particular feature.

I have been paying more attention to BetaNews lately, and the articles they put out always make MS look good, and articles such as this make open source, MS's competition, look bad.

Score: 0

By nate

posted Feb 15, 2005 - 7:39 PM

Read the article - the problem is in the IDN specification itself NOT the browser. Microsoft hasn't added support because IE hasn't been updated since XP in 2001. It's not because IE is better that it's unaffected, it's because development has been slow and so Microsoft got lucky.

But again, this is a specification issue. Which means VeriSign and ICANN need to go back to the drawing board and figure out another option.

Score: 0

By eunichman

posted Feb 16, 2005 - 7:06 AM

I applaud both MS and Mozilla on their approaches to this issue. Each took a different view on how to handle an issue beyond their control. In the end it isn't how the problem is handled, it is the fact that it WAS handled (gasp.. yes, I actually gave praise to microshaft for a change :) )

Score: 0

By Pipewrench

posted Feb 15, 2005 - 8:01 PM

nate,

I totally agree. Because Microsoft has been slackers with IE they did get lucky on this one. There is no need for IDN in a browser anyway. At least for 95% of the users.

Score: 0

By nate

posted Feb 15, 2005 - 8:25 PM

Agreed. Not that I blame them, but VeriSign is primarily promoting IDN because it means... more domain names! More domain names means... more money!

And in reality, IDN is really going to cause more trouble and confusion than it's worth.

Score: 0

By Planet.Of.Wounds

posted Feb 16, 2005 - 1:23 AM

"more domain names! More domain names means... more money!"

And that's... bad?

Score: 0

By nate

posted Feb 16, 2005 - 6:49 AM

That can be argued both ways. But my point was that VeriSign's reasons for backing IDN are business related - not some noble cause.

However, it is bad if it means people are just going to register paypal.com with a different "a" and take advantage of unsuspecting users.

Score: 0

By Planet.Of.Wounds

posted Feb 16, 2005 - 2:42 PM

"That can be argued both ways."

Pray tell, I'd love to hear the other way.

"But my point was that VeriSign's reasons for backing IDN are business related - not some noble cause."

1.) Verisign is a business. Are you blaming a business for... making business?
2.) Exactly why and how making business is bad anyway?
3.) Please define 'noble cause'. Thanks.

Score: 0

By Maxwolf

posted Feb 16, 2005 - 8:20 AM

One of the first major flaws found in Mozilla software, and what happens? They have to perform a complete overhaul of the IDN code, most likely because in the back of their minds they know pop-ups and notifications are the cheap way out of this problem.

They just tell you to turn it off, I guess all those stupid "patches" and "updates" from Microsoft don't look so dumb after all. So much for the lightning fast reaction times of the open source community.

Score: 0

By stuclark

posted Feb 17, 2005 - 4:52 AM

WTF are you talking about? Have you even read the Mozilla response to the IDN problem? Have you looked at their Bugzilla entries for the IDN bug?

There's nothing wrong with their IDN code; it's functioning in exactly the same way as Opera's is. (BTW, Opera's response is to do nothing at all!) All Mozilla have done is to change the DEFAULT value of a preference. All it means is that the user has to *specifically* turn the feature on, rather than off - that's giving the user more control and thus more security.

The "long term fix" being discussed by Mozilla is likely to be an "in-your-face" pop-up type warning if you turn on or navigate to an IDN site. They're not talking about re-writing the underlying code!

Score: 0

By eunichman

posted Feb 17, 2005 - 2:41 AM

wtf?!? How did the open source community get brought into this? This is a report on the flaw in IDN and two different responses to handle it. It constitutes ONE patch for IE.. what about all the hundreds of others not related to this issue but to security issues in IE and Windows itself?

Peddle your hatemongering elsewhere

Score: 0

By Maxwolf

posted Feb 17, 2005 - 9:14 AM

"There's nothing wrong with their IDN code, it's functioning in exactly the same way as Opera's is."

I know it's working like it's supposed to... but there is a major flaw discovered in it. This is not a simple problem because not only does this affect Mozilla but multiple browsers on multiple platforms.

My comment on the open-source community was the boasting of how fast the reaction time is to discovered security holes. Just because it's in Bugzilla or any other database does not mean anything because the problem is still there.

And it constitutes no patch for IE because it doesn't use IDN standards. Thank you very much.

Score: 0