IE7 to Support International Domains

Microsoft said this week that Internet Explorer 7 will finally provide support for international domain names (IDN), detailing a number of security measures it will put into place to prevent phishing and spoofing attacks. Firefox, Opera and Safari implemented similar protections earlier this year.

The problem with IDN stems from its use of the Unicode character set to enable domain names that include international letters. Unicode URLs must be converted by a Web browser into a format called "Punycode," which opens the door for a malicious Web site to mimic a trusted URL, including its SSL security certificate.

Opera was the first to tackle the problem in February, adding a yellow security bar to show the name of the organization that owns the SSL certificate and only displaying IDN URLs for certain top-level domains certified by the company.

Apple followed suit with an update to Safari in March, making the browser display URLs with non-approved characters in their native Punycode form. Firefox initially removed support for IDN altogether, then added the feature for certain top-level domains with anti-spoofing policies.

Instead of white-listing specific domains, Microsoft has taken a different approach with IE7. The browser will detect what language scripts are being used in the URL and if it contains characters outside the chosen languages, IE7 will display the domain name in Punycode form.

The idea is to prevent a mixture of characters that could lead to spoofing, without taking away from IDN's usefulness.

"There is little doubt that showing the Punycode form leaves no ground for spoofing using the full range of Unicode characters; however, showing Punycode isn't very user-friendly," says IE developer Vishu Gupta. "We do not describe “other language” URLs as 'suspicious' because such URLs are completely harmless when displayed in Punycode form."

If IE7 does display a domain name in Punycode form rather than localized, an information bar will appear to notify the user. From the bar, a user can choose to add the language to their list of allowed scripts.

"Users who allow Greek in their language-settings are as susceptible to Greek-only spoofs as the population using English is susceptible to pure-ASCII based spoofs," added Gupta.

Beta 2 of IE7, due early next year, will include the IDN changes.

For those not interested in visiting international domain names and wanting to avoid any risk, Microsoft has added an "International" section to the Internet Control Panel that contains an option to disable the feature entirely and revert back to IE6 behavior.

21 Responses to IE7 to Support International Domains

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.