In the last issue of TidBITS, I wrote about how non-English characters that resemble or are identical to Roman letters could allow scammers to spoof well-known sites by registering domain names that look identical even to the trained eye and then obtaining SSL certificates to make them look secure (see "Don’t Trust Your Eyes or URLs" in TidBITS-766).
Over the past week, there’s been some motion on a few fronts worth reporting.
First, the Mozilla Foundation will disable the internationalized domain names (IDN) support as a default in Firefox 1.0 releases. They hope to develop a more elegant approach for 1.1. They (and others) blame domain registrars for allowing domains that are homographically (written similarly) identical to well-known sites.
<http://news.netcraft.com/archives/2005/02/15/ firefox_to_disable_idn_support_as_ phishing_defense.html>
The article at Netcraft just above explains how to disable support for IDN within Mozilla, Firefox, and other browsers using the open-source "gecko" browser code by typing "about:config" in the Location field and hitting Return. Scroll down to find the setting "network.enableIDN". If this is set to true, double click it to change the setting to false. Close the window.
If you want to leave this setting on, I recommend installing SpoofStick for Firefox, a small browser extension that alerts you to homographic problems and other signs of Web spoofing.
Interestingly, although Firefox and Mozilla share much of the same code, one reader wrote that trying to install SpoofStick in Mozilla made Mozilla crash. Mozilla’s plug-in infrastructure must not support Firefox’s extensions, as far as I understand it. Mozilla users might look into TrustBar, which helps identify spoofed domains, although not quite in the same manner.
Another reader wrote in to mention that her user group advised that she use Saft for Safari, which extends Safari’s built-in features and has added homograph alerts.
Finally, several readers pointed out that they couldn’t get the spoof to work in their various browsers and systems. The reason? They were using systems and browsers – such as iCab under Mac OS 9 – that predate the IDN support via punycode that maps Unicode in this fashion. Older means better in this case.