TriNetre - Archive for February 07, 2005
(no longer updated)
It has been shown that browser support for International Domain Names (IDN) can be turned into a dangerous phishing tool. Shmoo Group's demo page shows how. The explanation is given in the official advisory:
The links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as www.xn--pypal-4ve.com.
This is one example URL; there are now many ways to display any domain name on a browser, as there are a huge number of codepages/scripts which look very similar to Latin charsets.
Boing Boing lays out a temporary workaround by disabling support for IDNs.
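As an added example (not code from the post, the advisory, or any browser), the Python below does what the quoted advisory describes: it renders a hostname the way a browser's punycode handler does before the DNS lookup, decodes the xn-- form back to what the user sees, and then applies the two checks a defender would want on any IDN label: does the label mix scripts (Latin "p" next to Cyrillic "а"), and does it collapse to an ASCII look-alike of a plain domain? The confusables table and the function names are mine; the table is a deliberately small constructed subset of the kind of look-alike data Unicode publishes, not a complete list.

```python
import unicodedata

# Constructed look-alike table for this example (assumption: a tiny subset of
# the Unicode confusables data, enough to cover common Cyrillic/Greek spoofs).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A      (the character in "pаypal")
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_punycode(host):
    """Render a hostname as the ASCII (xn--) form a browser resolves.

    The 'idna' codec applies nameprep and RFC 3492 punycode per label;
    labels that are already ASCII pass through unchanged."""
    return host.encode("idna").decode("ascii")


def to_unicode(host):
    """Inverse of to_punycode: decode xn-- labels back to the displayed characters."""
    return host.encode("ascii").decode("idna")


def label_scripts(label):
    """Set of scripts used by the letters of a label (first word of each
    character's Unicode name, e.g. LATIN, CYRILLIC). Digits/hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def skeleton(label):
    """Replace each known look-alike with the ASCII letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_host(host):
    """Per-label findings for a hostname given in either Unicode or xn-- form."""
    findings = []
    for label in to_unicode(to_punycode(host)).split("."):
        scripts = label_scripts(label)
        skel = skeleton(label)
        findings.append({
            "label": label,
            "punycode": to_punycode(label),
            "scripts": sorted(scripts),
            # Latin mixed with another script inside one label is the classic tell.
            "mixed_script": len(scripts) > 1,
            # A non-ASCII label whose skeleton is pure ASCII imitates a plain
            # ASCII domain; this also catches whole-script spoofs with no mixing.
            "ascii_lookalike": skel if (not label.isascii() and skel.isascii()) else None,
        })
    return findings


def is_suspicious(host):
    """True if any label mixes scripts or collapses to an ASCII look-alike."""
    return any(f["mixed_script"] or f["ascii_lookalike"] for f in analyze_host(host))


if __name__ == "__main__":
    for h in ("www.p\u0430ypal.com",        # the advisory's example, Cyrillic а
              "www.xn--pypal-4ve.com",      # same host, as the browser resolves it
              "www.paypal.com",             # plain ASCII
              "b\u00fccher.example"):       # legitimate single-script IDN
        print(f"{h:28} -> {to_punycode(h):28} "
              f"{'SUSPICIOUS' if is_suspicious(h) else 'ok'}")
```

Run as a script it prints one line per host; the legitimate German label "bücher" stays single-script and has no ASCII skeleton, so it passes, while the advisory's host is flagged in both its Unicode and its xn-- spelling. Blanket IDN disabling, as in the workaround above, is the blunt version of the same idea; the per-label checks here are what later browsers moved toward.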
[Update]: Hmm, it looks like the workaround does not work as well as expected because Firefox seems to re-enable IDN support after a restart even if about.enableIDN is still set to false!
[Update 2] Firefox nightly build has disabled IDN support by default. CAcert has decided "not to issue certificates for any domains that contain punycode c(h)aracters".
