Fixing the IDN problem in Mozilla

Most people will have come across the IDN vulnerability in Mozilla and other browsers, where www.pаypal.com was registered, with the first “a” actually being a Unicode character, а, that looks like an “a”.
I think Mozilla should fix this by displaying non-ASCII characters in the Location bar in red. So http://www.pаypal.com/ would actually look like http://www.pаypal.com/, with the “а” shown in red. This isn’t unfair to non-ASCII users, since their URLs won’t look weird; an entirely Russian URL would be entirely in red, and therefore wouldn’t stand out.

8 Responses to “Fixing the IDN problem in Mozilla”

  1. Second thought: an IDN will, in general, be entirely composed of non-ASCII characters. Yes, yes, I know that it’s entirely possible that Valve will register HλLF-LIFE.com or similar, but I think that it’s reasonable to say: if you’re visiting an IDN with a mix of ASCII and non-ASCII characters, pop up an alert. Something like the “you are about to log into site N with username X” alert you get with username:password@domain URLs.

    sil
  2. Unfortunately there are IDNs consisting entirely of non-ASCII characters that are still phishing attacks (because there are correspondences outside ASCII).

    Also, even simple names like http://www.thérèse.me.uk fail your test…

    Senji
  3. Also, something is buggered up there….

    “Also, even simple names like http://www.thérèse.me.uk fail your test…” is what I see having posted that….

    Senji
  4. Gah!

    Senji
  5. Senji: hm. So, I am not right, then. Sadly, it worked when I did it, so I don’t know what I’m doing wrong…

    sil
  6. I suggested this last month as a solution. Obviously not enough important people read my blog :(

    mrben
  7. mrben: The reason I preferred my solution to yours is that yours just says “something is weird about this URL” without telling you what the weird thing is…

    sil
  8. Hmm, and as a result of the bogosity that’s ended up in my comment your page contains some invalid UTF-8. Hmm…

    In the first comment you appear to have gained an 0xC2 in the middle of both multi-byte characters, in the second one it’s even more complicated.

    Senji
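The post's red-highlighting proposal and the mixed ASCII/non-ASCII alert from comment 1, as an added Python sketch (not code from the post, the commenters or Mozilla). The function names, the per-label mixing rule and the square brackets standing in for red are assumptions, and the last sample hostname is constructed.

```python
import unicodedata

def decode_label(label):
    """Return one DNS label in Unicode form; ACE ("xn--") labels are decoded."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed ACE: show it exactly as received
    return label

def analyse_host(host):
    """Per label: the non-ASCII characters to highlight and the mixed flag."""
    report = []
    for raw in host.rstrip(".").split("."):
        label = decode_label(raw)
        marked = [(i, ch, unicodedata.name(ch, "UNNAMED"))
                  for i, ch in enumerate(label) if not ch.isascii()]
        has_ascii = any(ch.isascii() and ch.isalnum() for ch in label)
        report.append({"label": label, "highlight": marked,
                       "mixed": bool(marked) and has_ascii})
    return report

def render(host):
    """Bracket each non-ASCII character (a plain-text stand-in for red)."""
    return ".".join(
        "".join(ch if ch.isascii() else "[" + ch + "]" for ch in r["label"])
        for r in analyse_host(host))

def should_alert(host):
    """Comment 1's rule: alert when a label mixes ASCII and non-ASCII."""
    return any(r["mixed"] for r in analyse_host(host))

SAMPLES = [
    "www.paypal.com",
    "www.p\u0430ypal.com",            # the post's example, U+0430 for "a"
    "www.th\u00e9r\u00e8se.me.uk",    # the name from comment 2
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # constructed all-Cyrillic label
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(render(host), "ALERT" if should_alert(host) else "ok")
```

Running it shows both limits raised in comment 2: the accented name triggers the alert, while a label made only of non-ASCII characters passes without one.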
