Mozilla and Firefox Disable IDN Support

MOUNTAIN VIEW, Calif. – The recently uncovered security threat from international domain names that has been demonstrated in vulnerable web browsers such as Opera and Firefox is creating a firestorm of activity among developers seeking to mitigate this exploit.

As previously reported by XBiz, the vulnerability is a variation of the "homograph attack" which targets weaknesses in the methods that certain web browsers interpret Unicode in order to display domain names using non-English characters, carried out in a way that exploits character resemblance. For instance, the number "0" and the letter "O" are similar enough to fool unwary users into believing that a fraudulent site is actually the website the surfer was trying to reach.

In response to this threat, Mozilla's developers have announced their intention to disable default support for Internationalized Domain Names (IDN) in future releases of the Mozilla and Firefox web browsers.

Opera, and the Mac Safari browser will remain vulnerable, however Microsoft's Internet Explorer web browser is unaffected by this exploit.

A simple solution to the vulnerability in Mozilla and Firefox is had by setting "network.enableIDN" to "false" within the browser's configuration panel, accessed by entering "about:config" in the browser's address bar. This will be the new default setting going forward, but users who require IDN support may use the same configuration process to enable it.

"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," read a statement on mozillaZine. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

"There are now many ways to display any domain name on a browser, as there are a huge number of codepages / scripts which look very similar to Latin charsets," said an advisory from the The Shmoo Group, the organization which first demonstrated the exploit. "[For] a business trying to protect their identity, IDN makes their life very difficult. It is expected there will be many domain name related conflicts related to IDN."