February 11, 2005
IDN support
All browsers supporting even vaguely modern concepts (so, anything but IE...) these days seem to support IDN. Which I suppose is nice if you want to register a domain name with a biohazard symbol in, or you want to use the vast wealth of characters available outside of ASCII for your domain names, perhaps because your native language uses some other alphabet. Great, sounds really useful, and every credit to the people rushing to support it. Unfortunately, domain name registrars are pretty slack about checking what they let people register, it seems, and the cunning people at Shmoo.com have found a clever trick which would let phishers exploit this.
If this worries you, and you don't generally need to use sites with fancy schmancy unicode characters in their names, consider switching off IDN support in your browser. In firefox, this means going into about:config, filtering by "network", and disabling "network.enableIDN" (thanks to Chris for pointing this out). Unfortunately, this setting won't stick across restarts of firefox, in the stable released builds; according to boingboing the latest builds fix this.
This has been a public service announcement.
[Update: The nice people at Mozilla seem to have found a third way. (via Hacking for Christ)]
Posted by James at 12:07
Tags for this entry: computers
security
You can now subscribe to RSS of comments on this entry or RSS of all comments on this site.
Comments
Unfortunately, the sort of people who will do the config twiddling aren't the sort of people to be foiled by scams anyway. Next you'll be saying that people pay attention to the little padlock, too.
Interweb doomed, film at 11.
Posted by: Dom at February 12, 2005 01:14 AM
To be fair, if the scam was presented in some sane context (not sure what that would be, mind) it might fool me, and I clearly bothered with the config twiddling :-)
I take the general point, though.
Posted by: James at February 12, 2005 04:25 AM