Registries that support non-ASCII domain names


The use of Unicode in domain names makes it potentially easier to spoof web sites visited by World Wide Web users, because the visual representation of an IDN string in a web browser may appear identical to another, depending on the font used. For example, Unicode character U+0430, Cyrillic small letter a, can look identical to Unicode character U+0061, Latin small letter a, used in English.

In December 2001 Evgeniy Gabrilovich and Alex Gontmakher, both from the Technion Institute of Technology in Israel, published a paper titled "The Homograph Attack", which described an attack that used Unicode URLs to spoof a website URL. To prove the feasibility of this kind of attack, the researchers successfully registered a variant of the domain name microsoft.com which incorporated Russian language characters.

These kinds of problems were anticipated before IDN was introduced, and guidelines were issued to registries to try to avoid or reduce the problem. For example, it was advised that registries only accept characters from the Latin alphabet and that of their own country, not all Unicode characters, but this advice was neglected by major TLDs.

On February 7, 2005, Slashdot reported that this exploit was disclosed at the hacker conference Shmoocon. Web browsers supporting IDNA appeared to direct the URL http://www.pаypal.com/, in which the first a character is replaced by a Cyrillic а, to the well-known payment site Paypal, but actually led to a spoofed web site with different content.

Starting with version 7, Internet Explorer is capable of using IDNs, but it imposes restrictions on displaying non-ASCII domain names based on a user-defined list of allowed languages and provides an anti-phishing filter that checks suspicious Web sites against a remote database of known phishing sites.

On February 17, 2005, Mozilla developers announced that the next software version would still have IDN support enabled, but would display the Punycode URLs instead, thus thwarting some attacks exploiting similarities between ASCII and non-ASCII characters, while still permitting access to web sites in an IDN domain.

Since then, both Mozilla and Opera have announced that they will be using per-domain whitelists to selectively switch on IDN display for domains run by registries which are taking appropriate homograph spoofing attack precautions. As of September 9, 2005, the most recent version of Mozilla Firefox as well as the most recent Internet Explorer display the spoofed Paypal URL as "http://www.xn--pypal-4ve.com/", clearly different from the original.

Safari's approach is to render problematic character sets as Punycode. This can be changed by altering the settings in Mac OS X's system files.
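
The Punycode-display defence described above can be sketched as follows. This is an added example, not code from any browser or from the original page: the mixed-script rule and the function names (scripts, to_punycode, display_form) are assumptions chosen for illustration, and script detection is approximated from Unicode character names.

```python
import unicodedata


def scripts(label):
    """Approximate the set of scripts in a label from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens carry no script
            # The first word of the name is the script: "LATIN", "CYRILLIC", ...
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def to_punycode(hostname):
    """ASCII (xn--) form of a hostname, via Python's built-in IDNA codec."""
    return hostname.encode("idna").decode("ascii")


def display_form(hostname):
    """Return what to show the user: Punycode if any label mixes scripts."""
    if any(len(scripts(label)) > 1 for label in hostname.split(".")):
        return to_punycode(hostname)
    return hostname


if __name__ == "__main__":
    # Constructed sample inputs; \u0430 is Cyrillic small letter a.
    samples = [
        "www.paypal.com",
        "www.p\u0430ypal.com",
        "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # single-script Cyrillic label
    ]
    for host in samples:
        mixed = [sorted(scripts(l)) for l in host.split(".") if len(scripts(l)) > 1]
        print(f"{host!r:40} shown as {display_form(host):28} mixed: {mixed}")
```

A label written entirely in one non-Latin script passes this check unchanged, which is why the registry-level character restrictions and per-domain whitelists described above remain necessary alongside it.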

