Internet Pro Radio | icann.Blog :: "Homographic Spoofing" and IDNs

Bret Fausett's Other Weblog:

Pray For Rain

Previous:	BulkRegister Launches Private Whois Registrations
Next:	Now Children, Please Stop This...

"Homographic Spoofing" and IDNs

by Bret Fausett at 08:48PM (PST) on February 14, 2005 | Permanent Link | Cosmos | Digg This

This is interesting. The Mozilla Foundation announced today that "In the forthcoming Mozilla Firefox 1.0.1 and Mozilla 1.8 Beta releases, IDN support will be disabled." And Ross Rader from Tucows wrote: "Tucows has been selling IDNs since the initial NSI test-bed was announced. It was a bad idea then and I'd be much happier now if we hadn't jumped in as quickly as we did."
Serious stuff. I now want to read more -- a lot more -- about "homographic spoofing." Links welcome. Any solutions?

Add: Paul Hoffman on "IDN Spoofing Solutions with Balance". Paul writes "Given the assumption that billions of people would actually like to have their domain names be in characters that they use every day, there has to be better solutions to the homograph spoofing problem. Fortunately, there are...." More here.

Reading:

"The State of Homograph Attacks" (schmoo.com)
with an Example of the Spoofing Attack
"IDN Spoofing Security Advisory" (secunia.com)
"Briefing Paper on IDN Permissible Code Point Problems" (icann.org)
"Multiple web browser homographic address spoofing vulnerability" (uniras.gov.uk)
"IDN Spoofing Solutions with Balance" (lookit.proper.com)
"IESG Statement on IDNs" (ietf.org)

Posted to:

Main Page

ICANN