Multiple Browsers URL Spoofing Security Issue

This recently publicised problem with almost all browsers (except IE) occurs when “domain names with certain international characters” look like common domain names. It’s not a new issue however, being a well known problem for several years.
You can test your own browser by following this link – does the url say
For Firefox users there’s Spoof Stick which “prominently displays only the most relevant domain information”. It’s not foolproof though, and Secunia recommends that users:

Don’t follow links from untrusted sources.
Manually type the URL in the address bar.

Later… Richard Eibrand has the scoop in an ILUG post. Here’s how to disable this feature in Firefox:

  • Visit about:config
  • Search for “idn” in the search box.
  • By default it’ll be “true”, but double click on it to set it to false.
  • You don’t need to restart your browser, just go to the test page to see if it works. It did for me!

As a side note, Fuzzbucket says that IDN isn’t used much so it might be worth while having it disabled by default!
Later Still… That’s only a temporary fix as it’s reset the next time you restart Firefox. Here’s a more permanent fix using an extension that warns of IDN characters – Japanese and other sites that use those characters will still work!

By Donncha

Donncha Ó Caoimh is a software developer at Automattic and WordPress plugin developer. He posts photos at In Photos and can also be found on Twitter.

Leave a Reply