Multiple Browsers URL Spoofing Security Issue

This recently publicised problem with almost all browsers (except IE) occurs when “domain names with certain international characters” look like common domain names. It’s not a new issue, however; it has been a well-known problem for several years.
You can test your own browser by following this link – does the URL say http://www.paypal.com/?
For Firefox users there’s Spoof Stick which “prominently displays only the most relevant domain information”. It’s not foolproof though, and Secunia recommends that users:

  • Don’t follow links from untrusted sources.
  • Manually type the URL in the address bar.

Later… Richard Eibrand has the scoop in an ILUG post. Here’s how to disable this feature in Firefox:

  • Visit about:config
  • Search for “idn” in the search box.
  • The matching preference will be “true” by default; double-click it to set it to false.
  • You don’t need to restart your browser, just go to the test page to see if it works. It did for me!

As a side note, Fuzzbucket says that IDN isn’t used much, so it might be worthwhile having it disabled by default!
Later Still… That’s only a temporary fix as it’s reset the next time you restart Firefox. Here’s a more permanent fix using an extension that warns of IDN characters – Japanese and other sites that use those characters will still work!
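
The kind of check such a warning relies on can be sketched in a few lines. This is an added example, not the extension's code or anything from the original post: it parses a link, reports the hostname in its ASCII ("xn--") form and lists the non-ASCII characters that were typed. The function names and sample links are constructed for illustration.

```javascript
// Added example: flag links whose hostname contains internationalized (IDN) labels.
// All sample links are constructed; "\u0430" is CYRILLIC SMALL LETTER A.

// Pull the host out of the link exactly as written, before any normalization.
function rawHostOf(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(link);
  if (!m) return "";
  const afterUserinfo = m[1].slice(m[1].lastIndexOf("@") + 1);
  return afterUserinfo.replace(/:\d*$/, ""); // drop a trailing port
}

function inspectLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: Unicode hostnames become ASCII "xn--" labels
  } catch (err) {
    return { parsed: false, isIdn: false, asciiHost: "", idnLabels: [], nonAscii: [] };
  }
  const asciiHost = url.hostname;
  const idnLabels = asciiHost.split(".").filter((label) => label.startsWith("xn--"));
  // Code points outside ASCII in the host as the user would have seen it.
  const nonAscii = [...rawHostOf(link)]
    .filter((ch) => ch.codePointAt(0) > 0x7f)
    .map((ch) => "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
  return { parsed: true, isIdn: idnLabels.length > 0, asciiHost, idnLabels, nonAscii };
}

// Returns a warning string for IDN hosts, or null when the host is plain ASCII.
function warningFor(link) {
  const r = inspectLink(link);
  if (!r.parsed) return "Could not parse link";
  if (!r.isIdn) return null;
  const chars = r.nonAscii.length ? " (non-ASCII: " + r.nonAscii.join(", ") + ")" : "";
  return "IDN hostname, real name is " + r.asciiHost + chars;
}

const samples = [
  "http://www.paypal.com/",          // plain ASCII
  "http://www.p\u0430ypal.com/",     // look-alike with one Cyrillic letter
  "http://www.xn--pypal-4ve.com/",   // same host, already in ASCII form
];
for (const link of samples) {
  console.log(link, "->", warningFor(link) ?? "no IDN labels");
}
```

Showing the ASCII form of the hostname is what makes the look-alike visible, while sites that legitimately use international characters still load.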
