2005-02-09

Domain Name Spoofing

It's big in the news: it's possible for websites to spoof a domain name in all major browsers except Internet Explorer. Immediately the media point their fingers at Firefox, saying that it apparently isn't as safe as it claims to be. But if they actually knew what they were talking about, they'd realize that it isn't the fault of Firefox at all, but the fault of the official Internet standards.

The problem is due to the fact that, in Unicode (the standard that assigns a numeric code point to every textual character displayed on the screen), some letters, such as vowels, exist at more than one code point. Even though the two characters look identical to humans, to computers they're completely different values. The trick involves registering a domain name with a character that uses a different code point than the usual version of that character. This is perfectly valid according to Internet standards, but clearly it creates a problem, because humans can't tell the difference between the two characters. Therefore, you could have paypal.com and pаypal.com, and they look like the same thing, but they're actually completely different places on the Internet.

But why doesn't Internet Explorer have this problem? Well, it seems that Internet Explorer's incompetence actually benefits it in this case. Internet Explorer doesn't have full standards support, and doesn't support all of Unicode. The result is that lots of Unicode characters can't be displayed correctly on webpages in Internet Explorer. It just so happens that some of the characters that can be used to spoof domain names aren't supported by Internet Explorer. This isn't because Microsoft was aware of a potential problem and is protecting its users, but because they just didn't bother finishing their Unicode support.

This problem was not the fault of the Firefox developers, but of the developers of the standards that they have to follow. However, there are still some things that they can do to protect users from this oversight. For one, the browser could store a list of possibly misleading characters (such as alternate versions of the letter a) and provide a warning when the user is about to access a domain name containing one of those characters. Because the Firefox developers take security seriously, it is likely that they will do something to that effect, and quickly.
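The warning proposed above can be implemented as a check over the code points of a hostname: flag a label that mixes scripts, map known look-alike letters back to the ASCII letter they imitate, and show the punycode form that the browser actually resolves. The Python script below is an added example, not code from the post or from any browser; its look-alike table is a constructed, deliberately short subset of Cyrillic/Latin confusables.

```python
import unicodedata

# Constructed, deliberately short table of Cyrillic letters that render like
# Latin ones. A production check would use Unicode's full confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def scripts_of(label):
    """Return the set of scripts ('LATIN', 'CYRILLIC', ...) used by letters in a label."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens belong to no script
        # The first word of a character's Unicode name is its script block.
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(hostname):
    """Replace known look-alikes with the ASCII letter a human would read."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname)


def analyze(hostname):
    """Describe why a hostname may be misleading; 'warn' is the browser's decision."""
    hostname = hostname.lower()
    labels = hostname.split(".")
    mixed = [label for label in labels if len(scripts_of(label)) > 1]
    looks_like = skeleton(hostname)
    return {
        # The IDNA (punycode) form is what DNS resolves; showing it defeats the trick.
        "punycode": hostname.encode("idna").decode("ascii"),
        "mixed_script_labels": mixed,
        "looks_like": looks_like if looks_like != hostname else None,
        "warn": bool(mixed) or looks_like != hostname,
    }


if __name__ == "__main__":
    # Constructed inputs: a plain name, the Cyrillic-a spoof, and a legitimate IDN.
    for host in ["paypal.com", "p\u0430ypal.com", "m\u00fcnchen.de"]:
        print(host, analyze(host))
```

A legitimate single-script IDN such as münchen.de produces no warning, so the check targets the look-alike trick rather than international names in general.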
