Date: 2005-02-16 00:53:00
Tags: rant, web
site identity and phishing
Netcraft is reporting that the next version of Firefox will turn off support for IDN by default. This support allows web sites to register their names with characters from the full Unicode character set, allowing names from any written language.

This support is being disabled in the name of the fight against phishing. It is possible to register a domain name that appears on the screen exactly like another domain name, but really has different character values. For example, http://pа looks exactly like but uses the Unicode character U+0430 (Cyrillic Small Letter A) instead of the usual U+0061 (Latin Small Letter A). This difference may or may not be apparent in your browser, and you may or may not be able to click on the first link.
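The character-level difference described above is easy for software to detect even when the eye cannot. The following is an added example, not code from the original post or from any browser: it reports each host label's non-ASCII code points, whether the label mixes scripts, and its ASCII (punycode) form. The host names are constructed samples, and the script test is a heuristic based on Unicode character names.

```python
import unicodedata

def char_script(ch):
    """Rough script bucket from the Unicode character name (heuristic, assumption)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def inspect_label(label):
    """Describe one DNS label: ASCII form, script mixing, non-ASCII code points."""
    lowered = label.lower()
    scripts = {char_script(ch) for ch in lowered if ch.isalpha()}
    if lowered.isascii():
        ace = lowered
    else:
        # Simplification: raw punycode of the lowercased label, without the
        # full IDNA nameprep step a real resolver or browser applies.
        ace = "xn--" + lowered.encode("punycode").decode("ascii")
    non_ascii = [(f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
                 for ch in lowered if ord(ch) > 127]
    return {"label": label, "ace": ace,
            "mixed": len(scripts) > 1, "non_ascii": non_ascii}

def inspect_host(host):
    """Inspect every dot-separated label of a host name."""
    return [inspect_label(label) for label in host.split(".")]

if __name__ == "__main__":
    # Constructed samples: a Latin name, the same name with U+0430 swapped in
    # for "a", and a label written entirely in Cyrillic.
    samples = ["example.test",
               "ex\u0430mple.test",
               "\u043f\u0440\u0438\u043c\u0435\u0440.test"]
    for host in samples:
        for info in inspect_host(host):
            flag = "MIXED-SCRIPT" if info["mixed"] else "ok"
            print(f"{info['label']!r:12} -> {info['ace']:20} {flag} {info['non_ascii']}")
```

A mixed-script check only catches labels that combine alphabets; a label written entirely in one non-Latin script passes it, which is why the ASCII form is shown alongside for inspection.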

The real problem here is that verifying that a link really goes where it claims to go is expected to be done by the end user, by visually inspecting the link as displayed by the browser. The massive proliferation of phishing scams shows that end users will click on just about anything. The average end user cannot be expected to accurately discern whether a domain name is spelled correctly before clicking.

Since computers are so good at comparing data, site identity should be verified by the browser when requested by the user. For the user who doesn't look before clicking, there isn't much that can be done without impacting the normal browsing process. But for the user who today is expected to manually verify that the site name appears correctly in the status bar, we can do better. It's likely that every site that is subject to phishing attacks has an SSL certificate, so the browser should offer an easy method (perhaps a "Verify Link" option on the right-click menu) to make an SSL connection to the site in question and present the details to the user for inspection. The organizations charged with issuing SSL certificates have an obligation to ensure that they are not supporting the spoofing problem, i.e., I hope they would not issue a certificate to a "M1crosoft Corporation".

There is indication that this feature will be restored sometime in the future. However, right now it's a reactionary response to the desire for a technical solution to the phishing problem. We can do better without disabling important browser features.
Note the comments in that bugzilla [info] posted in IRC about how there is a major problem with today's trust infrastructure, and that is that you really don't have any way to trust the root CAs. In any case, if you rely on what's encoded into an SSL certificate, you're hoping that the CA who issued that certificate didn't screw something up, or worse, is corrupt.
True, the CA situation is not perfect, but it's a heck of a lot better than relying on the user to visually match the site name with what they expect to see.
The SpoofStick plugin will let you know the real domain you're connecting to, as well as notify you when the URL contains funky characters.
Greg Hewgill