Opera Provides IDN Fix in Updated Beta
As expected, Opera Software has released a second beta of its next Web browser, which includes a solution for the spoofing vulnerability caused by Internationalized Domain Names. The company has taken a slightly different approach than Mozilla's Firefox Web browser, and continues its endeavor for a better long-term fix.
The problem with IDN stems from its use of the Unicode character set to enable domain names that include international letters. Unicode URLs must be converted by a Web browser into a format called "Punycode," which opens the door for a malicious Web site to mimic a trusted URL, including its SSL security certificate.
In response, Opera version 8.0 will now display a small, yellow security bar to show the name of the organization that owns the SSL certificate. Users can click on the bar to display more details about the certificate's validity.
"One of the most important measures to counter phishing attacks is the use of security certificates," says Christen Krogh, Opera's Vice President of Engineering. "The challenge for browser vendors is to better explain the verification of certificates and to make the user more aware of this additional verification before entering into secure transactions."
In addition, domain names localized using the IDN standard will only display for certain top-level domains (TLDs) certified by Opera. Those TLDs with strict policies on the names they allow to be registered can display with international characters, while others are shown in raw Punycode form.
The Mozilla Foundation, meanwhile, has chosen to prevent the display of any IDN URL in its latest Firefox release. Version 1.0.1 of Firefox will, by default, display only Punycode names.
Opera also fulfilled its promise to push for a joint industry effort to solve the IDN issue in the long-term. The company says it has begun to assemble a group to evaluate solutions.
"Opera stands behind its statement made to BetaNews on Feb. 18, 2005, asserting that the IDN problem is not one that can be solved alone, but rather together with other browser vendors, domain name registries, certificate authorities and other members of the Internet community."
Opera 8.0 Beta 2 is available for download via FileForum.