Apple Blocks IDN Spoofing in Safari
Following in the footsteps of Mozilla and Opera, Apple has issued its monthly Mac OS X security update with a fix for the spoofing vulnerability caused by Internationalized Domain Names (IDN). Apple's Safari Web browser will now only display URL characters from an approved list, which can be customized by the user.
The problem with IDN -- uncovered in early February -- stems from its use of the Unicode character set to enable domain names that include international letters. Unicode URLs must be converted by a Web browser into a format called "Punycode," which opens the door for a malicious Web site to mimic a trusted URL, including its SSL security certificate.
Like Opera, Safari will now display URLs with non-approved characters in their native Punycode form in order to lessen the risk of spoofing. Apple, however, has not followed Opera's example of providing more details about the origin of SSL certificates.
According to Apple, "The default list does not include Latin lookalike scripts (Cherokee, Cyrillic, and Greek) that could be used to trick users into navigating to malicious sites. You can edit the list of allowed scripts to specify exactly what scripts you want displayed."
Mozilla Firefox was updated last month to block the display of any IDN URLs by default. For those using URLs with international characters, the feature can be re-enabled. Microsoft's Internet Explorer is the only Web browser not affected by the problem, as it was never updated to support the IDN specification.
Opera, meanwhile, has called on the industry to band together in developing a long-term solution to the issues surrounding IDN.
"Opera stands behind its statement made to BetaNews on Feb. 18, 2005, asserting that the IDN problem is not one that can be solved alone, but rather together with other browser vendors, domain name registries, certificate authorities and other members of the Internet community," the company said last month.
Mac OS X users can download the March security fix via Software Update.