Mozilla Drops IDN Support Due to Flaw
Mozilla developers are closing the door on phishing schemes that exploit a widely reported flaw in the Internationalized Domain Names (IDN) specification. Upcoming builds of Firefox 1.0.1, Mozilla 1.7.6 and Mozilla 1.8 beta will have IDN disabled as a temporary corrective measure to protect users from identity theft.
IDN is presently enabled by default in Firefox, Mozilla, Opera, and Apple's Safari Web browsers. Microsoft's Internet Explorer does not have native IDN support and therefore is not affected by the problem.
The flaw permits malicious users to "spoof" legitimate Web pages by taking advantage of how some Web browsers display the Unicode characters that IDN allows in domain names. Unicode contains characters from different scripts that are visually identical or nearly so (a Cyrillic "а" and a Latin "a", for example), so a domain registered with such a look-alike character is rendered exactly like the trusted one. A specially crafted link can therefore mimic a trusted URL in a browser's address bar, SSL certificate and status bar, but take the user to another location.
Unicode is the international character set that supersedes ASCII, which covers only the characters needed for US English.
"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," read a statement issued by a Mozilla spokesperson. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."
The Mozilla team is brainstorming long-term solutions, including a mixture of warning bars, icons and tooltips.
In a follow-up statement, developers said that they did not want to "have the disadvantage of discriminating against IDN as a class of domains," and stressed that they did not intend to be "Anglocentric" by restricting character sets.