IDN domain spoofing: a much better answer

Last week, we had a number of posts about the "IDN spoof" vulnerability, in which wily hackers could use "homographs" — foreign-alphabet letters that look like Latin equivalents — to spoof domains and certificates like "paypal.com" by replacing one or more letters with lookalikes.

The solutions proposed were all pretty blunt: turning off international alphabet support in browsers, or warning users whenever non-ASCII characters showed up in a domain. There is nothing inherently suspicious about domains written in foreign alphabets, and it would suck if browsers behaved as if there were. Some people even favored ordering Verisign to refuse certificates to people whose domains were "too similar" to "famous" domains — don't get me started! Who the hell would trust the ham-fisted thugs at Verisign to administer a blacklist of domains that aren't allowed to have certificates? Ugh, "I'm sorry sir, your application for a certificate for amazonriver.com has been turned down, as it is possible that it would be confused with amazon.com."

Paul Hoffman, who co-wrote the IDN standard, has an excellent post where he proposes a much more moderate and effective set of solutions:

Given that the problem is that domain names with more than one script can cause homograph confusion, the solution should highlight names that have more than one script and say what script the characters come from. This can be done with a hover-over pop-up that looks something like:

Note that the pop-up is not a warning, it is informative. There are zillions of valid names that have two scripts in them; there are many, particularly in Japan, that will have three scripts.

The difficult question is how to show the pop-up in a way that alerts about spoofing but doesn't get in the way of normal IDNs. One easy way is to put an icon to the left of the "favicon" in the address bar…
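To make the mixed-script check concrete, here is an added example (not code from Paul Hoffman's post or from any browser) that splits a domain into labels, decodes "xn--" A-labels with the standard-library idna codec, names the script of every character, and builds the informative pop-up text only for labels that mix scripts. The Python standard library does not expose the Unicode Script property, so the script name is approximated from the first word of each character's Unicode name; that approximation, and the constructed sample domains in the usage section, are this example's own assumptions.

```python
"""Flag mixed-script domain labels and build an informative pop-up for them."""
import unicodedata
from typing import Dict, List, Optional, Set

# Digits, hyphen and the label separator belong to every script ("Common").
_COMMON = "Common"


def char_script(ch: str) -> str:
    """Approximate script of one character from its Unicode name.

    Assumption: the first word of the name ("CYRILLIC SMALL LETTER A" ->
    "Cyrillic") stands in for the real Unicode Script property, which the
    stdlib does not expose. Good enough for the common confusable scripts.
    """
    if ch in "-.0123456789":
        return _COMMON
    try:
        name = unicodedata.name(ch)
    except ValueError:
        return "Unknown"  # unassigned or control code point
    first = name.split()[0]
    if first == "CJK":   # "CJK UNIFIED IDEOGRAPH-6771"
        return "Han"
    return first.capitalize()


def decode_label(label: str) -> str:
    """Turn an A-label such as xn--... into its Unicode form; leave others alone."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def label_scripts(label: str) -> Set[str]:
    """Set of scripts used in one label, ignoring Common characters."""
    return {char_script(c) for c in decode_label(label)} - {_COMMON}


def analyse(domain: str) -> List[Dict]:
    """Per-label report: Unicode text, sorted script names, and a mixed flag."""
    report = []
    for label in domain.split("."):
        scripts = label_scripts(label)
        report.append({
            "label": decode_label(label),
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return report


def popup_text(domain: str) -> Optional[str]:
    """Informative pop-up (not a warning) listing each character's script.

    Returns None when no label mixes scripts, so all-Latin, all-Cyrillic or
    all-Han names produce no pop-up at all.
    """
    lines = []
    for entry in analyse(domain):
        if not entry["mixed"]:
            continue
        per_char = ", ".join(
            f"{c} ({char_script(c)})"
            for c in entry["label"] if char_script(c) != _COMMON
        )
        lines.append(f'"{entry["label"]}" mixes {" and ".join(entry["scripts"])}: {per_char}')
    return "\n".join(lines) or None


if __name__ == "__main__":
    # Constructed samples: plain Latin, a Cyrillic-a lookalike, and a
    # legitimate Japanese label that uses three scripts at once.
    for sample in ("paypal.com", "p\u0430ypal.com", "\u6771\u4eac\u306e\u30bf\u30a6\u30f3.jp"):
        print(sample, analyse(sample))
        print("  pop-up:", popup_text(sample))
```

The three-script Japanese sample is the case the quoted text warns about: it is flagged as mixed, so the pop-up appears, but the pop-up only names the scripts; a UI built on this would render it as information rather than as a block, exactly as proposed above.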

Link

(Thanks, Paul!)