Domain Names: The ‘Evil Twin’ Episode
Adding full International Domain Name (IDN) support to the web is long overdue (it’s supposed to be the World Wide Web, right?), but years ago a major problem in the scheme was pointed out.
Within the vast array of characters used by the world’s languages are numerous lookalikes, different characters which appear the same on-screen. Obviously this could lead to confusion when viewing/typing certain URLs, but the far more serious site spoofing threat has been re-emphasised and demonstrated. ‘а’ looks the same as ‘a’ but the browser currently has no way of knowing that, so sites can be flawlessly impersonated (complete with valid SSL certificates).
What’s irritating is that we’ve known about this all along, yet people have merrily continued regardless. IDN shouldn’t have been introduced without measures at the browser and domain registrar levels such as comprehensive look-up tables for lookalike characters.
Moral of the Story: if you’re designing or implementing a system you have to be able to approach it like a scammer/spammer/phisher/cracker and ferret out the malicious money-making opportunities. Think Evil™.
Technical Term of the Day: Punycode
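The look-up-table check argued for above, together with the Punycode form a lookalike name takes in DNS, as an added example that is not part of the original post. The lookalike table, the protected-name list and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed sample table: a few Cyrillic letters and the Latin letters they resemble.
# A real deployment would need a comprehensive confusables data set (assumption).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold lookalike characters onto one representative so twins compare equal."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label.lower())

def check_host(host, protected):
    """Return the Punycode form of host and the reasons it looks suspicious."""
    labels = host.lower().split(".")
    findings = []
    for label in labels:
        found = scripts(label)
        if len(found) > 1:
            findings.append("mixed scripts in %r: %s" % (label, sorted(found)))
    folded = ".".join(skeleton(label) for label in labels)
    if folded != host.lower() and folded in protected:
        findings.append("lookalike of " + folded)
    # The ASCII (Punycode) form is what DNS and the certificate actually carry.
    ascii_form = host.encode("idna").decode("ascii")
    return {"ascii": ascii_form, "findings": findings}

PROTECTED = {"paypal.com"}      # constructed list of names worth defending
EVIL_TWIN = "p\u0430ypal.com"   # constructed: second letter is Cyrillic U+0430

if __name__ == "__main__":
    for name in ("paypal.com", EVIL_TWIN):
        print(check_host(name, PROTECTED))
```

Displaying the `xn--` form instead of the Unicode form whenever `findings` is non-empty makes the twin visibly different from the name it imitates.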
Mon 7th Feb 2005, 9:09pm GMT (updated Tue 8th Feb 2005, 9:55pm GMT)
Filed under: Rants and Grumbles, Security and Privacy, Web
Matt Round’s company blog, covering web development, media, technology and pretty much anything else.
