Greg Hewgill (ghewgill) wrote,
Greg Hewgill
ghewgill

site identity and phishing

Netcraft is reporting that the next version of Firefox will turn off support for IDN by default. This support allows web sites to register their names with characters from the full Unicode character set, allowing names from any written language.

This support is being disabled in the name of the fight against phishing. It is possible to register a domain name that appears on the screen exactly like another domain name, but really has different character values. For example, http://pаypal.com looks exactly like http://paypal.com but uses the Unicode character U+0430 (Cyrillic Small Letter A) instead of the usual U+0061 (Latin Small Letter A). This different may or may not be apparent in your browser, and you may or may not be able to click on the first link.

The real problem here is that the process of verifying that a link really goes to where it claims to go, is expected to be performed by the end user's visual inspection of the link as displayed by the browser. The massive proliferation of phishing scams shows that end users will click on just about anything. The average end user cannot be expected to accurately discern whether a domain name is spelled correctly before clicking.

Since computers are so good at comparing data, site identity should be verified by the browser when requested by the user. For the user who doesn't look before clicking, there isn't much that can be done without impacting the normal browsing process. But for the user who today is expected to manually verify that the site name appears correctly in the status bar, we can do better. It's likely that every site that is subject to phishing attacks has an SSL certificate, so the browser should offer an easy method (perhaps a "Verify Link" option on the right-click menu) to make an SSL connection to the site in question and present the details to the user for inspection. The organizations charged with issuing SSL certificates have an obligation to ensure that they are not supporting the spoofing problem, ie. I hope they would not issue a certificate to a "M1crosoft Corporation".

There is indication that this feature will be restored sometime in the future. However, right now it's a reactionary response to the desire for a technical solution to the phishing problem. We can do better without disabling important browser features.
Tags: rant, web
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 3 comments