Greg Hewgill (ghewgill) wrote,
Greg Hewgill

site identity and phishing

Netcraft is reporting that the next version of Firefox will turn off support for IDN by default. This support allows web sites to register their names with characters from the full Unicode character set, allowing names from any written language.

This support is being disabled in the name of the fight against phishing. It is possible to register a domain name that appears on the screen exactly like another domain name, but really has different character values. For example, http://pа looks exactly like but uses the Unicode character U+0430 (Cyrillic Small Letter A) instead of the usual U+0061 (Latin Small Letter A). This different may or may not be apparent in your browser, and you may or may not be able to click on the first link.

The real problem here is that the process of verifying that a link really goes to where it claims to go, is expected to be performed by the end user's visual inspection of the link as displayed by the browser. The massive proliferation of phishing scams shows that end users will click on just about anything. The average end user cannot be expected to accurately discern whether a domain name is spelled correctly before clicking.

Since computers are so good at comparing data, site identity should be verified by the browser when requested by the user. For the user who doesn't look before clicking, there isn't much that can be done without impacting the normal browsing process. But for the user who today is expected to manually verify that the site name appears correctly in the status bar, we can do better. It's likely that every site that is subject to phishing attacks has an SSL certificate, so the browser should offer an easy method (perhaps a "Verify Link" option on the right-click menu) to make an SSL connection to the site in question and present the details to the user for inspection. The organizations charged with issuing SSL certificates have an obligation to ensure that they are not supporting the spoofing problem, ie. I hope they would not issue a certificate to a "M1crosoft Corporation".

There is indication that this feature will be restored sometime in the future. However, right now it's a reactionary response to the desire for a technical solution to the phishing problem. We can do better without disabling important browser features.
Tags: rant, web

  • 2013 in review

    2013 is the year when everything changed. The biggest event was the birth of our daughter Lily. She was born prematurely in Shanghai while we…

  • 2012 in review

    2012 has been fairly quiet. Maybe it just seems that way because I haven't actually written anything new in this blog since last year's annual…

  • new photo galleries

    I've been busy processing photo galleries from the last year (or two) and putting them online for your perusal. Vancouver 2010 Northland…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded