Mozilla to Disable IDN Support

Today, Netcraft pointed out that Firefox is to disable IDN Support in upcoming versions. Although I can see Mozilla's stance on this issue, I think it's a bit of a grey area.

For those of you that haven't heard much about it, IDN is the Internationalized Domain Names released for testing late 2000 by our good Internet buddies, VeriSign. This is a set of enhancements to the current DNS system to allow the use of alternate character sets such as Chinese and Japanese for Internet domains.

The idea is a good one, however the security ramifications are quite severe, as The Shmoo Group pointed out. The general idea is that different character sets have characters which look similar (if not the same) but are (computationally) very distinct.

So, why am I ambivalent towards Mozilla disabling this by default? Sure, not many people are likely to use the technology currently, so the impact for legitimate use will be minimal. My problem lies in the fact that it is not the Mozilla Team's responsibility to be fixing a broken and insecure specification (or working draft - or whatever it's current status is).

Although ICANN has issued a set of guidelines for the use of IDN, similarly to SSL CAs, many Registrars don't bother to adhere to them and prevent these homograph attacks. This aside, I believe that there are some fairly simple (basic) changes which would make the system much more resilient to Phishing attacks and the such.

Firstly, allow only the minimum required extended (unique) characters.

Every developer knows to sanitize their user input, and this is even more crucial for core technologies such as DNS. This is as simple as ensuring that characters are restricted in which TLD they are permitted in. For example, Japanese script characters should only be allowed in .jp domains. In the case of TLDs such as .us, .au and .uk, which have been running fine for the past 20+ years with no extended characters, there is no need for these extended characters.

Beside the security perspective, most users in these regions are not likely to be able to enter the extended characters easily anyway. Last time I checked, saying "www dot Alt+0228 la dot com dot au" was a bit confusing - bad marketing decision there!

In cases where there is a requirement for extended characters in the language (but is not currently possible - such as French, Russian, and the such), then only the unique characters in the extended set should be allowed, from this regions set only. For example, although � would be allowed in the French set, it would probably not be allowed in the Japanese set.

With these small changes, IDN would be usable, yet restrictive enough to protect users and businesses. In it's current state, Mozilla's stance is understandable - but I severely hope it will only be a temporary measure until IDN is fixed. Disabling IDN is a band-aid on the proverbial arterial wound that is IDN.