A chink in our armor? Jonnie Apple Seed Phishing flaw a danger to alternative browsers Published: February 7, 2005, 1:17 PM PST By Robert Lemos Staff Writer, CNET News.com A security weakness in a standard for handling special character sets in domain names could let an attacker spoof Web sites on non-Microsoft browsers, a researcher has warned. The problem arises because certain browsers support a standardized way of representing domain names in the letters or characters of any language, security expert Eric Johanson said at the ShmooCon hacker convention this weekend. Called Internationalized Domain Names , the standard allows companies to register domain names that appear to be the same in different languages. That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers--Opera, Apple Computer's Safari, and the Mozilla and Firefox browsers from the Mozilla Foundation. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process. The Mozilla Foundation is looking for a long-term solution to the issue, Chris Hofmann, director of engineering at the company, said in a statement. "With the increase in phishing attacks, there is a growing concern that exploits could take advantage of this feature to trick users into visiting rogue sites," Hofmann stated. "Mozilla is looking at options for fixing or disabling this feature and should have more information available very soon." Phishing attacks , which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and e-mail messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws. The security weakness in the IDN scheme comes as registrars push for support for expressing domain names in different languages and scripts. "There are now many ways to display any domain name on a browser, as there are a huge number of (character sets) which look very similar to Latin (characters)," Johanson said in an advisory . The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first "a." That gives an address that looks like "http://www.pàypal.com,"; but with a smaller "a." Details of the flaw were shown at ShmooCon, a hacking and computer security convention, in Washington D.C., last weekend. The Shmoo Group, a loose association of security professionals that runs the convention, notified the affected browser makers in mid-January. Johanson is a member of the Shmoo Group. Apple, VeriSign and Opera Software could not immediately be reached for comment. Microsoft has not implemented support for IDN yet, so its IE browser is not vulnerable to the flaw. Browser security is gaining attention among software makers. In December, Internet security company Netcraft released an IE plug-in that it said could help people avoid becoming victims of online fraud. In addition, Netscape announced last month that it is getting ready to release a browser designed to resist phishing attacks. ***list info*** This is the accessible web withoutinternet explorer discussion list. to change your subscription options or to unsubscribe, point your favorite browser to: //www.freelists.org/list/webwithout-ie You can view this list's archives and rss feed at: //www.freelists.org/archives/webwithout-ie for unsubscribing, you can also send a message with the word unsubscribe in the subject line leaving the rest of the message blank to: webwithout-ie-request@xxxxxxxxxxxxx and you will need to respond to the confirmation message you recieve in order to be removed from the list. for subscribing or resubscribing you can also send a message with the word subscribe in the subject line leaving the rest of the message blank to: webwithout-ie-request@xxxxxxxxxxxxx and you will need to respond to the confirmation message you recieve in order to be added to the list. To contact list management, write to: webwithout-ie-admins@xxxxxxxxxxxxx ***end of list info***