Home / Blogs

Mozilla Implements TLD Whitelist for Firefox in Response to IDN Homographs Spoofing

Mozilla Foundation has announced changes to Firefox concerning Internationalized Domain Names (IDN) to deal with homograph spoofing attacks. According to the organization, “Mozilla Foundation products now only display IDNs in a whitelist of TLDs, which have policies stating what characters are permitted, and procedures for making sure that no homographic domains are registered to two different entities.”

Following is a statement explaining the current status of the Mozilla changes to Firefox regarding IDN:

“We have implemented a TLD whitelist system, which currently contains 21 TLDs for which we correctly display IDN domain names in the UI. Any IDN domain name in a non-whitelisted TLD displays as punycode. This is a security feature and so there is no user interface for adding or removing TLDs.

Any registry which wishes to be added to the whitelist should follow the instructions on that page. In terms of what constitutes a homograph, we are being guided by the Unicode Consortium’s confusables list and by common sense. Our policy in this area is still somewhat in flux -  in particular, we are not yet sure whether we should require that registries consider two characters which differ only in accent (sometimes by the shade of a single pixel at normal font sizes) as homographic. In the mean time, we strongly advise that registries do this.

We have implemented a character blacklist, which will soon contain ‘DIVISION SLASH’ (U+2215) and ‘FRACTION SLASH’ (U+2044). After that, we may extend it to forbid more characters which may be used to spoof URL punctuation. This is not meant to prejudice the outcome of the current IAB-IDN discussions on potentially reducing the number of characters permitted in IDN, but we feel the danger posed by the use of such characters in 3rd and 4th level domains is great enough to require an immediate ban. Any domain name which contains one or more of these characters displays as punycode.”

As a temporary response, Mozilla Foundation first considered disabling IDN support but later reconsidered and decided instead to display IDNs in Punycode, an ASCII representation of Unicode.

By CircleID Reporter

CircleID’s internal staff reporting on news tips and developing stories. Do you have information the professional Internet community should be aware of? Contact us.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Nathan Braun  –  Jan 23, 2006 7:55 PM

Why doesn’t Mozilla make a Firefox extension to browse non-ICANN TLDs?

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Brand Protection

Sponsored byCSC

IPv4 Markets

Sponsored byIPv4.Global