Opera Fixes IDN Spoofing in Opera 8.0 Beta 2

Opera Watch writes "Opera has introduced a fix for the IDN spoofing security vulnerability in its latest beta version. The new version, Opera 8.0 beta 2, was released today on its FTP directory. No official announcement from Opera yet. Opera has created a white list for safe top-level domain names which include .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch, and .li. Sites not in the white list will show the encoded domain (with the IDN characters) in the URL field. The list is updated automatically when Opera checks for a new version."

Re:Why a whitelist?

[Ahnteis]

I think they're guessing the ".cn" on the end would be enough to tip off the wary user.

Re:Why a whitelist?

[crow]

The list is based on the URL that you're visiting, not the country you're browsing from.

But your point is valid. Many businesses set up contry-specific websites (e.g., amazon.co.uk), so those sites will be vulnerable to this spoofing for Opera users using local sites in those countries.

Re:Why a whitelist?

[Noksagt]

Except that uk & other country-specific sites that are most likely using Latin1 rather than UTF-8 will probably not be whitelisted.

I agree that a whitelist is only a work-around, but if you only whitelist the countries who would be more likely to use UTF-8 for real sites with their own characterset (rather than to spoof other sites), it isn't too bad to use right now.

Re:Why a whitelist?

[dolphinling]

No. Unlike Verisign, the .cn registrars are responsible and don't allow domain look-alikes.

discussion @ opera.com

[Arctic Dragon]

It's been 'unofficially' announced in the Opera Forums [opera.com]

Need a standardised solution.

[Aspirator]

We need an internationally agreed solution to this. ICANN are understandably upset at the slight that has occured to a large part of the world. Mozilla's browser couldn't reliably turn IDN off, that was fixed, but now it's off by default. The more officially proposed solutions are mostly registrar based, I don't think that's OK. Opera now has a fix of it's own. IE hadn't even got round to implementing IDN. The problem has been known about for ages, but only recently taken seriously. It certainly is se

Why is this so hard to fix?

[curunir]

It seems like you could pretty easily compile a mapping of foreign characters to the ASCII characters they could impersonate. Then, when a foreign url is entered, it could first be looked up with the ASCII replacements to see if a site exists. If it does, that site would be returned instead. If not, the internationalized URL would then be loaded. Results could be cached by the browser so that this check would only be needed the first time the site was loaded.

This way http://www.mïçrõft.c

Because...

[brunes69]

Because some people in the world know more languages than English (yes, I know it is hard to believe!) and they want their domain that they legitimately purchased to work properly, even if some characters in it it happen to look simmilar to some other English letter.

Re:Because...

[curunir]

No, I believe it...I speak 4 myself. But I still don't see any issue with checking ASCII domains first. Your internationalized domain would still work fine so long as you didn't register a domain that looks similar enough to confuse with an existing all-ASCII domain. If you did, that's tough.

Trademarks exist for a reason...to prevent confusion for consumers. You are from Canada, so answer me this: would the Canadian government grant two trademarks that were otherwise identical except for one had a '

Re:Because...

[hkmwbz]

"I still don't see any issue with checking ASCII domains first."

And your first language is English?

Whitelists ignrore third-level domains.

[molo]

The problem with whitelisting TLDs is that this ignores problems with bogus third-level domains/hosts. The listed registrars prevent registering look-alike domains, but no one controls look alike third-level domains.

For example, ωωω.paypal.jp (using greek omega). This can be combined with a DNS cache attack.

-molo

Re:Whitelists ignrore third-level domains.

[Anonymous Coward]

I don't understand your point. To do that, you need to be in control of paypal.jp already, in which case why bother with spoofing?

If you're talking about making misleading third level domains under your own domain name, there's also no need to spoof anything. It's already possible to set up paypal.mydomain.com without having to resort to obscure character sets.

Re:Whitelists ignrore third-level domains.

[molo]

No, you can do a DNS cache poisoning attack. It is pretty hard to DNS cache poison a address like www.paypal.com because it is already in the cache of most DNS servers (because of the site's popularity). But, there is nothing stopping you from cache poisoning a hostname that no one has tried to connect to yet.

Say for example I'm a phisher and am trying this attack. I send my phishing spam to all of the earthlink.net accounts I have, using the IDN url. At the same time, I start a DNS cache poisoning atta