Phishing risk for non-IE browsers

Posted on 2005.02.07 @ 11:25

A security risk in International Domain Name [IDN] support was announced at Shmoocon this past weekend. The attack works on most browsers other than Microsoft IE (which doesn’t support IDN unless a plugin has been installed).

The Shmoo Group has a proof of concept page up demonstrating a page that appears, in the browser, to be paypal.com. The exploit works for both plain HTTP and SSL-enabled sites.

The fix for Firefox is straightforward:

  1. Navigate to about:config in Firefox (enter it in the address bar).
  2. Enter network.enableIDN in the filter bar.
  3. If the value of network.enableIDN is currently true, double-click the entry to toggle it to false. The entry is shown in bold once it is false (disabled).

Once IDN is disabled, the proof of concept fails with an error saying the site can't be loaded.

[update 2005-02-15 - This fix is not 100% reliable, see my later post.]
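As an added, defender-side example (not code from this post or from the Shmoo Group's proof of concept), the following Python checks a hostname the way a mail or proxy filter could: it decodes punycode (xn--) labels back to what the browser displays, flags non-ASCII and mixed-script labels, and folds a small constructed table of look-alike letters so that a Cyrillic-a version of paypal.com is reported as a lookalike. The confusables table, the protected-domain list and the sample hostname are all constructed for this example.

```python
import codecs
import unicodedata

# Small confusables table (constructed for this example): Cyrillic and Greek
# letters whose glyphs are near-identical to Latin ones in common fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}

def decode_label(label):
    """Turn an IDNA A-label (xn--...) back into the Unicode the browser displays."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label

def scripts_of(label):
    """Script names (first word of the Unicode character name) of the letters in label."""
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found

def skeleton(label):
    """Fold confusable letters to their Latin look-alikes so lookalikes compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def check_hostname(host, protected=("paypal.com",)):
    """Return a list of findings for a hostname; an empty list means nothing suspicious."""
    labels = [decode_label(part) for part in host.rstrip(".").split(".")]
    findings = []
    for label in labels:
        if any(ord(c) > 127 for c in label):
            findings.append(f"non-ASCII label {label!r}")
        scripts = scripts_of(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in {label!r}")
    folded = ".".join(skeleton(label) for label in labels)
    displayed = ".".join(labels)
    for target in protected:
        # Folded form matches a protected domain but the real name does not: lookalike.
        if folded.endswith(target) and not displayed.endswith(target):
            findings.append(f"looks like {target}")
    return findings

# Constructed sample: "paypal" with its first "a" replaced by Cyrillic U+0430,
# in the punycode form the browser would actually resolve.
SAMPLE_HOST = "www.xn--" + codecs.encode("p\u0430ypal", "punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for host in ("www.paypal.com", SAMPLE_HOST):
        print(host, "->", check_hostname(host) or "ok")
```

Note that this is a deliberately small table; a production filter should use the full Unicode confusables data and the browser's own mixed-script rules.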

One Response to “Phishing risk for non-IE browsers”

  1. Johnny Superfecta Says:

    Hey, some info at PP that I can use, since I run Firefox. I knew reading this would pay off eventually.

This work is licensed under a Creative Commons License.