Linked by Thom Holwerda on Thu 2nd Nov 2006 09:56 UTC, submitted by jayson.knight
Internet Explorer Microsoft's latest release of Internet Explorer will drive demand for internationalized domain names, according to industry experts who are predicting a sharp increase in sales of foreign language domain names. That's because IE 7 has built-in support for IDNs, as does Firefox 2.0, also released in October.
Thread beginning with comment 177870
To read all comments associated with this story, please click here.
IDN
by pashar on Thu 2nd Nov 2006 10:39 UTC
pashar
Member since:
2006-07-12

Firefox has it since version 1.0 IIRC. Also, interesting whether IE7 will be vulnerable to IDN-based spoofing.

Reply Score: 1

RE: IDN
by Beta on Thu 2nd Nov 2006 10:50 in reply to "IDN"
Beta Member since:
2005-07-06

Oh, IE (and others) will be. Except now they have patented anti-phishing technology, so if it doesn't warn you about the site, go ahead and trust it ;)

Reply Parent Score: 1

RE: IDN
by n4cer on Thu 2nd Nov 2006 12:12 in reply to "IDN"
n4cer Member since:
2005-07-06

The posts at this link cover IDN support, URI handling, and spoofing mitigations in IE 7 (more IE and general IDN info is available in the MSDN Library and IE Dev Center):

http://blogs.msdn.com/ie/search.aspx?q=idn&p=1

A few excerpts:

Internet Explorer 7 includes a new URL handling architecture known internally as CURI. The new optimized URI functions provide more secure and consistent parsing of URIs to reduce attack surface and mitigate the threat of malicious URIs.

CURI is a lightweight object which holds a single URI in normal form. If the CURI is constructed from a string URI, that string URI is cracked just once when the object is first constructed. After construction, callers may access any of the URI components using members provided by the object. This ensures that URIs are evaluated consistently throughout both security and feature code paths. Weíve re-plumbed Internet Explorer to accept and use CURI objects internally... The CURI object is available for consumption by external callers like ActiveX controls and Browser Helper Objects... Itís worth noting that even external code that does not directly consume CURI objects will benefit from the change, because Unicode string serialized out of CURI objects will be consistently normalized, decreasing the likelihood of incorrect parsing even outside of IE.

-----

IE7 imposes restrictions on the scripts allowed to be displayed inside the address bar. These restrictions are based on the userís configured browser language settings. Using APIs from the aforementioned idndl.dll, IE will detect what scripts (character sets) are used by the current domain name. If the domain name contains characters outside of the userís chosen languages, it is displayed in Punycode form to help prevent spoofing.

---

Users who allow Greek in their language-settings are as susceptible to Greek-only spoofs as the population using English is susceptible to pure-ASCII based spoofs. Thatís where IE7ís Phishing Filter kicks in for both Unicode and ASCII urls. If the user has opted into the Phishing Filter, a real-time check is performed during navigation to see if the target domain name is a reported phishing site. If so, navigation is blocked. For additional defense-in-depth, the Phishing Filterís web service can apply additional heuristics to determine if the domain name is visually ambiguous. If so, the Phishing Filter will warn the user via the indicator in the IE address bar.

---

Whenever viewing a site addressed by an International Domain Name, an indicator will appear in the IE address bar to notify the user that IDN is in use. The user can click on the IDN indicator to view more information about the current domain name.

Reply Parent Score: 2