|
Understanding Internationalized Domain Names
You may have been exposed to internationalized domain names (IDNs)
without realizing it. While they typically do not affect your browsing
activity, IDNs may give attackers an opportunity to redirect you to a
malicious web page.
|
What are internationalized domain names?
To decrease the amount of confusion surrounding different languages,
there is a standard for domain names within web browsers. Domain names
are included in the URL (or web address) of web site. This standard is
based on the Roman alphabet (which is used by the English language),
and computers convert the various letters into numerical
equivalents. This code is known as ASCII (American Standard Code for
Information Interchange). However, other languages include characters
that do not translate into this code, which is why internationalized
domain names were introduced.
To compensate for languages that incorporate special characters (such
as Spanish, French or German) or rely completely on character
representation (such as Asian or Arabic languages), a new system had
to be developed. In this new system, the base URL (which is usually
the address for the home page) is dissected and converted into a
format that is compatible with ASCII. The resulting URL (which
contains the string "xn--" as well as a combination of letters and
numbers) will appear in your browser's status bar. In newer versions
of many browsers, it will also appear in the address bar.
What are some security concerns?
Attackers may be able to take advantage of internationalized domain
names to initiate phishing attacks (see Avoiding Social
Engineering and Phishing Attacks for more information). Because
there are certain characters that may appear to be the same but have
different ASCII codes (for example, the Cyrillic "a" and the Latin
"a"), an attacker may be able to "spoof" a web page URL. Instead of
going to a legitimate site, you may be directed to a malicious site,
which could look identical to the real one. If you submit personal or
financial information while on the malicious site, the attacker could
collect that information and then use and/or sell it.
How can you protect yourself?
- Type a URL instead of following a link - Typing a URL into
a browser rather than clicking a link within a web page or email
message will minimize your risk. By doing this, you are more likely to
visit the legitimate site rather than a malicious site that
substitutes similar-looking characters.
- Keep your browser up to date - Older versions of
browsers made it easier for attackers to spoof URLs, but most newer
browsers incorporate certain protections. Instead of displaying the
URL that you "think" you are visiting, most browsers now display the
converted URL with the "xn--" string.
- Check your browser's status bar - If you move your mouse
over a link on a web page, the status bar of your browser will usually
display the URL that the link references. If you see a URL that has an
unexpected domain name (such as one with the "xn--" string mentioned
above), you have likely encountered an internationalized domain
name. If you were not expecting an internationalized domain name or
know that the legitimate site should not need one, you may want to
reconsider visiting the site. Browsers such as Mozilla and Firefox
include an option in their security settings about whether to allow
the status bar text to be modified. To prevent attackers from taking
advantage of JavaScript to make it appear that you are on a legitimate
site, you may want to make sure this option is not enabled.
Authors: Mindi McDowell, Will Dormann, Jason McCormick
Produced 2005 by US-CERT, a government organization. Terms of use
|
|
|
Last
updated
August 6, 2008
|
|