Firefox, Mozilla To Turn Off IDN
The next versions of Firefox and Mozilla will disable IDN support as a short-term answer to a spoofing vulnerability, the development team at the open-source Mozilla Foundation said Tuesday.
The vulnerability, first disclosed last week, affects nearly every browser except Internet Explorer and stems from how browsers handle International Domain Names (IDN). Hackers can register domain names containing certain international characters that resemble other commonly used characters, spoofing the address and tricking the user into thinking he's at a legitimate site, that the site is secured by SSL, or both. (IE isn't vulnerable because, unlike most browsers, it doesn't support IDN by default; instead it requires a third-party plug-in to display international characters in the address bar.)
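A defender-side check for the look-alike characters described above, as an added example that is not part of the original article: it decodes each hostname label, reports its ASCII (Punycode) form and flags labels that mix scripts. The function names and sample hostnames are constructed for illustration, and the script lookup is an approximation based on Unicode character names.

```python
import unicodedata

def script_of(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Encode a non-ASCII label to its ACE form; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def check_label(label):
    """Return (ascii_form, scripts, verdict) for one hostname label."""
    uni = to_unicode(label)
    # Only letters carry a script; digits and hyphens are shared by all labels.
    scripts = sorted({script_of(c) for c in uni if c.isalpha()})
    if uni.isascii():
        verdict = "ascii"
    elif len(scripts) > 1:
        # Letters from more than one script in a single label, for example
        # Latin text with one Cyrillic look-alike substituted in.
        verdict = "mixed-script"
    else:
        # One script throughout. A label written entirely in look-alike
        # letters of another script lands here, so the ASCII form returned
        # alongside is what should be shown or logged for review.
        verdict = "single-script-idn"
    return to_ascii(uni), scripts, verdict

def check_host(host):
    """Check every dot-separated label of a hostname."""
    return [check_label(label) for label in host.split(".")]

if __name__ == "__main__":
    # Constructed samples: U+0430 is CYRILLIC SMALL LETTER A.
    for host in ("example.test", "ex\u0430mple.test", "xn--bcher-kva.test"):
        for ascii_form, scripts, verdict in check_host(host):
            print(f"{host!r:24} {ascii_form:20} {scripts} {verdict}")
```
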
"This is a registrar/registry problem," wrote Mozilla developer Gervase Markham on his blog. "These issues were known when IDN was proposed, and the DNS registration organizations need to step up and implement them."
As a short-term solution, Firefox 1.0.1, Mozilla 1.7.6, and Mozilla 1.8 beta will have IDN disabled. All three are scheduled to release in the next week or two, said Markham.
"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," said Mozilla in a separate statement.