07 Feb 2005
Domain Names: The ‘Evil Twin’ Episode
Adding full International Domain Name (IDN) support to the web is long overdue (it’s supposed to be the World Wide Web, right?), but years ago a major problem in the scheme was pointed out.
Within the vast array of characters used by the world’s languages are numerous lookalikes, different characters which appear the same on-screen. Obviously this could lead to confusion when viewing/typing certain URLs, but the far more serious site spoofing threat has been re-emphasised and demonstrated. ‘а’ looks the same as ‘a’ but the browser currently has no way of knowing that, so sites can be flawlessly impersonated (complete with valid SSL certificates).
What’s irritating is that we’ve known about this all along, yet people have merrily continued regardless. IDN shouldn’t have been introduced without measures at the browser and domain registrar levels such as comprehensive look-up tables for lookalike characters.
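As an added illustration (not part of the original post), the following Python sketch shows what a browser- or registrar-side check of the kind just described could look like: it prints the Punycode form (the `xn--` ASCII labels) that DNS actually resolves, flags a label that mixes scripts, and maps a handful of Cyrillic lookalikes onto their Latin twins so a spoofed name compares equal to the genuine one. The lookalike table is a small constructed excerpt (the real Unicode confusables data is far larger), and the `protected` set and all function names are my own.

```python
import unicodedata

# Constructed excerpt of Cyrillic letters that render like Latin ones.
# The full Unicode confusables table covers many more scripts and pairs.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
    "\u0443": "y",  # Cyrillic у
    "\u0445": "x",  # Cyrillic х
}

# Characters that belong to no particular script and are legal in hostnames.
NEUTRAL = set("0123456789-")


def to_punycode(hostname: str) -> str:
    """Return the ASCII form a resolver sees; non-ASCII labels become xn-- labels."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Set of scripts used by one label, taken from the first word of each
    character's Unicode name (e.g. 'LATIN SMALL LETTER A' -> 'LATIN')."""
    scripts = set()
    for ch in label:
        if ch in NEUTRAL:
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """A single label drawing on more than one script is a classic spoofing sign."""
    return len(label_scripts(label)) > 1


def skeleton(label: str) -> str:
    """Replace known lookalikes by their Latin twin so visually identical labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def assess(hostname: str, protected: set) -> dict:
    """Summarise the spoofing indicators for one hostname against a set of protected names."""
    labels = hostname.lower().split(".")
    skel = ".".join(skeleton(lbl) for lbl in labels)
    return {
        "punycode": to_punycode(hostname),
        "mixed_script": any(is_mixed_script(lbl) for lbl in labels),
        "skeleton": skel,
        # Looks like a protected name but is not byte-for-byte the same.
        "lookalike_of_protected": skel in protected and skel != hostname.lower(),
    }


if __name__ == "__main__":
    protected = {"apple.com"}  # constructed list of names worth guarding
    for host in ("apple.com", "\u0430pple.com"):  # second one starts with Cyrillic а
        print(host, assess(host, protected))
```

The Punycode column is the one a user should see in the address bar when a label is not wholly ASCII: "xn--…" is an honest signal that the name is not what it appears to be, whereas the decoded Unicode form hides exactly the difference this post is about.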
Moral of the Story: if you’re designing or implementing a system you have to be able to approach it like a scammer/spammer/phisher/cracker and ferret out the malicious money-making opportunities. Think Evil™.
Technical Term of the Day: Punycode