You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.1) > MFSA 2005-29

Mozilla Foundation Security Advisory 2005-29

Title: Internationalized Domain Name (IDN) homograph spoofing
Severity: High
Risk: Moderate
Reporter: Eric Johanson
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1
  Mozilla Suite 1.7.6

Description

Internationalized Domain Names (IDN) allow non-English speakers to use domains in their local language. Because many supported characters are similar to other (if not identical in some fonts) there is the possibility this could be used to construct perfect, indistinguishable phishing sites.

As a temporary measure the Mozilla Foundation has decided to turn off IDN and instead will display such domains in their raw "punycode" form. IDN will be re-enabled when the domain registries, standards bodies, and browser vendors can agree on a plan to prevent the use of IDN domains in phishing scams.

Workaround

Upgrade to a fixed version.

References