Encoding Addresses to Prevent IDN Spoofing
I mentioned earlier that phishers often resort to IDN spoofing to fool users into thinking an address is legitimate. For example, instead of the address ebay.com, a phisher might use εbáy.com, with the Greek letter ε (epsilon) in place of e and the accented Latin letter á in place of a. Almost every character in the world's writing systems has a Unicode value, but the domain name system itself accepts only ASCII letters, digits, and hyphens. So when you enter an internationalized domain name, Internet Explorer converts each label that contains non-ASCII characters into an equivalent ASCII-only form before it sends the name for resolution. This conversion uses a standard called Punycode. Your language settings do not control whether this conversion happens; they control how the address is displayed afterward. Internet Explorer is usually set up to recognize only a single language (such as English), and when it comes across a character outside the languages you've added, it shows you the encoded form of the address rather than the Unicode characters.
If the domain name uses only ASCII characters, the Punycode value and the Unicode value are the same. For a domain that contains non-ASCII characters, such as εbáy.com, the encoded label begins with the prefix xn--, followed by an ASCII-only string that keeps the label's original ASCII characters and encodes the rest. (The xn-- prefix always appears; it tells you that the label is encoded.) Internet Explorer encodes the domain to this Punycode value and then surfs to the site. For example, in Figure 3, you can see that I entered http://εbáy.com in the address bar, but Internet Explorer shows the Punycode value http://xn--by--mia42m.com in the status bar. If you were able to surf to this site (it doesn't exist, of course), you'd also see the Punycode domain in the address bar. (Internet Explorer also displays a message in the information bar telling you that the address contains characters it doesn't recognize.) In other words, an IDN spoofing site is less likely to fool users, because the URL that appears in the status bar and the address bar no longer looks like the URL of the legitimate site.
Note that Internet Explorer doesn't always display Punycode. There are actually three instances where you see Punycode instead of Unicode:
The address contains characters that don't appear in any of the languages you've added to Internet Explorer. (To add a language, select Tools, Internet Options, click Languages in the General tab, and then click Add.)
The address contains characters from two or more different languages (for example, it contains a Greek character and an Arabic character).
The address contains one or more characters that don't exist in any language.
With Internet Explorer 8, then, an IDN spoof can use characters from only a single language, and it works only if the user has added that language to Internet Explorer. Keep in mind that this is a display safeguard, not a guarantee: a look-alike domain written entirely in one script (for example, all Cyrillic letters that resemble Latin ones) is still shown in Unicode to a user who has added a language that uses that script.
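The three rules above can be written down as a small decision function. The following is an added example for this page, not Internet Explorer's code. It approximates a character's script from the first word of its Unicode name (LATIN, GREEK, CYRILLIC, and so on) where Internet Explorer uses real script tables, and it assumes that each language you add under Internet Options contributes its script to a set of allowed scripts (English contributes LATIN, Greek contributes GREEK, and so on). ie_display and script_of are hypothetical names.

```python
# Added example: Internet Explorer 8's three "show Punycode instead of
# Unicode" rules as a decision function. Script detection uses the first
# word of each character's Unicode name as a stand-in for IE's script tables.
import unicodedata

# Characters that belong to no particular script and are allowed in any label.
COMMON_NAMES = {"DIGIT", "HYPHEN-MINUS"}


def script_of(ch):
    """Return an approximate script name, "COMMON", or None if the
    character has no Unicode name (unassigned or private-use code point)."""
    name = unicodedata.name(ch, None)
    if name is None:
        return None
    first = name.split(" ")[0]
    return "COMMON" if first in COMMON_NAMES else first


def ie_display(label, user_scripts):
    """Decide how IE 8 would show one IDN label in the address bar.

    user_scripts: the scripts of the languages added under Tools,
    Internet Options, Languages (assumed mapping, e.g. English -> LATIN).
    Returns ("unicode", reason) or ("punycode", reason).
    """
    # Combining marks have their own names, so compose first ("a" + U+0301
    # becomes U+00E1) to avoid misreading an accent as a separate script.
    label = unicodedata.normalize("NFC", label)
    scripts = set()
    for ch in label:
        s = script_of(ch)
        if s is None:
            # Rule 3: a character that exists in no language.
            return "punycode", "U+%04X exists in no language" % ord(ch)
        if s != "COMMON":
            scripts.add(s)
    # Rule 1: a script the user has not added.
    missing = scripts - set(user_scripts)
    if missing:
        return "punycode", "script not in user's languages: " + ", ".join(sorted(missing))
    # Rule 2: two or more scripts in one label.
    if len(scripts) > 1:
        return "punycode", "mixed scripts: " + ", ".join(sorted(scripts))
    return "unicode", "single script that the user has enabled"


if __name__ == "__main__":
    # Constructed sample labels: the real ebay, the page's Greek/Latin mix,
    # an all-Cyrillic look-alike of "apple", and a label with a private-use
    # code point, each paired with a set of scripts the user has added.
    samples = [
        ("ebay", {"LATIN"}),
        ("\u03b5b\u00e1y", {"LATIN"}),
        ("\u03b5b\u00e1y", {"LATIN", "GREEK"}),
        ("\u0430\u0440\u0440\u04cf\u0435", {"LATIN"}),
        ("\u0430\u0440\u0440\u04cf\u0435", {"LATIN", "CYRILLIC"}),
        ("ab\ue000", {"LATIN"}),
    ]
    for label, langs in samples:
        print(label, sorted(langs), "->", ie_display(label, langs))
```

The all-Cyrillic sample is the case to notice: with only English added it is shown encoded, but once a Cyrillic-script language is added it passes every rule and is displayed in Unicode, which is exactly the single-language spoof the text describes.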
Internet Explorer comes with a few options that enable you to control aspects of this encoding process and related features. Select Tools, Internet Options, click the Advanced tab, and scroll down to the International section, which contains the following check boxes. (You need to restart Internet Explorer if you change any of these settings.)
Always Show Encoded Addresses— Activate this check box to tell Internet Explorer to display every internationalized address in its encoded Punycode form in the status bar and address bar, regardless of your language settings. With it deactivated, Internet Explorer shows the Unicode characters except in the three cases described earlier. Turning it on is the safer choice, because it also removes the single-script case in which a look-alike domain can still be displayed in Unicode; if you're not worried about IDN spoofing, leave it off to see the Unicode characters instead.
Send IDN Server Names—
When activated, this check box tells Internet Explorer to encode
addresses into Punycode before sending them for domain resolution.
Send IDN Server Names for Intranet Addresses—
When activated, this check box tells Internet Explorer to encode
intranet addresses into Punycode before sending them for resolution.
Some intranet sites don’t support Punycode, so this setting is off by
default.
Send UTF-8 URLs— When activated, this check box tells Internet Explorer to send web page addresses using the UTF-8 standard, which can represent characters from any language. If you're having trouble accessing a page that uses non-English characters in the URL, the server might not be able to handle UTF-8, so deactivate this check box.
Show Information Bar for Encoded Addresses—
When activated, this check box tells Internet Explorer to display the
following information bar message when it encodes an address into
Punycode: This Web address contains letters or symbols that cannot be displayed with the current language settings.
Use UTF-8 for Mailto Links— When activated, this check box tells Internet Explorer to use UTF-8 for the addresses in mailto links.