programming4us
           
 
 

Windows 7 : Enhancing Your Browsing Security (part 5) - Encoding Addresses to Prevent IDN Spoofing

12/12/2010 3:07:49 PM

Encoding Addresses to Prevent IDN Spoofing

I mentioned earlier that phishers often resort to IDN spoofing to fool users into thinking an address is legitimate. For example, instead of the address ebay.com, a phisher might use εbáy.com (with the Greek letters ε (epsilon) and α (alpha) in place of e and a). Almost all the world’s characters have a Unicode value, but Internet Explorer is usually set up to recognize only a single language (such as English). If it comes across a character it doesn’t recognize, it works around the problem by converting all Unicode values into an equivalent value that uses only the ASCII characters supported by the domain name system.

This conversion uses a standard called Punycode. If the domain name uses only ASCII characters, the Punycode value and the Unicode value are the same. For a domain such as εbáy.com, the Punycode equivalent is xn--by--c9b0.com. (The xn-- prefix always appears; it tells you that the domain name is encoded.) Internet Explorer encodes the domain to this Punycode value and then surfs to the site. For example, in Figure 3, you can see that I entered http://εbáy.com in the address bar, but Internet Explorer shows the Punycode value http://xn--by--mia42m.com in the status bar. If you were able to successfully surf to this site (it doesn’t exist, of course), you’d also see the Punycode domain in the address bar. (Internet Explorer also displays a message in the information bar telling you that the address contains characters it doesn’t recognize.) In other words, an IDN spoofing site is less likely to fool users because the URL that appears in the status bar and the address bar no longer looks similar to the URL of the legitimate site.

Figure 3. Internet Explorer encodes IDN domain names to their Punycode equivalents before surfing to the site.


Note that Internet Explorer doesn’t always display Punycode. There are actually three instances where you see Punycode instead of Unicode:

  • The address contains characters that don’t appear in any of the languages you’ve added to Internet Explorer. (To add a language, select Tools, Internet Options, click Languages in the General tab, and then click Add.)

  • The address contains characters from two or more different languages (for example, it contains a Greek character and an Arabic character).

  • The address contains one or more characters that don’t exist in any language.

With Internet Explorer 8, IDN spoofs can work in only a single language, and will work only if the user has added that single language to Internet Explorer.
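
The three display rules above, and the single-language limit they imply, can be modelled in a few lines. This is an added example, not Internet Explorer's code or the author's: it approximates "languages" by Unicode scripts, and the helper names (`classify`, `displayHost`), the script list and the sample hosts are constructed for illustration.

```javascript
// Added example: simplified model of the three display rules, not IE's algorithm.
// Assumption: each language the user has added is approximated by a Unicode script.
const KNOWN = ['Latin', 'Greek', 'Cyrillic', 'Arabic', 'Hebrew', 'Han'];
const SCRIPT_RE = KNOWN.map((name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]);

// Returns a script name, 'Other' (letter from a script outside KNOWN),
// 'None' (symbol that belongs to no language) or null (digit, hyphen, combining mark).
function classify(ch) {
  if (/[0-9-]|\p{M}/u.test(ch)) return null;
  if (!/\p{L}/u.test(ch)) return 'None';
  const hit = SCRIPT_RE.find(([, re]) => re.test(ch));
  return hit ? hit[0] : 'Other';
}

// Decide which form of `host` is displayed, given the scripts of the user's languages.
function displayHost(host, userScripts) {
  const ascii = new URL(`http://${host}`).hostname; // URL parsing applies IDNA ToASCII
  for (const label of host.split('.')) {
    const kinds = new Set([...label].map(classify).filter(Boolean));
    if (kinds.has('None')) return { shown: ascii, rule: 'character in no language' };
    if (kinds.size > 1) return { shown: ascii, rule: 'mixed languages' };
    if ([...kinds].some((k) => !userScripts.has(k))) {
      return { shown: ascii, rule: 'language not added' };
    }
  }
  return { shown: host, rule: 'none' };
}

// Constructed sample input (hosts are illustrative, not real sites).
const EN = new Set(['Latin']);              // English only
const EN_EL = new Set(['Latin', 'Greek']);  // English plus Greek
const SPOOF = '\u03B5b\u00E1y.com';         // the page's example: Greek epsilon, a-acute
const GREEK = 'παράδειγμα.gr';              // single-script Greek label
const samples = [
  ['example.com', EN], [SPOOF, EN], [SPOOF, EN_EL],
  [GREEK, EN], [GREEK, EN_EL], ['☃.net', EN],
];
for (const [host, scripts] of samples) {
  const { shown, rule } = displayHost(host, scripts);
  console.log(`${host} [${[...scripts]}] -> ${shown} (rule: ${rule})`);
}
```

In this model the host that mixes a Greek ε with Latin letters is shown encoded even when Greek has been added, while the all-Greek label is shown in Unicode only to a user who has added Greek.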

Internet Explorer comes with a few options that enable you to control aspects of this encoding process and related features. Select Tools, Internet Options, click the Advanced tab, and scroll down to the International section, which contains the following check boxes. (You need to restart Internet Explorer if you change any of these settings.)

  • Always Show Encoded Addresses— Activate this check box to tell Internet Explorer to display the encoded Punycode web addresses in the status bar and address bar. If you’re not worrying about IDN spoofing, you can deactivate this check box to see the Unicode characters instead.

  • Send IDN Server Names— When activated, this check box tells Internet Explorer to encode addresses into Punycode before sending them for domain resolution.

  • Send IDN Server Names for Intranet Addresses— When activated, this check box tells Internet Explorer to encode intranet addresses into Punycode before sending them for resolution. Some intranet sites don’t support Punycode, so this setting is off by default.

  • Send UTF-8 URLs— When activated, this check box tells Internet Explorer to send web page addresses using the UTF-8 standard, which is readable in any language. If you’re having trouble accessing a page that uses non-English characters in the URL, the server might not be able to handle UTF-8, so deactivate this check box.

  • Show Information Bar for Encoded Addresses— When activated, this check box tells Internet Explorer to display the following information bar message when it encodes an address into Punycode: This Web address contains letters or symbols that cannot be displayed with the current language settings.

  • Use UTF-8 for Mailto Links— When activated, this check box tells Internet Explorer to use UTF-8 for the addresses in mailto links.
