IDN Homograph Attack - Defending Against The Attack

Defending Against The Attack

The simplest defense is for web browsers not to support IDNA or other similar mechanisms, or for users to turn off whatever support their browsers have. That could mean blocking access to IDNA sites, but generally browsers permit access and just display IDNs in Punycode. Either way, this amounts to abandoning non-ASCII domain names.

One problem with displaying IDNs in Punycode is that then, effectively, every such address is "a homograph" of every other. Since typical users cannot read Punycode, any Chinese site rendered in Punycode would be indistinguishable from any other Chinese site.

Firefox and Opera display Punycode for IDNs unless the top-level domain (TLD, for example, .ac or .museum) prevents homograph attacks by restricting which characters can be used in domain names. They both also allow users to manually add TLDs to the allowed list.

Internet Explorer 7 allows IDNs except for labels that mix scripts for different languages. Labels that mix scripts are displayed in Punycode. There are exceptions for locales where ASCII characters are commonly mixed with localized scripts.

As an additional defense, Internet Explorer 7, Firefox 2.0 and above, and Opera 9.10 include phishing filters that attempt to alert users when they visit malicious websites.

Starting with version 7, Internet Explorer was capable of using IDNs, but it imposes restrictions on displaying non-ASCII domain names based on a user-defined list of allowed languages and provides an anti-phishing filter that checks suspicious Web sites against a remote database of known phishing sites.

On February 17, 2005, Mozilla developers announced that the next software version would still have IDN support enabled but would display the Punycode URLs instead, thus thwarting some attacks exploiting similarities between ASCII and non-ASCII characters while still permitting access to web sites in an IDN domain.

Since then, both Mozilla and Opera have announced that they will be using per-domain whitelists to selectively switch on IDN display for domains run by registries which are taking appropriate homograph spoofing attack precautions. As of September 9, 2005, the most recent version of Mozilla Firefox as well as the most recent Internet Explorer display the spoofed Paypal URL as "http://www.xn--pypal-4ve.com/", clearly different from the original.

Safari's approach is to render problematic character sets as Punycode. This can be changed by altering the settings in Mac OS X's system files.

Google Chrome displays an IDN only if all of its characters belong to one (and only one) of the user's preferred languages.
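The display policies described above (the Firefox/Opera per-TLD whitelist, the Internet Explorer 7 mixed-script rule with its locale exception, and Chrome's rule that every character must belong to one of the user's preferred languages) can be combined into a single address-bar decision. The following is an added example written for this page, not code from any browser: it uses Python's standard-library `idna` codec to convert between Unicode and Punycode, approximates the Unicode Script property from character names (the standard library has no Script property, so the first word of the name, e.g. "CYRILLIC", is used as a proxy; this heuristic is an assumption of the example), and falls back to Punycode whenever a label mixes scripts or uses a script the user has not allowed. The function names, parameters and default sets are all the example's own.

```python
import unicodedata


def script_of(ch: str) -> str:
    """Approximate the Unicode Script property of one character.

    Heuristic (an assumption of this example): the first word of the
    character's Unicode name, e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC",
    "CJK UNIFIED IDEOGRAPH-6771" -> "CJK". Digits and the hyphen are
    script-neutral, so they never make a label "mixed".
    """
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> frozenset:
    """Scripts used in one DNS label, ignoring script-neutral characters."""
    return frozenset(script_of(c) for c in label) - {"COMMON"}


def to_unicode(hostname: str) -> str:
    """Accept a Unicode or Punycode (xn--) hostname and return its Unicode form.

    ASCII labels pass through encode('idna') unchanged, so an xn-- label is
    only decoded, and a Unicode label is round-tripped through nameprep.
    """
    return hostname.encode("idna").decode("idna")


def to_punycode(hostname: str) -> str:
    """Return the ASCII-compatible (Punycode) form of a hostname."""
    return hostname.encode("idna").decode("ascii")


def display_form(hostname: str,
                 user_scripts: frozenset = frozenset({"LATIN"}),
                 whitelisted_tlds: frozenset = frozenset(),
                 latin_mix_ok: frozenset = frozenset()) -> str:
    """Decide what the address bar shows for hostname.

    1. TLD whitelist (Firefox/Opera rule): a registry that restricts its
       character repertoire is trusted, so its names are shown in Unicode.
    2. Mixed-script rule (IE7): a label using more than one script is shown
       as Punycode, except Latin mixed with a script in latin_mix_ok (the
       locale exception, e.g. Latin with CJK for Japanese users).
    3. User-language rule (Chrome): every script in every label must be one
       the user has allowed; otherwise the name is shown as Punycode.
    Punycode output is never confusable with a Unicode rendering.
    """
    unicode_host = to_unicode(hostname)
    labels = unicode_host.split(".")
    if labels[-1] in whitelisted_tlds:
        return unicode_host
    for label in labels:
        scripts = label_scripts(label)
        if len(scripts) > 1:
            # Mixed script: only tolerate Latin + an explicitly allowed script.
            if not ("LATIN" in scripts and scripts - {"LATIN"} <= latin_mix_ok):
                return to_punycode(unicode_host)
        if not scripts <= user_scripts:
            return to_punycode(unicode_host)
    return unicode_host


if __name__ == "__main__":
    # The spoofed name quoted in the text: "xn--pypal-4ve" decodes to
    # "p" + CYRILLIC SMALL LETTER A (U+0430) + "ypal".
    spoof = "www.xn--pypal-4ve.com"
    print(to_unicode(spoof))                      # looks like www.paypal.com
    print(display_form(spoof))                    # mixed script -> stays Punycode
    print(display_form("www.paypal.com"))         # all Latin -> shown as-is
    # Constructed Cyrillic example under the Russian TLD .рф (xn--p1ai).
    print(display_form("пример.рф"))              # Cyrillic not allowed -> Punycode
    print(display_form("пример.рф", user_scripts=frozenset({"CYRILLIC"})))
    print(display_form("пример.рф", whitelisted_tlds=frozenset({"рф"})))
```

Because `to_unicode` is applied first, the decision is the same whether the input arrives as `www.xn--pypal-4ve.com` or as the Unicode string that an e-mail or web page would carry; the visible difference is only whether a mixed-script label is allowed to render as Unicode.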

With the advent of internationalized country codes, spoofing will be minimized. For example, the Russian TLD .рф only accepts Cyrillic names, forbidding the mix with Latin or Greek characters. However, the problem in .com and other gTLDs remains open. ICANN has implemented a policy prohibiting any potential internationalized TLD from choosing letters that could resemble an existing Latin TLD and thus be used for homograph attacks. Proposed IDN TLDs .бг (Bulgaria), .укр (Ukraine) and .ελ (Greece) have been rejected or stalled because of their perceived resemblance to Latin letters (however, Serbian .срб was accepted, despite its resemblance to the Latin alphanumeric cp6).

These methods of defense only extend to within a browser. Homographic URLs that house malicious software can still be distributed, without being displayed as Punycode, through e-mail, social networking or other Web sites without being detected until the user actually clicks the link. While the fake link will show in Punycode when it is clicked, by this point the page has already begun loading into the browser and the malicious software may have already been downloaded onto the computer. Television station KBOI-TV raised these concerns when an unknown source (registering under the name "Completely Anonymous") registered a domain name homographic to its own to spread an April Fool's Day joke regarding the Governor of Idaho issuing a supposed ban on the sale of music by Justin Bieber.

Aside from its better known, and more malicious, purposes, homograph spoofing can also serve benign ends, such as address munging to thwart spam bots.
