Opera Software has called on its fellow browser makers and the Internet community as a whole to band together in an effort to fix the security issues related to Internationalized Domain Names. The IDN standard was called into question earlier this month following news that it could lead to domain spoofing and phishing attacks.
The problem with IDN stems from its use of the Unicode character set to enable domain names that include international letters. But because the DNS system that facilitates the Internet only understands ASCII, or U.S. English characters, Unicode URLs must be converted by a Web browser into a format called “Punycode.”
In this conversion lies the potential for a malicious Web site to mimic a trusted URL, including its SSL security certificate. With Unicode, it is possible to have numerous characters called “homographs” that appear identical when displayed, but are actually completely different.
For example, paypal.com using a Unicode Cyrillic a actually loads up the URL: xn--pypal-4ve.com. But the Web browser displays the Unicode character as it would a standard ASCII letter, leaving the user unaware of his actual location on the Web.
“Technically speaking, Opera and other non-IE browsers run into a problem because they have implemented a standard correctly,” Carsten Fischer, Operas VP of Desktop Products, told BetaNews. IE is immune to the issue because it has yet to natively support IDN; however, a VeriSign plug-in can provide the functionality.