You are currently viewing a snapshot of www.mozilla.org taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to www.mozilla.org, please file a bug.



You are here: Known Vulnerabilities in Mozilla Products (Firefox 1.0.1) > MFSA 2005-29

Mozilla Foundation Security Advisory 2005-29

Title: Internationalized Domain Name (IDN) homograph spoofing
Severity: High
Risk: Moderate
Reporter: Eric Johanson
Products: Firefox, Mozilla Suite

Fixed in: Firefox 1.0.1
  Mozilla Suite 1.7.6

Description

Internationalized Domain Names (IDN) allow non-English speakers to use domains in their local language. Because many supported characters are similar to other (if not identical in some fonts) there is the possibility this could be used to construct perfect, indistinguishable phishing sites.

As a temporary measure the Mozilla Foundation has decided to turn off IDN and instead will display such domains in their raw "punycode" form. IDN will be re-enabled when the domain registries, standards bodies, and browser vendors can agree on a plan to prevent the use of IDN domains in phishing scams.

Workaround

Upgrade to a fixed version.

References