Flaw Opens Alternative Browsers to Phishing

Mozilla, Firefox, Safari, Opera allow sites to be spoofed using non-English characters

A flaw in the way non-IE browsers, including Firefox, Opera and Safari, support International Domain Names (IDN) leaves users of these browsers open to phishing attacks, according to an advisory published by two computer science students at Israel's Institute of Technology.

The flaw allows phishers to spoof legitimate Web sites by registering a similar-looking domain name using non-English characters. For example, the authors of the paper detailing the vulnerability registered www.microsoft.com, replacing the English 'c' and 'o' with the Russian letters 'c' and 'o'. Thus IDN, a technology that was promoted as making the Web more usable for non-English-speaking users, has the potential to enable widespread phishing attacks. The students have already documented one instance in which an unscrupulous Web site operator posted a story promoting the stock of Pair Gain Technologies, purportedly from Bloomberg, which lifted the stock 31 percent before it crashed. Their paper also outlines a proof-of-concept in which the pair hijacked PayPal's Web site using a domain registered in a non-English alphabet.

Of the browsers mentioned above, Mozilla is the only vendor to provide a way to block this kind of attack, by turning off support for IDN. To do so, edit the compreg.dat file located in your Firefox profile directory. The support notice board on Mozilla.org suggests opening this file in a text editor, such as WordPad, and commenting out all lines containing IDN by adding '#' to the start of each line. For example:

# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

Meanwhile, Mozilla is working on a more permanent fix to the problem, while Opera has no plans to change its implementation of IDN. The open source community also offers tools to prevent exploitation of IDN support:

Disable IDN support in Firefox, for good
http://friedfish.homeip.net/extensions/no-idn.xpi

TrustBar for Firefox
This tool shows IDNs in their Punycode form and allows for better SSL management
http://trustBar.mozdev.org

Safari IDN spoofing defense:
http://bob.pythonmac.org/archives/2005/02/07/idn-spoofing-defense-for-safari/
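
The defence these tools rely on, showing the Punycode form of a name, can be combined with a check for labels that mix alphabets, as in the spoofed microsoft.com domain described above. The following Python sketch is an added example, not code from the advisory or from any of the tools listed; the function names and the sample hostname are constructed for illustration.

```python
import unicodedata

# Constructed sample: "microsoft" with Latin 'c' and 'o' swapped for
# Cyrillic U+0441 and U+043E, as in the spoof described in the article.
SPOOFED = "www.mi\u0441r\u043es\u043eft.com"


def label_scripts(label):
    """Scripts used by the letters of one DNS label.

    The script is taken from the first word of each character's Unicode
    name (LATIN, CYRILLIC, GREEK, ...); digits and hyphens are ignored.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def inspect_host(host):
    """Return (ascii_form, mixed_labels) for a hostname.

    ascii_form is the Punycode ("xn--") name that is actually resolved;
    mixed_labels lists labels whose letters come from more than one script.
    """
    ascii_form = host.encode("idna").decode("ascii")  # stdlib IDNA 2003 codec
    mixed = [(label, sorted(label_scripts(label)))
             for label in host.split(".")
             if len(label_scripts(label)) > 1]
    return ascii_form, mixed


if __name__ == "__main__":
    for name in ("www.microsoft.com", SPOOFED):
        ascii_form, mixed = inspect_host(name)
        verdict = "MIXED-SCRIPT" if mixed else "ok"
        print(f"{ascii_form:40} {verdict} {mixed}")
```

A label written entirely in one non-Latin script passes the mixed-script check, so the Punycode form should still be what is shown to the user or logged.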