Internationalized Domain Names - IDN


The original specifications for the Domain Name System (DNS) limited the characters that were allowed in domain names to the set of alphanumeric characters in ASCII, plus the hyphen (-) and the period (.). As the Internet spread out across the world, away from its North American origins, demand for a new system that supported the many different languages and scripts across the world grew. The term "Internationalized Domain Names" (or IDN) refers to a domain name that uses recently adopted standards that modify the existing DNS protocols and standards to support multiple languages and scripts.

Security Implications

It was realised as far back as December 2001 that the IDN standards allowed for so-called "homograph attacks", that is, the registration of domain names using characters from non-Latin scripts that, when rendered in client programs, would be indistinguishable from other, all-Latin domains. This allows an attacker to craft a URL and corresponding website that would deceive all but the most paranoid of victims. However, support for the IDN standards had yet to be widely deployed in client programs such as web browsers and e-mail readers.

By February 6, 2005, the popularity of the Firefox web browser meant that a large number of users had IDN-capable client programs, and at the ShmooCon conference, an example of a homograph spoof was demonstrated, which received considerable press attention.

The attack in question used a domain name that in the Punycode encoding system is expressed as "xn--pypal-4ve.com". When converted into a human-readable form, this domain name is indistinguishable from "paypal.com". The demonstration also showed that an SSL certificate could be issued for "xn--pypal-4ve.com", further reducing the chance of the user discovering the attack.

Subsequent to the coverage of this demonstration, support for IDN domains was disabled in Firefox and some other client programs, with the intention of re-enabling it when the potential security implications could be mitigated.

In November 2005, ICANN issued a new set of guidelines for TLD registry operators regarding the implementation of support for IDN domains. The guidelines suggest an "inclusion-based" approach, restricting the range of characters allowed in domain names, and also restricting the range of Unicode blocks that may be used.
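A client-side check for the spoof described above, as an added example that is not part of the original page: it decodes each Punycode label and flags labels whose letters come from more than one script. The function names are hypothetical, and inferring the script from the first word of the Unicode character name is a simplifying assumption, not the method of any browser or registry.

```python
import unicodedata

# Characters allowed in any hostname label regardless of script.
COMMON = set("0123456789-")

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label."""
    if label.lower().startswith("xn--"):
        # Python's built-in "punycode" codec implements RFC 3492.
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label: str) -> set:
    """Approximate the scripts used in a label (assumption: name prefix)."""
    scripts = set()
    for ch in label:
        if ch in COMMON:
            continue
        # "LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC SMALL LETTER A" -> "CYRILLIC"
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def audit_domain(domain: str) -> list:
    """Return (ascii_label, unicode_label, scripts) for each suspicious label."""
    findings = []
    for label in domain.rstrip(".").split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            # Malformed Punycode is itself worth reporting.
            findings.append((label, None, ["UNDECODABLE"]))
            continue
        scripts = scripts_in(decoded)
        if len(scripts) > 1:
            findings.append((label, decoded, sorted(scripts)))
    return findings

if __name__ == "__main__":
    # The second name is the one quoted on this page.
    for name in ("paypal.com", "xn--pypal-4ve.com"):
        print(name, "->", audit_domain(name) or "single-script labels")
```

A lookalike written entirely in one non-Latin script passes this check, and writing systems that legitimately combine scripts, such as Japanese, are flagged, so the result is a signal for review rather than a verdict.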

