
Blocking IDN Spoofing

Look-alike attacks (sometimes called homograph attacks) are possible even within the ASCII character set. For example, www.alpineskihouse.com would be a valid name for Alpine Ski House, but www.a1pineskihouse.com could easily be mistaken for the valid name, even though the lowercase L has been replaced with the number 1. However, with International Domain Names (IDN), the character repertoire expands from a few dozen characters to many thousands of characters from all the world's languages, which increases the attack surface for spoofing immensely.

The design of the anti-spoofing mitigation for IDN aims to:

  • Reduce the attack surface.
  • Treat Unicode domain names fairly.
  • Offer a good user experience for users worldwide.
  • Offer simple, logical options with which the user can fine-tune the IDN experience.

One of the ways Internet Explorer reduces this risk is by using Punycode. Punycode, as defined in RFC 3492, converts Unicode domain names into a limited, ASCII-only character set. With Punycode, a look-alike of south.contoso.com whose first label contains a non-ASCII character (and which might therefore be used to impersonate the genuine south.contoso.com) becomes soth-kva.contoso.com. Showing the Punycode form leaves no room for spoofing with the full range of Unicode characters. However, Punycode is not very user friendly.

Given these considerations, Internet Explorer 7 and later versions impose restrictions on the character sets allowed to be displayed inside the address bar. These restrictions are based on the user's configured browser-language settings. Using APIs from Idndl.dll, Internet Explorer will detect which character sets are used by the current domain name. If the domain name contains characters outside the user's chosen languages, it is displayed in Punycode form to help prevent spoofing.

A domain name is displayed in Punycode if any of the following are true:

  1. The domain name contains characters that are not a part of any language (such as www.☻.com).
  2. Any of the domain name's labels contains a mix of scripts that do not appear together within a single language. For instance, Greek characters cannot mix with Cyrillic within a single label.
  3. Any of the domain name's labels contains characters that appear only in languages other than the user's list of chosen languages. Note that ASCII-only labels are always permitted for compatibility with existing sites. A label is a segment of a domain name, delimited by dots. For example, www.microsoft.com contains three labels: www, microsoft, and com. Different languages are allowed to appear in different labels as long as all the languages are in the list chosen by the user. This approach supports domain names such as name.contoso.com, where the labels name and contoso are written in different languages.

Whenever Internet Explorer 7 and later versions prevent an IDN domain name from displaying in Unicode, an Information bar notifies the user that the domain name contains characters that Internet Explorer is not configured to display. The IDN Information bar makes it easy to add further languages to the allow list. By default, the user's list of languages usually contains only the currently configured Microsoft Windows language.

The language-aware mitigation does two things:

  • It disallows nonstandard combinations of scripts from being displayed inside a label. This takes care of attacks such as a look-alike of http://bank.contoso.com in which the a of the first label is a Cyrillic look-alike rather than the Latin letter: the name appears to use a single script but actually contains two. That domain name will always be displayed as http://xn--bnk-sgz.contoso.com because two scripts (Cyrillic and Latin) are mixed inside a label. This reduces the attack surface to single-language attacks.
  • It further reduces the attack surface for single-language attacks to only those users who have chosen to permit the target language.
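The three display rules and the two-part language-aware mitigation above, as an added Python model that is not Internet Explorer's or Idndl.dll's code: the language-to-script table is an assumption kept to a handful of entries, and a character's script is taken from the first word of its Unicode name, which is a heuristic standing in for the real language tables. Given a domain name and the user's chosen languages, it returns the address-bar form and the reason each label fell back to Punycode.

```python
import unicodedata

# Assumed, much simplified language -> script table; the real mapping lives in Idndl.dll.
LANGUAGE_SCRIPTS = {
    "English": {"LATIN"},
    "Greek": {"GREEK"},
    "Russian": {"CYRILLIC"},
    "Japanese": {"HIRAGANA", "KATAKANA", "CJK"},  # one language, several scripts
}

def label_scripts(label):
    """Scripts used by a label, or None if a character belongs to no language (rule 1)."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")  # ASCII letters count as Latin script
            continue                  # ASCII digits and '-' carry no script
        if not unicodedata.category(ch).startswith("L"):
            return None               # non-ASCII symbol, punctuation or digit
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])  # LATIN, GREEK, CJK, ...
    return scripts

def label_decision(label, user_languages):
    """Return ('unicode', None) or ('punycode', reason) for one label."""
    if label.isascii():
        return "unicode", None        # ASCII-only labels are always permitted
    scripts = label_scripts(label)
    if scripts is None:
        return "punycode", "contains characters that are not part of any language"
    fits = {lang for lang, s in LANGUAGE_SCRIPTS.items() if scripts <= s}
    if not fits:                      # rule 2: scripts that no single language mixes
        return "punycode", "mixes scripts %s in one label" % sorted(scripts)
    if not fits & set(user_languages):  # rule 3: language not chosen by the user
        return "punycode", "needs one of %s, not in the user's list" % sorted(fits)
    return "unicode", None

def to_ace(label):
    """RFC 3492 Punycode with the xn-- ACE prefix (no nameprep or case folding)."""
    return "xn--" + label.encode("punycode").decode("ascii")

def display_form(domain, user_languages):
    """Address-bar form of a domain name plus (label, reason) for each Punycode label."""
    shown, reasons = [], []
    for label in domain.split("."):
        form, reason = label_decision(label, user_languages)
        shown.append(to_ace(label) if form == "punycode" else label)
        if reason:
            reasons.append((label, reason))
    return ".".join(shown), reasons
```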

Users who allow Greek in their language settings, for example, are as susceptible to Greek-only spoofs as the population using English is susceptible to pure ASCII-based spoofs. To protect against such occurrences, the Internet Explorer 7 Phishing Filter monitors both Unicode and ASCII URLs. If the user has opted in to the Phishing Filter, a real-time check is performed during navigation to see whether the target domain name is a reported phishing site. If so, navigation is blocked. For additional defense in depth, the Phishing Filter Web service can apply further heuristics to determine whether the domain name is visually ambiguous. If so, the Phishing Filter warns the user via the indicator in the Internet Explorer address bar.

Whenever a user is viewing a site addressed by an IDN, an indicator appears in the Internet Explorer address bar to notify the user that IDN is in use. The user can click the IDN indicator to view more information about the current domain name. Users who do not want to see Unicode addresses can select the Always Show Encoded Addresses check box on the Advanced tab of the Internet Options dialog box.
