The second beta release of Internet Explorer 7 will have support for URLs written in different languages, widely seen as critical for making the Internet more international, according to a Microsoft developer.
Domain Names Converted
Internet Explorer 7 will use application programming interfaces (APIs) to convert domain names to punycode, wrote Vishu Gupta, an IE developer, in a blog posting earlier this week. Punycode is an ASCII translation of Unicode domain names; ASCII is the format allowed by the domain name system.
IE 6 does not support punycode, and some Web sites work around it by linking to punycoded URLs, Gupta wrote. In IE 7, the Unicode domain names will be converted to punycode just before the domain name is resolved and sent to the proxy.
Users can turn off the international domain name function in the control panel under a new control, called "international." IE 7 would then function the same as IE 6, Gupta wrote.
While IDN compatibility expands the Internet's accessibility for non-English speakers, it also increases the chance of spoofing attacks. In "homograph" attacks, a Web site's name uses characters that look similar to those in a legitimate site's name but leads to a different site. Using the number "1" instead of the letter "l" is one hard-to-see distinction.
But conversion to IDN opens up the spoof character set from "a few dozen characters to many thousands of characters from all of the world's languages, thereby increasing the attack surface for spoofing attacks immensely," Gupta wrote.
Sometimes the difference is unnoticeable, such as when the Cyrillic character "a" is substituted for the Latin "a," allowing for a spoof of the name of another site, according to a Microsoft information sheet on IDN.
Trade-offs for Security
Showing the punycode would all but eliminate spoofing but it's not user friendly, Gupta wrote. IE 7 will put restrictions on the scripts allowed to be displayed in the address bar based on the user's browser language settings. If a domain name has characters that aren't in the user's chosen languages, the address will be shown in punycode, he wrote.
When IE 7 has prevented a domain name from being viewed as Unicode, an "information bar" notifies the user. Also new will be a "phishing filter," which checks whether a target domain name is a reported phishing site, Gupta wrote. The filter will also be able to determine if a domain name looks ambiguous, warning the user.
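The display rule Gupta describes can be sketched in a few lines. This is an added example, not Microsoft's code: script detection is approximated from Unicode character names, and the function names and the sample hostname are constructed for illustration.

```python
import unicodedata

# Assumption: a character's script is approximated by the first word of its
# Unicode name ("CYRILLIC SMALL LETTER A" -> "CYRILLIC"). A browser would use
# the Unicode Script property; this keeps the example standard-library only.
COMMON = set("0123456789-")  # digits and hyphen belong to no single script


def script_of(ch):
    if ch in COMMON:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts_in(hostname):
    """Set of scripts used across all labels of the hostname."""
    found = {script_of(ch) for label in hostname.split(".") for ch in label}
    return found - {"COMMON"}


def to_ascii(hostname):
    """Punycode (ASCII) form of the name, the form that is resolved."""
    return hostname.encode("idna").decode("ascii")


def display_form(hostname, allowed_scripts):
    """Return (address_bar_text, notify_user) for the user's allowed scripts.

    If any character falls outside the allowed scripts, the punycode form is
    shown and the caller should raise the information-bar notice.
    """
    unexpected = scripts_in(hostname) - set(allowed_scripts)
    if unexpected:
        return to_ascii(hostname), True
    return hostname, False


# Constructed sample: the third character is Cyrillic U+0430, not Latin "a".
SPOOF = "ex\u0430mple.example"

if __name__ == "__main__":
    for allowed in ({"LATIN"}, {"LATIN", "CYRILLIC"}):
        print(sorted(allowed), display_form(SPOOF, allowed))
```

With both Latin and Cyrillic allowed, the mixed-script name is still shown as Unicode under this rule alone, which is the gap the filter's ambiguity check is described as covering.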
The first beta of IE 7 has been available since July, and an updated pre-release build will be posted during the first quarter of 2006, Microsoft said earlier in December. Microsoft plans to release IE 7 before its Windows Vista OS, due before the end of 2006.