Firefox Fixes Phishing Issue
Friday, 25 February 2005
Sometimes it's hard to tell what changed from one software release to another. Some people might believe the changes from Firefox 1.0 to 1.0.1 are minor and do not warrant the time to upgrade; they should update anyway. The latest Firefox version addresses a vulnerability that Secunia rated moderately critical.

Firefox 1.0.1 fixes an issue in how Unicode characters in URLs are displayed. Unicode is a character set that represents most alphabets, math symbols, currency symbols, and many special characters. Although most of us are familiar only with the characters on our keyboard, Unicode includes many more because it is designed to cover the world's writing systems.

Because Unicode covers so many scripts, some of its characters look alike (homographs). This is similar to the problem when you enter a software registration key only to find you mistook the 0 for an O or the l for a 1. Substituting lookalike characters in a domain name was one of the first tricks phishers used to deceive users.

To see how similar some of these Unicode character representations are, try the following:

1. From the Windows Start menu, select Run

2. Type charmap in the Open: text box

3. Click OK. The Character Map program should appear.

4. At the bottom of the dialog, check the box labeled Advanced view

5. In the Go to Unicode: box, type 0061

Depending on the font you selected, Character Map shows a lowercase a and identifies it as U+0061, LATIN SMALL LETTER A.

6. Now, click Reset and type 0430 in the Go to Unicode: box

Character Map again shows a lowercase a, this time identified as U+0430, CYRILLIC SMALL LETTER A.

Side by side, the lowercase Latin a and the lowercase Cyrillic а look the same in most fonts, even though they are different characters.

The reason this issue impacts Firefox is that it is one of the web browsers that supports IDN, which is relatively new. IDN is the abbreviation for Internationalized Domain Names, and it allows web addresses to be shown in native-language characters. This means you could see web addresses written in any of the many scripts covered by Unicode. You could also see phishers registering domains that use some of these lookalike characters.

Firefox 1.0.1 addresses this by showing the Punycode form of such addresses instead of their Unicode rendering. Punycode (RFC 3492) is not a subset of Unicode; it is an encoding that represents a Unicode domain label using only ASCII letters, digits and hyphens, and it is used for any part of a domain name that cannot be written in plain ASCII. An encoded label is marked with the prefix xn--. You can see an example of this by visiting the Shmoo Group demo page. In Firefox 1.0, if we hover the mouse over the first hyperlink, the status bar displays http://www.theshmoogroup.com/. Look closely at the first and second o's in the status bar: one of them is actually the Cyrillic letter о (U+043E), not the Latin o (U+006F).


After we install Firefox 1.0.1, the status bar changes and shows the punycode representation.


The label now begins with xn--, the Cyrillic о no longer appears in the visible text, and its code point and position are encoded in the -bgk suffix, so the status bar shows http://www.xn--theshmogroup-bgk.com/.

The best protection is still to type URLs into the browser yourself when possible. We realize, however, that it is often more convenient to follow hyperlinks supplied in emails and web pages.


Additional Resources
Mozilla Firefox Update
Secunia IDN Spoofing Advisory
Shmoo Group Homograph Attack paper
Verisign IDN page
Last Updated: Friday, 25 February 2005