A URL, if it contains any non-ASCII characters, should always be presented to the user in an ACE (ASCII Compatible Encoding) form (looking something like this: xn--t-zfa.com) for the sake of preventing visual spoofing (a situation where two different URLs, rendered in a given font, look so alike that one might be mistaken for the other; for examples see Unicode Security Considerations).
It appears, though, that certain Unicode combining diacritics, when appended to certain ASCII characters, still escape this rule in the latest versions of some mainstream web browsers.
I had no trouble registering the xn--papal-yg2b.com domain (and why should I, after all?) and, as it happens, this is exactly where your browser (provided it's vulnerable to this attack, see below) will take you when you decide to visit PayPal.com using this link: paỵpal.com.
OK, what just happened? Obviously the site you just visited was not PayPal. That's because the link contains an additional combining character that places a dot ( ̣) under the preceding character (y in this case). Depending on the font used to display this string, the dot is more or less noticeable. Sure enough, though, a malicious person motivated by other people's money could find a combination of a character and a diacritic that is far harder to spot, making a phishing attack even more of a real threat.
And here is how it looks in HTML:
<p>
I had no trouble registering an <em>xn--papal-yg2b.com</em> domain
(and why should I, after all?) and as it happens this is exactly where
your browser (given it's vulnerable to this attack, see further) will take you
when you decide to visit <a href='http://paỵpal.com'>PayPal.com</a>
using this link: <a href='http://paỵpal.com'>paỵpal.com</a>.
</p>
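The mechanism described above, as an added example that is not part of the original post: a small Python 3 checker (standard library only; its idna codec follows the IDNA2003 rules the browsers of this era used) that converts a hostname to the ACE form a browser should display, and flags the post's trick, an ASCII letter followed by a combining mark (here U+0323 COMBINING DOT BELOW, which nameprep folds into the precomposed letter ỵ). The sample hostnames, the set of known names and the function names are constructed for this example; only paỵpal.com and xn--papal-yg2b.com come from the post.

```python
import unicodedata

# Constructed sample hostnames. Only paỵpal.com and its ACE form
# xn--papal-yg2b.com come from the post; the post's spoof is the letter
# "y" followed by U+0323 COMBINING DOT BELOW.
SAMPLE_HOSTS = [
    "paypal.com",            # the genuine, pure-ASCII name
    "pay\u0323pal.com",      # y + combining dot below (the post's link)
    "pa\u1ef5pal.com",       # same name with the precomposed U+1EF5
    "xn--papal-yg2b.com",    # the ACE form the post registered
]


def to_ace(host: str) -> str:
    """Return the ACE (xn--) form a browser should display for a hostname.

    Python's "idna" codec applies IDNA2003 nameprep (NFKC), so the combining
    sequence and the precomposed letter map to the same ACE label.
    """
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """Return the canonical Unicode form of a hostname (ACE or not)."""
    return host.encode("idna").decode("idna")


def skeleton(host: str) -> str:
    """Strip every combining mark after NFD decomposition.

    A label that differs from a known name only by diacritics collapses
    onto that name, which is how a link scanner can spot the look-alike.
    """
    decomposed = unicodedata.normalize("NFD", to_unicode(host))
    return "".join(ch for ch in decomposed
                   if not unicodedata.category(ch).startswith("M"))


def assess(host: str, known_names: set) -> dict:
    """Classify a hostname the way a defensive link checker might.

    Findings: "non-ascii" if any label needed ACE encoding, "combining-mark"
    if the Unicode form carries a diacritic, and "looks-like:<name>" when
    removing the diacritics yields a name from the known set.
    """
    ace = to_ace(host)
    uni = to_unicode(host)
    findings = []
    if any(label.startswith("xn--") for label in ace.split(".")):
        findings.append("non-ascii")
    if any(unicodedata.category(ch).startswith("M")
           for ch in unicodedata.normalize("NFD", uni)):
        findings.append("combining-mark")
    skel = skeleton(host)
    if skel != uni and skel in known_names:
        findings.append("looks-like:" + skel)
    return {"ace": ace, "unicode": uni, "skeleton": skel, "findings": findings}


if __name__ == "__main__":
    # Print what a safe address bar should show next to what the user sees.
    for h in SAMPLE_HOSTS:
        r = assess(h, {"paypal.com"})
        print(f"{r['ace']:22} {r['unicode']:14} {r['findings']}")
```

Run it as a script to see that both spellings of the spoofed name (combining sequence and precomposed letter) produce the same xn--papal-yg2b.com label, which is exactly the string a browser should have shown instead of paỵpal.com. The skeleton comparison is deliberately crude: it catches diacritic tricks like the one in the post, not look-alike letters from other scripts, for which a confusables table is needed.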
Which browsers are vulnerable to an attack based on this flaw? I've looked at the four most popular ones: IE (7.0.5730.13), Firefox (2.0.0.7), Opera (9.23, build 8808) and Safari (3.0.3, win32, build 522.15.5), and here is what I've found.
Firefox
Firefox (2.0.0.7) seems to be secure against this type of attack. For some mysterious reason, some of the URLs containing non-ASCII characters do not seem to be encoded to an ACE form before being displayed in both Firefox's status bar and its address bar (move your mouse over this link). Nevertheless, from my observations it seems that at least the Windows build of Firefox does not even attempt to resolve such a domain name. Instead it just displays a "Server could not be found" error message. Of course I'm not sure about all the weird combinations of Unicode characters, but a few pokes here and there have shown Firefox stubbornly refusing to even try to connect. A plus for Firefox, then.
IE7
IE (7.0.5730.13) shows the visually spoofed URL in both the status bar and the address bar. It looks pretty bad and may serve as a helper in a phishing attack. Fortunately, there are a couple of things that help the user.

First of all, the URL displayed in IE's window title is somewhat indicative of something wrong going on. I guess we owe it to some quirks in XP's Unicode implementation, so it shouldn't be assumed to be like this in Vista too, as the guys at MS could've fixed that already. If you have Vista, I'd appreciate it if you could let me know how it is there.
Another thing is the IDN button next to the address bar. It shows you that the URL you've accessed contains some non-ASCII characters. So you'd probably want to double-check in those two places whether the link you've followed really leads where you wanted to go.
Safari
Safari (3.0.3, win32, build 522.15.5) looks like it is vulnerable to this kind of visual spoofing in both the address bar and the window title.
Something of a mitigation of the phishing threat is the fact that the name is properly displayed in the status bar, but this factor loses its impact due to the fact that the status bar in Safari is turned off by default.

Opera
Well, to be honest, Opera (9.23, build 8808) is the worst of the breed in this respect. It's vulnerable to both address bar visual spoofing and tooltip spoofing.

Again, there are some quirks in the Unicode processing (probably XP is to blame here), so the name in the window title looks somewhat weird. But to be honest, if you're not looking specifically for this, you're not going to spot it. So what you'd probably like to do is look in that direction from time to time.
But. It's not the end... I said "the worst of the breed", didn't I? Well, guess what, the latest version of Opera is still vulnerable to the age-old phishing attack described here. Really scary.
A takeaway?
Well, it's really important to remember that (at least for now) a browser may not always bother to convert a URL to the ACE format for you, and may show it in a way that looks (but only looks) like the address of the place you would like to go to or be at.
So, when performing security-sensitive actions (surfing to your bank, or the like), trusting your browser to do all the checks for you, convenient as it is, doesn't seem to be the wisest thing to do. So, instead of following a suspicious link, simply type the address in by hand. Simple as that!
If you really need to follow a link (although I can't see why exactly one would insist on this if there is any doubt regarding its authenticity) and the site supports SSL, you will want to make sure you have checked that the certificate matches the domain you intended to visit and that the trust chain of the certifying parties looks good.
If you really need to click on the link and there is no SSL, never perform any privacy-sensitive actions there. And it's always good to have a careful look at the status bar (or the tooltip in Opera) before clicking a link, and at the address bar once you've followed it. If you're on IE7, you may want to look for the IDN (Internationalized Domain Names) button just to the right of the address bar: if it's there, you've visited an address containing some non-ASCII characters (which, of course, is wrong only if you didn't intend so).
Generally, think when you're about to click a link.
Comments (11)
It's a pity, dude, that you don't know that Opera has a button in the form of a question mark that catches these errors and checks pages for phishing. It's a pity you cut that part of the browser out of the screenshots, but there's nothing like objective non-objectivity.
Posted by perkoz | October 20, 2007 10:14 AM
Conspiracy theory, huh? I suggest growing up.
Getting back to the point: yes, I know there is a button, but: "Opera has no information about this site. It is not on the blacklist of fraudulent sites, but it has not been verified by a trusted company either." And now what?
Besides, it requires the user to take an action. Of course every aware user will click the question mark, but the ones really at risk are those unaware of the problem, who are unlikely to click.
Another question is whether such users use Opera at all...
Regards.
Posted by Michał Sobiegraj | October 20, 2007 11:08 AM
Delete me
Posted by alert('This is ironic...'); | October 21, 2007 5:34 AM
No, not very much...
Posted by Michał Sobiegraj | October 22, 2007 12:16 AM
Safari 3.0.3 (522.12.1) on OS X 10.4.10 is actually more vulnerable than the Win version because it displays the visual spoofing in the status bar.
Posted by David | October 23, 2007 3:36 PM
There you go...
Posted by Michał Sobiegraj | October 24, 2007 12:49 AM
Just add a <title> tag to the HTML code and you will "fix" the window title problem :]
Posted by Kanedaaa | October 25, 2007 3:28 PM
Right :) "Fix" as in "just change it, if you can't display it properly"? From the browser perspective maybe it will get away as a kind of fix (it allows us to avoid the Unicode quirks in the window title, after all), but from the perspective of a user who's about to get scammed it doesn't seem to be much of a fix. I'd rather say it's something along the lines of "more trouble"... ;)
Posted by Michał Sobiegraj | October 25, 2007 3:58 PM
That's why it was a "fix" [for phishers], not a fix [for browsers] :] With a TITLE tag you will have a fully 100% undetectable phishing site ;]]] [in Opera, for example].
Posted by Kanedaaa | October 25, 2007 4:10 PM
Ah, alright then :) And isn't that just beautiful? ;)
Posted by Michał Sobiegraj | October 25, 2007 4:18 PM
Of course. We can grab more money from Scam/Phish and buy more Mazda cars...
Posted by Kanedaaa | October 25, 2007 4:27 PM