Understanding Internationalized Domain
Names
This tip brought to you by the Department of Homeland
Security & US-CERT
You may have been exposed to internationalized domain names (IDNs) without realizing
it. While they typically do not affect your browsing activity, IDNs may give attackers an
opportunity to redirect you to a malicious web page.
What are internationalized domain names?
To decrease the amount of confusion surrounding different languages, there is a standard
for domain names within web browsers. Domain names are included in the URL (or web
address) of web site. This standard is based on the Roman alphabet (which is used by the
English language), and computers convert the various letters into numerical equivalents.
This code is known as ASCII (American Standard Code for Information Interchange).
However, other languages include characters that do not translate into this code, which is
why internationalized domain names were introduced.
To compensate for languages that incorporate special characters (such as Spanish, French
or German) or rely completely on character representation (such as Asian or Arabic
languages), a new system had to be developed. In this new system, the base URL (which
is usually the address for the home page) is dissected and converted into a format that is
compatible with ASCII. The resulting URL (which contains the string "xn--" as well as a
combination of letters and numbers) will appear in your browser's status bar. In newer
versions of many browsers, it will also appear in the address bar.
What are some security concerns?
Attackers may be able to take advantage of internationalized domain names to initiate
phishing attacks (see Avoiding Social Engineering and Phishing Attacks for more
information). Because there are certain characters that may appear to be the same but
have different ASCII codes (for example, the Cyrillic "a" and the Latin "a"), an attacker
may be able to "spoof" a web page URL. Instead of going to a legitimate site, you may be
directed to a malicious site, which could look identical to the real one. If you submit
personal or financial information while on the malicious site, the attacker could collect
that information and then use and/or sell it.
How can you protect yourself?



Type a URL instead of following a link — Typing a URL into a browser rather
than clicking a link within a web page or email message will minimize your risk.
By doing this, you are more likely to visit the legitimate site rather than a
malicious site that substitutes similar-looking characters.
Keep your browser up to date — Older versions of browsers made it easier for
attackers to spoof URLs, but most newer browsers incorporate certain protections.
Instead of displaying the URL that you "think" you are visiting, most browsers
now display the converted URL with the "xn--" string. Internet Explorer does not
currently support IDNs, so you will see an error message if you try to visit a URL
that includes non-ASCII characters.
Check your browser's status bar — If you move your mouse over a link on a
web page, the status bar of your browser will usually display the URL that the
link references. If you see a URL that has an unexpected domain name (such as
one with the "xn--" string mentioned above), you have likely encountered an
internationalized domain name. If you were not expecting an internationalized
domain name or know that the legitimate site should not need one, you may want
to reconsider visiting the site. Browsers such as Mozilla and Firefox include an
option in their security settings about whether to allow the status bar text to be
modified. To prevent attackers from taking advantage of JavaScript to make it
appear that you are on a legitimate site, you may want to make sure this option is
not enabled.
Authors: Mindi McDowell, Will Dormann, Jason McCormick
Produced 2005 by US-CERT, a government organization. You are permitted to reproduce
and distribute the US-CERT Tips in whole or in part, without changing the text you use,
provided that you include the copyright statement or "produced by" statement and use the
document for noncommercial or internal purposes. For commercial use or translations,
send your email request to webmaster@us-cert.gov.