Archived - About Safari International Domain Name support

Security Update 2005-003 updates Safari's support for International Domain Names (IDN) to prevent lookalike characters from being used to spoof the URL displayed in the address field, SSL certificate, or status bar. Here's more information about IDN support in Safari and how Security Update 2005-003 affects it.

The Issue

Safari can display Unicode characters in URLs, allowing you to access foreign language websites using their native language. For example, you could enter the Japanese language URL "�?島.jp" to visit the website instead of using the Latin alphabet that represents that domain name to get there.

However, lookalike characters could be used to make users believe that they are viewing a different site than what they actually are. For example, the Cyrillic letter "a" could be used in place of the Latin letter "a," making it difficult for a user to tell if they are at "www.apple.com" or a malicious imposter website that's designed to look like the real one. These sites can be used to collect account numbers, passwords, and other personal information. This can affect any web browser with support for International Domain Names. Security Update 2005-003 addresses this issue.

The Solution

Security Update 2005-003 provides a user-editable list of scripts that are allowed to be displayed natively in domain names. The default list does not include Latin lookalike scripts (Cherokee, Cyrillic, and Greek) that could be used to trick users into navigating to malicious sites.

Domain names containing scripts that are not in the allowed list will be displayed in an ASCII format called "Punycode." For example, an imposter website with the URL "http://www.apple.com/" that uses the Cyrillic letter "a" would be displayed as "http://www.xn--pple-43d.com" for your protection. This conversion prevents disabled scripts from being confused with other scripts.

You can edit the list of allowed scripts to specify exactly what scripts you want displayed. Please note that adding Cherokee, Cyrillic, and Greek will enable Safari to display all scripts, and will expose you to known IDN vulnerabilities. If you have an empty list of scripts, all non-ASCII characters will be displayed in their Punycode equivalents.

You can modify the list of allowed scripts using any text editor as long as you have administrative access. This list is located at:

/System/Library/Frameworks/WebKit.framework/Versions/A/Resources/IDNScriptWhiteList.txt

	Related documents
	108009	Safety tips for handling email attachments and content downloaded from the Internet