Security researcher 3ric Johanson reported in discussions with Richard Newman and Holt Sorenson that the prevention measures for homograph attacks with Internationalized Domain Names (IDN) were incomplete. IDN allows non-English speakers to use domains in their local language. Many supported characters are similar or identical to others in English, allowing for the potential spoofing of domain names and for phishing attacks when not blocked.

Mozilla had added .com, .net, and .name top-level domains to its IDN whitelist, allowing for IDN use without restrictions, when IDN registration protections at registrars were incomplete. This has been fixed by removing the .com, .net, and .name top-level domains from the IDN whitelist and implementing technical restrictions against script-mixing in domain labels. 


External Reference:

http://www.mozilla.org/security/announce/2013/mfsa2013-61.html


Acknowledgements:

Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges 3ric Johanson, Richard Newman and Holt Sorenson as the original reporter.

Statement:

This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5 and 6