Opera fixes IDN 'vulnerability'

A patch has been issued by Opera software that addresses the potential problems surrounding internationalised domain names in its browser
Written by Munir Kotadia, Contributor

Norwegian software developer Opera released a second beta version of its browser on Saturday. Beta 2 plugs a recently discovered vulnerability that could be used in phishing attacks.

The problem arose because certain browsers support a standardised way of representing domain names in the letters or characters of any language. The Internationalised Domain Names (IDN) vulnerability, which affects non-Microsoft browsers such as Opera, Apple's Safari and Firefox, could help phishers create legitimate-looking Web sites.

Christen Krogh, vice-president of engineering at Opera, explained that when visiting secure Web sites, the browser will now display a yellow security bar containing the name of the organisation owning the site’s security certificate and only display ‘trusted’ top level domains (TLDs).

"One of the most important measures to counter phishing attacks is the use of security certificates. The challenge for browser vendors is to better explain the verification of certificates and to make the user more aware of this additional verification before entering into secure transactions," said Krogh.

To specifically address the IDN vulnerability, Opera's updated browser will only display certain TLDs that have been registered with the company.

According to a statement from Opera, the company "will regularly update its list of trusted TLDs, ensuring maximum protection and the best possible user experience".

In addition to improved security, Opera has made Beta 2 easier to customise and added support for Atom newsfeeds. The browser is available for download from the Opera Web site.

The Mozilla Foundation last week updated its Firefox Web browser to fix the IDN vulnerability, among other bugs.

Is your browser vulnerable to the IDN issue? Security Web site Secunia has constructed a test that can check if your browser is affected.

Editorial standards