New Safari spoofing flaw

The Mac may be the best defense against most viruses and spyware, but there is still a need to be careful out there when riding on the wild internet. According to an advisory from Secunia, the flaw uses a visual trick to convince users that they are at a web site that they are not actually visiting.

The basics are that recently (over the last year or two) the internet has begun using domain names that are not strictly required to use the ASCII character set. These special domain names (called IDNs, or Internationalized Domain Names) use a special encoding technique to look up characters such as accents, Kanji, and Cyrillic when they are typed in as parts of the host name of a URL.

The flaw means that you need to remain vigilant when following links in emails messages. As has always been the case, you should only type in your own URLs, not click on URLs in email addresses when you need to go to web sites with secure content (such as paypal or your bank or credit card company).

The problem with this particular issue is that it takes advantage of graphical similarity between characters in the ASCII character set and those in other sets, such as Cyrillic. As an example, it can be hard to tell the difference between: hello and ?????.