A dangerous spoofing security hole has been found in almost every browser on the market -- except one.
Mozilla, Firefox, Safari, OmniWeb, Opera and Netscape all suffer from the "moderately critical" vulnerability that allows the spoofing of address bar URLs and SSL certificates, but, incredibly, Microsoft Corp.'s Internet Explorer gets a clean bill of health.
Publicized by security company Secunia, the flaw affects the range of browsers using the open-source Gecko browser kernel. Anyone using an affected browser would be able to visit spoofed websites without being aware of it, something that would aid any crime based on setting up bogus websites, such as phishing.
The flaw arises from the way the named browsers resolve web addresses that include international characters in International Domain Name (IDN) URLs. Russian researchers Evgeniy Gabrilovich and Alex Gontmakher first outlined the potential for such a spoofing issue in 2002, in what was then a theoretical paper, The Homograph Attack. Exploiting the hole could, they reasoned, allow them to register a "homographic" variant of http://www.microsoft.com that included Unicode/UTF-8-defined Russian characters similar to certain ASCII characters.
They speculated that some browsers would either resolve these characters in a garbled way or would, as has turned out to be the case, present them as if the registered domain was actually the real Microsoft.com. Users could also be fooled into believing the bogus site was protected by an SSL certificate when it wasn’t.
There is no patch for the vulnerability though users can at least test browsers for it on the Secunia website.
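A check for the lookalike hostnames the article describes, as an added example that is not part of the original post: it decodes IDN ("xn--") labels, then flags labels that mix scripts or that render like a protected name. The confusables map and the protected-name list are small constructed assumptions, not data from Secunia or any browser.

```python
import unicodedata

# Constructed, deliberately small map of Cyrillic letters that render like
# ASCII letters; a real deployment would use the Unicode confusables data.
CONFUSABLE = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
              "\u0455": "s", "\u0458": "j"}

# Hypothetical list of names the defender wants to protect.
PROTECTED = {"microsoft", "paypal"}


def to_unicode(label):
    """Decode an ACE ("xn--") label to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(label):
    """Map known lookalikes to ASCII so visually equal labels compare equal."""
    return "".join(CONFUSABLE.get(ch, ch) for ch in label.lower())


def check_host(host):
    """Return a list of (label, reason) findings for one hostname."""
    findings = []
    for raw in host.rstrip(".").split("."):
        label = to_unicode(raw)
        if label.isascii():
            continue
        used = scripts(label)
        if len(used) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(used))))
        if skeleton(label) in PROTECTED:
            findings.append((label, "renders like protected name " + skeleton(label)))
    return findings


if __name__ == "__main__":
    # Constructed sample: "microsoft" with both o's replaced by Cyrillic U+043E.
    for host in ["www.microsoft.com", "www.micr\u043es\u043eft.com"]:
        print(ascii(host), check_host(host))
```

A label written entirely in one non-Latin script produces no finding unless its skeleton matches a protected name, so ordinary international domain names are not flagged.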
Joined: Sat Oct 16, 2004 7:44 pm Posts: 8910 Location: Santa Cruz Gender: Male
Angela wrote:
Buggy wrote:
Edit: Where did my other post go?
You didn't delete it? Weird.
I have a feeling I've been duped. Either that or I must have done something stupid and didn't know I did, which may not be far from the realm of possibilities.
Joined: Sat Oct 16, 2004 11:38 pm Posts: 4412 Location: red mosquito
Here's the Firefox fix:
Quote:
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
I have a feeling I've been duped. Either that or I must have done something stupid and didn't know I did, which may not be far from the realm of possibilities.
Joined: Sat Oct 16, 2004 11:38 pm Posts: 4412 Location: red mosquito
tommymctom wrote:
Here's the Firefox fix:
Quote:
1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
Joined: Sun Oct 17, 2004 12:12 am Posts: 1080 Location: boulder
Let me point out a few things. First, Secunia is involved (remember them? Where is peeps?).
Secondly, that is NOT a fix for Firefox. It'll work right when you switch it but as soon as you restart your browser, you're back to it not working again.
Thirdly, this isn't a flaw in Firefox, Opera, etc., it's a flaw in the standards that dictate how these browsers work. These browsers are correctly implementing the standard - for example, when Opera was contacted about this, they said they're not even going to provide a workaround because they are doing things correctly. The only reason Microsoft fared okay on this is because they're not a standards browser, the single most annoying thing to anyone who does web design (it's the reason your website can look completely screwed up in IE and not the other browsers, or vice versa).
_________________ "my fading voice sings, of love..."
Joined: Sun Oct 17, 2004 2:18 pm Posts: 946 Location: State College
stonecrest wrote:
Let me point out a few things. First, Secunia is involved (remember them? Where is peeps?).
Secondly, that is NOT a fix for Firefox. It'll work right when you switch it but as soon as you restart your browser, you're back to it not working again.
Thirdly, this isn't a flaw in Firefox, Opera, etc., it's a flaw in the standards that dictate how these browsers work. These browsers are correctly implementing the standard - for example, when Opera was contacted about this, they said they're not even going to provide a workaround because they are doing things correctly. The only reason Microsoft fared okay on this is because they're not a standards browser, the single most annoying thing to anyone who does web design (it's the reason your website can look completely screwed up in IE and not the other browsers, or vice versa).
so what should be done about this problem?
_________________ paint a picture using only gray
light your pillow. lay back. watch the flames...
According to this thread on the mozilla forum, there is a temporary workaround different from the one posted above:
________________________________________
Workaround
This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (Common profile locations).
Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example: