[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Will Kamishlian <will@xxxxxxxxxx>
Date: Wed, 9 Feb 2005 10:31:30 -0500

I tested the following browsers against the proof of concept page
(www.shmoo.com/idn):

  - dillo (0.8.3)
  - lynx (2.8.5)
  - konqueror (3.3)

Testing was done on Linux 2.6.9 (generic)

Dillo and lynx handle the links well (dillo returns a DNS error and lynx
reports an invalid URL).  Konqueror opens the non-SSL link and displays
the URL as "http://www.paypal.com/";.  For the SSL page, Konqueror provides
a warning that the IP address does not match the issuer domain. If the
user accepts the certificate, the page is presented showing the URL as
"https//www.paypal.com". 

-Will Kamishlian

Follow-Ups:
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Peter J. Holzer

References:
- International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
  - From: Brandon Kovacs

Prev by Date: Re: GMail / Google Groups ESMTP software b0f
Next by Date: [SECURITY] [DSA 672-1] New xview packages fix potential arbitrary code execution
Previous by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Next by thread: Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread