[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] state of homograph attacks

Markus Wernig wrote: 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Valdis.Kletnieks@xxxxxx wrote:
| On Mon, 07 Feb 2005 11:06:18 PST, Richard Jacobsen said:
|
|
|>Open up firefox, put about:config into the address bar, and then change
|>network.enableIDN to false by double clicking on it. If it is working
|>successfully, you should get a message "domainname.com could not be
found"
|>when clicking on an IDN link. You shouldn't need to restart your browser.
|
|
| The actual bug referenced by Gerald is that if you use about:config to
set it,
| it *works* without having to restart, but at the next restart of the
browser,
| the setting no longer works...
|

Yes, it does set network.enableIDN = false, but on startup this seems to
get ignored. What I had to do to disable it (probably a brute hack):
there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that
reads along the lines of
"{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so" 


The head of the file says "don't edit", but after deleting the above
line, firefox wasn't able to resolve the punycode url anymore after a
restart.

Unfortunately, Firefox 1.0 for Linux still displays punycode after deleting the line. They demo on http://www.shmoo.com/idn/ still works.

I should also point out that Konqueror 3.3.2 is also vulnerable, but the the SSL demo brings up a certification warning. To the clueless, such a warning might not do much, but to some, a bad certification on an SSL page is a red flag.

Perhaps we should all ask Microsoft to port Internet Explorer to Linux. That way we would all be safe.

--
Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html