Full Disclosure mailing list archives
Re: state of homograph attacks
From: Peter Besenbruch <prb () lava net>
Date: Mon, 07 Feb 2005 12:21:59 -1000
Markus Wernig wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Valdis.Kletnieks () vt edu wrote: | On Mon, 07 Feb 2005 11:06:18 PST, Richard Jacobsen said: | | |>Open up firefox, put about:config into the address bar, and then change |>network.enableIDN to false by double clicking on it. If it is working |>successfully, you should get a message "domainname.com could not be found"|>when clicking on an IDN link. You shouldn't need to restart your browser.| | | The actual bug referenced by Gerald is that if you use about:config to set it, | it *works* without having to restart, but at the next restart of the browser, | the setting no longer works... | Yes, it does set network.enableIDN = false, but on startup this seems to get ignored. What I had to do to disable it (probably a brute hack): there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that reads along the lines of"{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so"The head of the file says "don't edit", but after deleting the above line, firefox wasn't able to resolve the punycode url anymore after a restart.
Unfortunately, Firefox 1.0 for Linux still displays punycode after deleting the line. They demo on http://www.shmoo.com/idn/ still works.
I should also point out that Konqueror 3.3.2 is also vulnerable, but the the SSL demo brings up a certification warning. To the clueless, such a warning might not do much, but to some, a bad certification on an SSL page is a red flag.
Perhaps we should all ask Microsoft to port Internet Explorer to Linux. That way we would all be safe.
-- Hawaiian Astronomical Society: http://www.hawastsoc.org HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- state of homograph attacks fulldisclosure (Feb 06)
- Re: state of homograph attacks Simon Roberts (Feb 06)
- Re: state of homograph attacks Gerald Holl (Feb 07)
- Re: state of homograph attacks Richard Jacobsen (Feb 07)
- Re: state of homograph attacks Valdis . Kletnieks (Feb 07)
- Re: state of homograph attacks Markus Wernig (Feb 07)
- Re: state of homograph attacks Peter Besenbruch (Feb 07)
- Re: state of homograph attacks Markus Wernig (Feb 07)
- Re: state of homograph attacks Richard Jacobsen (Feb 07)
- Re: state of homograph attacks Nick FitzGerald (Feb 07)
- RE: state of homograph attacks Aditya Deshmukh (Feb 08)