Re: state of homograph attacks

[Markus Wernig <listener () wernig net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Peter Besenbruch wrote:
| Markus Wernig wrote:
|
|> Yes, it does set network.enableIDN = false, but on startup this seems to
|> get ignored. What I had to do to disable it (probably a brute hack):
|> there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that
|> reads along the lines of
|>
"{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so"

|>
|>
|> The head of the file says "don't edit", but after deleting the above
|> line, firefox wasn't able to resolve the punycode url anymore after a
|> restart.
|
|
| Unfortunately, Firefox 1.0 for Linux still displays punycode after
| deleting the line. They demo on http://www.shmoo.com/idn/ still works.
|
Well, I do run FF 1.0 on linux here (1.0-r3 on gentoo, but I do realize
that it's a source install, self-compiled), and even after re-enabling
network.enableIDN in about:config, it _does_ display the unicode
character (cyrillic "a") on the page, but does _NOT_ load the URL when
clicking on any of the links.
Funny detail: when hovering over the link, the status bar displays the
paypal "lookalike", as soon as I click on it, it changes to
"p%D0%B0ypal.com" - but that's probably more for a FF bugtracking list ...

lg /m
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCCAU58BX/d8pVi/cRAgzkAKDHVUxe2XQ4wnmyUVmtAaBQOFYbrwCcCza0
LQDHJMcvG1C4LsLUSjRssBE=
=BYKL
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html