Good News Firefox Users!

SkulkBait Join Date: 2003-02-11 Member: 13423 Members
edited February 2005 in Off-Topic
<div class="IPBDescription">IDN exploits will be dealt with</div>
<blockquote><b>QUOTE</b>
Mozilla Foundation Response to IDN Homograph Spoofing Attack
Monday February 14th, 2005

Last week, we reported that Mozilla is vulnerable to a homograph spoofing attack using international domain names (IDNs). Today, Gervase Markham, acting on behalf of staff@mozilla.org and drivers@mozilla.org, announced the Mozilla Foundation's short-term response. In the forthcoming Mozilla Firefox 1.0.1 and Mozilla 1.8 Beta releases, IDN support will be disabled (bug 282270). For those users that need it, an XPI will be released to turn IDN support back on (bug 282269).

This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1. For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names (the ICANN guidelines specifically warn against this). More discussion of the problem and possible solutions can be found in bug 279099 (please do not add unnecessary comments to any of the bugs linked to this article).

Update: Gerv has posted a followup clarifying the change and the likely long-term solutions. He also confirms that there will be a Mozilla 1.7.6 release with IDN disabled. Netcraft also has a nice report outlining the problem and the temporary solution (note that despite what Netcraft says, this article is not an official Mozilla Foundation advisory).
</blockquote>
--http://www.mozillazine.org/talkback.html?article=6073

The short version: Firefox 1.01 will have IDN disabled by default (an XPI can be used to turn it back on) and Firefox 1.1 will have a more permanent solution. In the meantime, if you are running Firefox and haven't disabled IDN properly, here's how to do it:

Browse to "C:\Documents and Settings\<i>YourUserName</i>\Application Data\Mozilla\Firefox\Profiles\<i>random</i>.default" and open "compreg.dat" with Notepad. Find all instances of "IDN" and comment out those lines by adding a "#" in front of them. You should back up compreg.dat before you do this. Now simply restart your browser. Note that I have heard that this can cause problems if you install extensions after doing it.


EDIT: There is a simpler way to do this.

1. Type "about:config" in the URL bar, then scroll down to network:enableIDN -> double-click and set to false;
2. Go to "Tools" -> "Privacy" and clear the cache;
3. Then restart Firefox. You are now protected.

<b>Make sure that you do step 2 or the setting will revert after the restart!</b>

EDIT 2: <b>Ignore the above method, it doesn't work!</b>
I made the mistake of taking someone's word for it; after testing it myself, I have determined that it doesn't work. Method 1 still does, however.

You can test your vulnerability <a href='http://www.shmoo.com/idn/' target='_blank'>here</a>
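The spoofing discussed in this thread works because a non-ASCII letter can render like an ASCII one while the browser resolves a different, `xn--`-encoded name. The following is an added example, not part of the original post and not Mozilla's fix: it shows the encoded name behind a look-alike host and flags labels that mix scripts or fold to a protected name. The sample host, the `CONFUSABLES` table and the function names are constructed for illustration.

```python
import unicodedata

# Constructed sample: Latin "paypal" with its first "a" swapped for Cyrillic U+0430.
SPOOF = "www.p\u0430ypal.com"

# Small constructed look-alike table (Cyrillic -> Latin); illustrative, not exhaustive.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"}


def script_of(ch):
    """Rough script of a character, taken from its Unicode name (heuristic)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_ascii(host):
    """ASCII-compatible (xn--) form of each label: the name DNS really resolves."""
    return ".".join(lab.encode("idna").decode("ascii") for lab in host.split("."))


def skeleton(label):
    """Fold known look-alikes to ASCII so visually equal labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def check_host(host, protected=("paypal",)):
    """Return (label, finding, detail) tuples for suspicious non-ASCII labels."""
    findings = []
    for label in host.split("."):
        if label.isascii():
            continue  # pure-ASCII labels contain no non-Latin look-alikes
        scripts = sorted({script_of(ch) for ch in label} - {"COMMON"})
        if len(scripts) > 1:
            findings.append((label, "mixed-script", scripts))
        if skeleton(label) in protected:
            findings.append((label, "looks-like", skeleton(label)))
    return findings


if __name__ == "__main__":
    print(to_ascii(SPOOF))
    for finding in check_host(SPOOF):
        print(finding)
```

Displaying the `to_ascii` form instead of the Unicode form whenever `check_host` returns a finding makes the difference visible to the user without turning IDN off entirely.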

Comments

  • coris Join Date: 2003-07-08 Member: 18034 Members, Constellation
    That exploit isn't THAT bad to be honest.
    Firefox leetness makes up for it, anyway.




    1337 posts \o/
  • Caboose title = name(self, handle) Join Date: 2003-02-15 Member: 13597 Members, Constellation
    <blockquote><b>QUOTE</b> (coris @ Feb 15 2005, 03:39 PM) That exploit isn't THAT bad to be honest.</blockquote>
    ???
    You have no idea HOW bad that is. The example used earlier emulated paypal. Imagine being able to get people's credit card info... Or other information that people usually give to an elite number of trusted sites...
  • Infinitum Anime Encyclopedia Join Date: 2002-08-08 Member: 1111 Members, Constellation
    Isn't this problem circumvented by just typing the URL into the address bar rather than follow a link?
  • im_lost TWG Rule Guru Join Date: 2003-04-26 Member: 15861 Members
    edited February 2005
    <blockquote><b>QUOTE</b> (Infinitum @ Feb 15 2005, 03:58 PM) Isn't this problem circumvented by just typing the URL into the address bar rather than follow a link?</blockquote>
    Yes. The reason there's a problem is due to the fact that a group of symbols will translate to a different symbol, and the only place that it can be seen is in the html source. For example, & amp; (without the space) shows up as &. There is a group of letters and symbols to make just about every letter you want, and the example that was posted here replaced the 'a' with some symbols. So, typing in the url will completely avoid this problem. You could also copy to Notepad first, then back to your browser for long url's (I think that would work, anyway).
  • SkulkBait Join Date: 2003-02-11 Member: 13423 Members
    <blockquote><b>QUOTE</b> (im lost @ Feb 15 2005, 07:00 PM)
    <blockquote><b>QUOTE</b> (Infinitum @ Feb 15 2005, 03:58 PM) Isn't this problem circumvented by just typing the URL into the address bar rather than follow a link?</blockquote>
    Yes. The reason there's a problem is due to the fact that a group of symbols will translate to a different symbol, and the only place that it can be seen is in the html source. For example, & amp; (without the space) shows up as &. There is a group of letters and symbols to make just about every letter you want, and the example that was posted here replaced the 'a' with some symbols. So, typing in the url will completely avoid this problem. You could also copy to Notepad first, then back to your browser for long url's (I think that would work, anyway).</blockquote>
    I just tested your hypothesis and am surprised to find that it indeed does still trigger the exploit! Notepad must support international characters that aren't in the system's current set. But for long URLs you can type in the first part of the domain (i.e. <a href='http://www.paypal.com/' target='_blank'>http://www.paypal.com/</a>) and then copy-paste the rest of it.
  • Poofle Join Date: 2004-08-13 Member: 30587 Members
    edited February 2005
    - nevermind, was testing something... -
  • DOOManiac Worst. Critic. Ever. Join Date: 2002-04-17 Member: 462 Members, NS1 Playtester
    <blockquote><b>QUOTE</b> (Infinitum @ Feb 15 2005, 05:58 PM) Isn't this problem circumvented by just typing the URL into the address bar rather than follow a link?</blockquote>
    Yes, but for Firefox to reach its stated goal of taking back the web, then Firefox needs to be so simple AND secure that nubs can operate it.

    Hooray for Firefox!
  • Ratonetwothreetwoone Join Date: 2004-03-23 Member: 27504 Members
    hahaha coris can't post anymore because of the risk of destroying his 1337ness..

    let's all point and laugh while he does nothing about it
  • Cold_NiTe Join Date: 2003-09-15 Member: 20875 Members
    <blockquote><b>QUOTE</b> (coris @ Feb 15 2005, 04:39 PM) That exploit isn't THAT bad to be honest.
    Firefox leetness makes up for it, anyway.

    1337 posts \o/</blockquote>
    That was good timing to call Firefox L337. Too bad the spell will be broken the second you post anything else.
  • coris Join Date: 2003-07-08 Member: 18034 Members, Constellation
    <blockquote><b>QUOTE</b> (Caboose @ Feb 16 2005, 12:28 AM)
    <blockquote><b>QUOTE</b> (coris @ Feb 15 2005, 03:39 PM) That exploit isn't THAT bad to be honest.</blockquote>
    ???
    You have no idea HOW bad that is. The example used earlier emulated paypal. Imagine being able to get people's credit card info... Or other information that people usually give to an elite number of trusted sites...</blockquote>
    I b0rked my leetness already B<



    Well, if I'm going to some paysite I'd never EVER use a link to enter it anyway, but rather enter the address manually. But maybe that's just me.