Nekochan Net


All times are UTC - 8 hours


Posted: Tue Feb 08, 2005 8:10 am

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
Right off Neowin.net:
Quote:
FireFox fans across the world, grab the Kleenex!

According to a paper recently published by Eric Johanson of the Shmoo Group, users on most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc), Safari 1.2.5, Opera 7.54, Omniweb 5 are victim to a complex International Domain Name [IDN] spoof.

This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for Internet Explorer). The Shmoo Group have created a proof of concept where the links are directed at "http://www.pаypal.com/", which the browsers' punycode handlers render as http://www.xn--pypal-4ve.com.

According to the group there is however an easy way to detect you're under a spoof attack: cut & paste the url you are accessing into notepad or some other tool (under OSX, paste into a terminal window) which will allow you to view what character set/pagecode the string is in. You can also view the details of the SSL cert etc.

You can disable IDN support in Mozilla products by setting 'network.enableIDN' to false. There is no known workaround for Opera or Safari. Vendor responses have been varied with VeriSign and Apple failing to respond but Opera believing they have correctly implemented IDN, and will not be making any changes (oops). Mozilla are currently working on finding a good long-term solution. The company provided a clear workaround for disabling IDN temporarily until it can better address the issue.

This latest exploit will provide spammers with a way to trick FireFox, Opera and Safari users into thinking they're on a certain website. Commonly known as Phishing, this latest attack by spammers and hackers is frighteningly common.

Update: Many users are reporting the config change in Firefox does not work; currently there is no fix for Firefox.

Neowin's Brandon Goode Contributed to this report


To see if you're vulnerable, take a look here: http://www.shmoo.com/idn/

network.enableIDN set to false works fine for me...


Last edited by unixmuseum on Tue Feb 08, 2005 9:25 am, edited 1 time in total.
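
Added example (not part of the original thread or of the Shmoo Group's proof of concept): a defender-side check for the homograph described in the quoted article. It converts a hostname to the ASCII form that is actually sent to DNS and flags labels that mix scripts; the function names and the script-from-character-name heuristic are assumptions of this sketch.

```python
import unicodedata


def scripts_in(label):
    """Return the set of scripts used by the letters of one DNS label.

    Heuristic (assumption of this example): the first word of the Unicode
    character name (LATIN, CYRILLIC, GREEK, ...) stands in for the script.
    """
    found = set()
    for ch in label:
        if ch.isalpha():
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def inspect_host(host):
    """Return (ascii_form, suspicious_labels) for a hostname.

    Accepts either the Unicode form or the "xn--" (punycode) form, so it
    can be run over URLs copied from a page or over proxy/DNS log entries.
    """
    if host.isascii():
        # Decode any "xn--" labels back to Unicode before inspecting them.
        host = host.encode("ascii").decode("idna")
    ascii_form = host.encode("idna").decode("ascii")
    suspicious = []
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:  # e.g. Latin letters plus one Cyrillic letter
            suspicious.append((label, sorted(scripts)))
    return ascii_form, suspicious


# Constructed samples: the spoof from the article (U+0430 CYRILLIC SMALL
# LETTER A in place of Latin "a"), its punycode form, and the real name.
SPOOF = "www.p\u0430ypal.com"
SPOOF_ACE = "www.xn--pypal-4ve.com"
GENUINE = "www.paypal.com"

if __name__ == "__main__":
    for name in (SPOOF, SPOOF_ACE, GENUINE):
        print(inspect_host(name))
```

A label written entirely in one non-Latin script passes this check, so it complements showing the xn-- form to the user and does not replace it.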

Posted: Tue Feb 08, 2005 8:37 am

Joined: Fri Jun 06, 2003 3:25 pm
Posts: 573
Location: Italy
many thanks.. worked for me as well with Mozilla/windows.. I'll fix that at home on my SGI as well.

luckily I still use mozilla and not yet firefox :D

/me owned by mozilla.

_________________
----
:: jean-claude
:: mimgfx dot com
----


Posted: Tue Feb 08, 2005 9:04 am

Joined: Wed Feb 18, 2004 1:08 pm
Posts: 62
Location: Manchester, England
Quote:
network.enableIDN set to false works fine for me...


Unfortunately this only works until you restart Firefox, upon which IDN is re-enabled despite having it set to false in about:config.

The real fix is to edit compreg.dat as here:

http://forums.mozillazine.org/viewtopic.php?t=215226


Posted: Tue Feb 08, 2005 9:30 am

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
rothers wrote:
Quote:
network.enableIDN set to false works fine for me...


Unfortunately this only works until you restart Firefox, upon which IDN is re-enabled despite having it set to false in about:config.

The real fix is to edit compreg.dat as here:

http://forums.mozillazine.org/viewtopic.php?t=215226

DARN! Nice catch! Thanks!


Posted: Sat Mar 05, 2005 3:55 am

Joined: Fri Nov 28, 2003 11:12 am
Posts: 168
Location: Gothenburg / SWEDEN
has this issue been resolved with the 1.0.1 release or is it sort of a feature that's gone bad and will never be "resolved"..

_________________
Behold my spermlogo, for it is I: Quick, Ambitious, creative and a tad bit sexually oriented.
----------------
[SGI Indigo2 R10K | High Impact | Indigo2 Video for IMPACT with indycam | Irix 6.5.22m]


Posted: Sat Mar 05, 2005 4:39 am
Moderator

Joined: Sun Mar 30, 2003 4:29 am
Posts: 2476
Location: Kabul, Afghanistan, Asia
I believe the necessary code has been or will be rewritten to resolve these IDNs differently and make it apparent to the user... if only I hadn't thrown away the link to that article...

_________________
...only chemist in .af?
Eroteme.ch - eternally unfinished and never started


Posted: Sat Mar 05, 2005 8:46 am

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
makkan77 wrote:
has this issue been resolved with the 1.0.1 release or is it sort of a feature that's gone bad and will never be "resolved"..

Yes, it is solved in 1.0.1


Posted: Sat Mar 05, 2005 10:29 am

Joined: Fri Nov 28, 2003 11:12 am
Posts: 168
Location: Gothenburg / SWEDEN
ahh great..
'cause all those half 'n half fixes seemed well no good..

_________________
Behold my spermlogo, for it is I: Quick, Ambitious, creative and a tad bit sexually oriented.
----------------
[SGI Indigo2 R10K | High Impact | Indigo2 Video for IMPACT with indycam | Irix 6.5.22m]


Posted: Sat Mar 05, 2005 11:02 am

Joined: Tue Feb 24, 2004 4:10 pm
Posts: 9555
makkan77 wrote:
ahh great..
'cause all those half 'n half fixes seemed well no good..


Actually, it's not entirely fair to blame the browsers. A big part of the problem is with BIND and crappy DNS. If you'd like a discussion of poisoned IPs and the failings of BIND, look for Jonathan deBoyne Pollard's writings on the subject. Phishing *shouldn't* be so easy .....


Posted: Sun Mar 06, 2005 1:15 pm

Joined: Mon Apr 19, 2004 3:25 pm
Posts: 2783
Location: Los Angeles, CA
hamei wrote:
Actually, it's not entirely fair to blame the browsers. A big part of the problem is with BIND and crappy DNS. If you'd like a discussion of poisoned IPs and the failings of BIND, look for Jonathan deBoyne Pollard's writings on the subject. Phishing *shouldn't* be so easy .....

Maybe, but for once, this doesn't seem to affect IE...

What's amazing with Firefox is the 1984 style of rewriting the history:
"Version X is the most secure web browser in the galaxy" we are told... Until X.01 comes out and then you get a message "Don't use version X, there are so many security holes".

Every time MS releases a security patch, it's a deluge of derogatory comments about how shitty IE is. Yet, when the firefox guys do the same thing, it is presented as a highlight of how great open source is...

Don't get me wrong, firefox has tons of great ideas in it, and obviously far fewer exploits for now (but for how long, and what kind of damage can skilled programmers do if they have access to a source code?). I find the whole situation rather ironic... It's a competition of marketing spewer, from both sides of the fence...

Now, I am just wondering how much of this "don't use version X" is a way of getting more downloads out of firefox to enforce the "firefox is taking over" propaganda...

