Spoofing advisory on domain "simulation"

[aww]

This could become very serious for novices,
apparently international domains (IDN) can be
used to fool initial visual inspection:
demonstration: (I have no association with this site)
http://www.shmoo.com/idn/
Look very carefully at the first "a" in paypal in that demonstration.

In theory this can be blocked at least in Firefox by turning off international domain support (IDN) as a temporary workaround:

type about:config in your address bar
search for network.enableIDN
click on it to set it to FALSE
IDN support should then be disabled

 

[mole]

In theory this can be blocked at least in Firefox by turning off international domain support (IDN) as a temporary workaround:

Do you know if IE does the same, I looked into my Advanced Options and don't see anything there on IDN.

 

[daughterofeve]

the site says it works in everything BUT IE... so, lol.. i can't see it XD

 

[mole]

the site says it works in everything BUT IE... so, lol.. i can't see it XD

Well, at least there is one thing Microsoft did right. :gl:

 

[zaros64]

lol just get firefox...I wouldn't wanna block international domains

 

[daughterofeve]

lol just get firefox...I wouldn't wanna block international domains

lol, I think you got that a little backwards...

 

[mole]

lol just get firefox...I wouldn't wanna block international domains

What so hot about firefox? ... pardon the pun

 

[Brian]

lol just get firefox...I wouldn't wanna block international domains

in firefox support is on by default for these domains, that is what COULD cause the problem. For these sites to work in IE you have to download a plugin for them to work.

This is one thing that IE might actually be better than firefox in. but at least you can turn off support for them in Firefox.

Regards
Brian

 

[AdoptableDomains]

What so hot about firefox? ... pardon the pun

I use both, because there are still some bugs and sites that won't work well in Firefox. However, the tabbed browsing is my favorite feature. For forum reading, I can open each thread in a new browser tab instead of separate IE windows. Much, much easier....

 

[Anthony]

Well, at least there is one thing Microsoft did right. :gl:

Wait -- what MS did right is not offer support for international characters in URLs? That must be how the company does something 'right'. Yikes!

 

[FusionX]

Yeah ... we (read Microsoft) are better because we are technologically backward than the competition.

Funny...

 

[mole]

Wait -- what MS did right is not offer support for international characters in URLs? That must be how the company does something 'right'. Yikes!

Yes, because Microsoft also does email clients and server software, Internet server software... blah, blah. These decisions are not taken lightly.

A renegarde like FireFox can just come in and do their own thing and smoke weed without a care for the real world.

Microsoft needs to be a lot more responsible than that. Over 90% of the business world depends on them to ensure seamless compatibility.

 

[zaros64]

If I turned international domains off..I live in nz so would I be able to get .co.nz domains?

 

[mole]

If I turned international domains off..I live in nz so would I be able to get .co.nz domains?

No, all the ccTLDs will stop functioning, including .US

 

[www.AmCy.org]

I use both, because there are still some bugs and sites that won't work well in Firefox. However, the tabbed browsing is my favorite feature. For forum reading, I can open each thread in a new browser tab instead of separate IE windows. Much, much easier....

I don't use Firefox but that is a great feature; I enjoy using it in Opera.

AmCy

 

[Werpon]

Microsoft needs to be a lot more responsible than that. Over 90% of the business world depends on them to ensure seamless compatibility.

You mean 90% of the home users; but seamless compatibility is guaranteed by international standards that, by the way, Microsoft manages to get always backwards.

 

[Anthony]

No, all the ccTLDs will stop functioning, including .US

That is incorrect. We are talking about turning off support for IDNs, which are domain names with international characters, like letters with hyphens in the URL -- NOT ccTLDs like .co.nz, .co.uk, or .ws!

 

[Bramiozo]

Firefox to Disable IDN Support as Phishing Defense

The Mozilla development team said today that it will disable a browser feature that allows URL spoofing and could leave users open to scams. Upcoming releases of the Firefox and Mozilla browsers will turn off support for Internationalized Domain Names (IDN) by default to protect users from the spoofing, which works in current versions of Firefox, Mozilla, Opera and the Safari browser for Macs. The affected browsers support IDN, while Microsoft's Internet Explorer does not.

The spoof exploits flaws in how the browsers interpret Unicode, a broad character set used in IDN that allows URLs to include non-English characters. Unicode can be used to craft "homographic" attacks, in which two different combinations of characters in an HTML link can display the same URL in the browser, but send users to different sites. URL spoofing exploits are useful to Internet phishing scams, making it easier to trick victims into sharing sensitive information with bogus web sites constructed by fraudsters.

The spoofing flaw was demonstrated by the Shmoo Group, which used a Unicode link to display www.paypal.com in the address bar of affected browsers, but send users to www.xn--pypal-4ve.com - which then displays "www.paypal.com" in its address bar. A similar spoof works on SSL-enabled URLs (https) commonly used on banking and e-commerce sites.

The attack can be disabled in Firefox and Mozilla by setting 'network.enableIDN' to false in the browser's configuration (enter about:config in the address bar to access the configuration functions). The Mozilla development team today made this the default setting. Users who want IDN support will be able to turn it on, but will be warned about the risks involved.

"This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1," the Mozilla Foundation said in its advisory. "For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names."

The Mozilla team said that domain registrars are ignoring ICANN guidelines on IDN, and have developed a list of problematic Unicode characters that could be banned in domain names to limit homographic attacks.

Posted by richm at February 15, 2005 02:24 PM | Subscribe


http://news.netcraft.com/archives/2005/02/15/firefox_to_disable_idn_support_as_phishing_defense.html

 

[mole]

That is incorrect.

:blink:

 

[Nexus]

I think this is horrible. IE is dragging heal for Longhorn, and its lack of support of IDN's is definitely NOT something they "did right", which is how the Netcraft story pitched it. The correct implementation of IDN's is the ONLY "crime" the rest of the browsers are guilty of. Moreover, Verisign STILL shows a plugin for making IDN work on IE too, though I'm not sure if the IE plugin implementation bares the same problems as the native implementations of IDN on other browsers.

With Firefox disabling IDN by default, I think this is a knife in the back of IDN support. The idea that nothing can address the problem quickly safe TURNING IT OFF, seems to imply something highly problematic with the standard. Sad. Baby out with the bathwater.

I just posted another issue with .BIZ e-mail users being tarred in order to solve a vBulletin spammer issue that is JUST starting to hit the radar.
http://www.namepros.com/showthread.php?t=71566

I don't like how issues like this make benign standards and technologies suddenly take on the sinister traits of the person(s) exploiting them.

~ Nexus