Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: state of homograph attacks
From: Peter Besenbruch <prb () lava net>
Date: Mon, 07 Feb 2005 12:21:59 -1000

Markus Wernig wrote:
Hash: SHA1

Valdis.Kletnieks () vt edu wrote:
| On Mon, 07 Feb 2005 11:06:18 PST, Richard Jacobsen said:
|>Open up firefox, put about:config into the address bar, and then change
|>network.enableIDN to false by double clicking on it.  If it is working
|>successfully, you should get a message "domainname.com could not be
|>when clicking on an IDN link. You shouldn't need to restart your browser.
| The actual bug referenced by Gerald is that if you use about:config to
set it,
| it *works* without having to restart, but at the next restart of the
| the setting no longer works...

Yes, it does set network.enableIDN = false, but on startup this seems to
get ignored. What I had to do to disable it (probably a brute hack):
there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that
reads along the lines of

The head of the file says "don't edit", but after deleting the above
line, firefox wasn't able to resolve the punycode url anymore after a

Unfortunately, Firefox 1.0 for Linux still displays punycode after deleting the line. They demo on http://www.shmoo.com/idn/ still works.

I should also point out that Konqueror 3.3.2 is also vulnerable, but the the SSL demo brings up a certification warning. To the clueless, such a warning might not do much, but to some, a bad certification on an SSL page is a red flag.

Perhaps we should all ask Microsoft to port Internet Explorer to Linux. That way we would all be safe.

Hawaiian Astronomical Society: http://www.hawastsoc.org
HAS Deepsky Atlas: http://www.hawastsoc.org/deepsky
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]