Re: state of homograph attacks
From: Markus Wernig <listener () wernig net>
Date: Tue, 08 Feb 2005 01:18:01 +0100
Peter Besenbruch wrote:
| Markus Wernig wrote:
|> Yes, it does set network.enableIDN = false, but on startup this seems to
|> get ignored. What I had to do to disable it (probably a brute hack):
|> there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that
|> reads along the lines of
|> The head of the file says "don't edit", but after deleting the above
|> line, firefox wasn't able to resolve the punycode url anymore after a
| Unfortunately, Firefox 1.0 for Linux still displays punycode after
| deleting the line. The demo on http://www.shmoo.com/idn/ still works.
Well, I do run FF 1.0 on Linux here (1.0-r3 on Gentoo, but I do realize
that it's a source install, self-compiled), and even after re-enabling
network.enableIDN in about:config, it _does_ display the Unicode
character (Cyrillic "a") on the page, but does _NOT_ load the URL when
clicking on any of the links.
Funny detail: when hovering over the link, the status bar displays the
paypal "lookalike"; as soon as I click on it, it changes to
"p%D0%B0ypal.com" - but that's probably more for a FF bugtracking list ...
Full-Disclosure - We believe in it.
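
Added example, not part of the original post: the hostname discussed in this thread (Latin "paypal" with a Cyrillic "a", U+0430) shown in its three representations (Unicode, punycode/ACE, and the percent-encoded form seen in the status bar), plus a check that flags labels mixing scripts. The function names and the script heuristic based on Unicode character names are assumptions made for this illustration.

```python
import unicodedata
from urllib.parse import quote

# Characters that appear in hostnames of any script and are ignored by the check.
COMMON = {"DIGIT", "HYPHEN-MINUS"}


def to_unicode_label(label):
    """Decode an ACE ("xn--") label to Unicode; pass other labels through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(label):
    """Return the scripts used in a label, taken from the first word of each
    character's Unicode name (e.g. LATIN, CYRILLIC). Heuristic, not UTS #39."""
    found = set()
    for ch in label:
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        if first not in COMMON:
            found.add(first)
    return found


def analyze(host):
    """Return the Unicode, ACE and percent-encoded forms of a hostname and
    the list of labels that mix more than one script."""
    labels = [to_unicode_label(part) for part in host.split(".")]
    unicode_host = ".".join(labels)
    return {
        "unicode": unicode_host,
        "ace": unicode_host.encode("idna").decode("ascii"),
        "percent": quote(unicode_host),  # UTF-8 bytes, percent-encoded
        "mixed": [l for l in labels if len(scripts(l)) > 1],
    }


if __name__ == "__main__":
    # Constructed sample inputs: the lookalike in Unicode and ACE form, and the real name.
    for sample in ("p\u0430ypal.com", "xn--pypal-4ve.com", "paypal.com"):
        result = analyze(sample)
        verdict = "MIXED SCRIPT" if result["mixed"] else "ok"
        print(f"{sample!r}: ace={result['ace']} percent={result['percent']} -> {verdict}")
```

A label written entirely in one non-Latin script is not flagged by this check; it only catches the mixed-script case described in the thread.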