| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 10 Feb 2005 08:40:27 +0100 From: Marcin Sochacki <wanted@....univ.gda.pl> To: bugtraq@...urityfocus.com Subject: Re: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs. On Wed, Feb 09, 2005 at 01:04:53PM -0000, Randal, Phil wrote: > I've verified that the flaw exists on Windows XP SP2 fully patched IE 6 > with Verisign's plugin from http://www.idnnow.com/index.jsp. I think it's incorrect to blame browsers for this bug. It's a flaw in the design of IDN, which was obvious from the very beginning. In Unicode set there are many characters which look very similar, not only hex 0430; dec 1072, CYRILLIC SMALL LETTER A which was used in fake "paypal" example. The "fixes" proposed so far rely on switching off the IDN support in browsers, which only confirms, that it's not a bug, it's a feature. What are IDN-enabled browsers supposed to do, anyway? Should they display a special warning in case a user enters an IDN domain name? Or a different "padlock" icon in case of SSL? People, who legally bought those names would be then treated unfairly. I think it's up to the browsers' authors to invent some nonobtrusive way to notify the user, that he/she entered an IDN-enabled site (like a small icon in the address or status bar; maybe an additional address bar, which would show the real punycode URL; etc.), but let's not forget that IDN was invented that way. Marcin
Powered by blists - more mailing lists