GoFuckYourself.com - Adult Webmaster Forum


azguy 02-07-2005 09:23 PM

First serious FIREFOX!! SECURITY BREACH IS HERE
 
IE is not affected by this. I guess this comes with the popularity after all.

I haven't seen this posted here yet.

Firefox can be easily exposed to sophisticated phishing attacks:

Visit http://www.shmoo.com/idn/ and see. PayPal's address appears not only in the status bar, but also after you click it. The HTTPS version of it is even scarier.


Fix:

1) Go to your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.

4) Go check out the shmoo demo again and notice it no longer works.

Read more about this in http://www.boingboing.net/ (look up Shmoo Group exploit: 0wn any domain, no defense exists).

:thumbsup

Spunky 02-07-2005 09:25 PM

Thanks for the heads up :thumbsup

azguy 02-07-2005 09:27 PM

Seems like you also need to clear the browser cache after applying the fix to actually see if it works.

xlogger 02-07-2005 09:27 PM

mhahahaha!!! NICE!! :Graucho :Graucho

Project-Shadow 02-07-2005 09:28 PM

Damn, so much for the uber firefox browser =/
Hopefully the users will be smart enough to realise something is up.

azguy 02-07-2005 09:29 PM

Quote:

Originally Posted by xlogger
mhahahaha!!! NICE!! :Graucho :Graucho

:1orglaugh It was only a matter of time. The funny thing is that for the most part IE is not affected (those IE users who installed the i-Nav plug-in (http://www.idnnow.com/ - Internationalized Domain Names) are also vulnerable).

azguy 02-07-2005 09:30 PM

Quote:

Originally Posted by Project-Shadow
Damn, so much for the uber firefox browser =/
Hopefully the users will be smart enough to realise something is up.

It's not that easy. The address bar shows the correct address. For SSL connections it even highlights it just like it does with any https address. Crazy shit.

http://www.shmoo.com/idn/homograph.txt

Thurbs 02-07-2005 09:32 PM

well nothing is perfect .. great find.

David! 02-07-2005 09:32 PM

If you were a hacker, would you bother writing spyware for a browser that is used by a few hundred people in the world?
Most likely, no.
But now that Firefox is gaining popularity and has broken the few million users mark, hackers will start writing spyware for Firefox. :2 cents:

Antonio 02-07-2005 09:32 PM

keep using Firefox, guys
I'll stick to K-Meleon, been using it for years, it's about 100 times better than Firefox!

xlogger 02-07-2005 09:33 PM

Another error I found is that if you encrypt the URLs it won't work in Firefox. If you mouse over the URL below it looks fine. But click it, it won't work. It will only work in IE.


Link


azguy 02-07-2005 09:35 PM

Quote:

Originally Posted by PussyMan
If you were a hacker, would you bother writing spyware for a browser that is used by a few hundred people in the world?
Most likely, no.
But now that Firefox is gaining popularity and has broken the few million users mark, hackers will start writing spyware for Firefox. :2 cents:

And now they have the entire code available to help them :1orglaugh

SmokeyTheBear 02-07-2005 09:39 PM

this isn't new ? there's been a few of these for firefox..

azguy 02-07-2005 09:41 PM

Quote:

Originally Posted by SmokeyTheBear
this isn't new ? there's been a few of these for firefox..

VII. Timeline

2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005

I guess some extension that fixes it will be available by one of the coders in a day or two.

undermyspell 02-07-2005 09:47 PM

It still surprises me that people go through links sent to them via email or otherwise when all they have to do is type in the url and go that way...

good information though for those that don't do type ins when they need to verify or change information

azguy 02-07-2005 09:56 PM

Quote:

Originally Posted by undermyspell
It still surprises me that people go through links sent to them via email or otherwise when all they have to do is type in the url and go that way...

good information though for those that don't do type ins when they need to verify or change information

I set up a private home portal for my gf. LOL. It has all the links she needs on a daily basis. She knows this is the only trusted page on the net :1orglaugh

pornguy 02-07-2005 10:01 PM

Thanks for the info.

woj 02-07-2005 10:12 PM

Good info, thx for the heads up...

Mike Okitch 02-07-2005 10:43 PM

Thanks for the info mate! :)

Rochard 02-07-2005 10:48 PM

There are exploits in IE because it's the most commonly used browser. The more popular Firefox gets, the more problems it will have.

However, I really think IE will be the standard for some time to come. It's pre-installed on the most popular OS (windows) and people who don't know better will continue to use it.

MrJackMeHoff 02-07-2005 10:50 PM

Whoopdy doo
When you load the page you can see the BS domain. If you get the plugin for Firefox anyway it shows the true domain right up top. Also if you check the cert it shows all BS too.. I guess if you're that stupid..

Triple 6 02-07-2005 11:02 PM

yo son i been done known this exploit back in 88 yo

muddafukkasheeettt

FrankWhite 02-07-2005 11:12 PM

http://www.corestreet.com/spoofstick/firefox.html

Der Schleicher 02-07-2005 11:21 PM

very helpful tips ! :thumbsup rock on!

QuaWee 02-07-2005 11:34 PM

wow, thanks man

zentz 02-07-2005 11:37 PM

Quote:

Originally Posted by Doomed

your sig is big

chodadog 02-07-2005 11:47 PM

See, it's not that Microsoft are somehow slack when it comes to patching their shit up, it's that they're the main focus because they have the browser market by its balls. Now Firefox is getting to a point where even though its share is tiny compared to that of Microsoft, it's becoming substantial and an exploit would be worthwhile to hackers. So expect Firefox holes to be found more often with its increasing popularity.

xclusive 02-07-2005 11:50 PM

thanks for the heads up but there are always workarounds for any software, no big deal

Ron Bennett 02-07-2005 11:51 PM

Yes, for most folks using an english version OS / web browser, typing in a domain may be sufficient security...

However, in the world of IDNs, things do not work as one would always expect ...

For some folks using *non-english* software, typing in a domain is NO guarantee ... IDNs are not exact and thus there is much latitude in how software maps them to domains.

In a nutshell, there is no guarantee that folks typing a domain name in a non-english based OS / web browser - some will get the website they expect, some won't ... such "best guess" behavior is totally contrary to structure of the DNS system; ICANN was warned repeatedly about these threats and yet has allowed IDNs to go ahead anyways ...

Here's an example of something really spooky ...

Click to this thread below and see if you can spot the real amazon.com?

http://www.dnforum.com/showthread.php?t=81129

Ron

LionDollars 02-08-2005 12:13 AM

thanks for the heads up!

CoinsCuties 02-08-2005 12:39 AM

Quote:

Originally Posted by Ron Bennett
Yes, for most folks using an english version OS / web browser, typing in a domain may be sufficient security...

However, in the world of IDNs, things do not work as one would always expect ...

For some folks using *non-english* software, typing in a domain is NO guarantee ... IDNs are not exact and thus there is much latitude in how software maps them to domains.

In a nutshell, there is no guarantee that folks typing a domain name in a non-english based OS / web browser - some will get the website they expect, some won't ... such "best guess" behavior is totally contrary to structure of the DNS system; ICANN was warned repeatedly about these threats and yet has allowed IDNs to go ahead anyways ...

Here's an example of something really spooky ...

Click to this thread below and see if you can spot the real amazon.com?

http://www.dnforum.com/showthread.php?t=81129

Ron

You have to register for that link.

Ron Bennett 02-08-2005 12:51 AM

Oops ... here's a link to the same thread in their archives.

http://www.dnforum.com/archive/index.php/t-81129

Copy and paste (links in their archive aren't clickable) the first amazon.com link and try it, then copy and paste the second amazon.com link - they look exactly the same, but they are not and actually go to two different places!

Ron

Ron Bennett 02-08-2005 11:58 AM

Bump for the day crew ...

The extremely flawed *implementation* of International Domain Names (IDNs) is an issue more folks need to be made aware of - if enough people bitch about this problem, ICANN / VeriSign (.com registry operator) will likely make some meaningful changes before the IDN spoofing problem gets totally out of control.

Ron

colpanic 02-08-2005 12:16 PM

FYI, a patch is now available for FireFox.

That didn't take too long now did it :)

Ron Bennett 02-08-2005 01:49 PM

The patch does NOT solve the bad implementation of IDNs ...

From my understanding, all the Firefox patch does is fix a config revert problem - that is, Firefox would not save whether IDN support was enabled/disabled across browser sessions.

A better fix would be for Firefox to disable IDN support by default, but not sure the bug fix does that.

To reiterate again, the Firefox patch does NOT solve the bad implementation of IDNs ... only ICANN can fix that...

Or alternatively, all software that relies on domain names needs to NOT support IDNs; filtering out of all punycode "xn--" domains by networks, software, etc.

Ron
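
An added example, not part of the original thread: a Python check of the kind the posts above point toward. It decodes punycode "xn--" labels, flags hostnames whose labels mix scripts (the pattern in the paypal demo), and can reject every IDN outright, as the last post suggests. Function names and sample hostnames are constructed for illustration; the script test uses Unicode character names as an approximation and does not catch lookalikes written entirely in one script.

```python
import unicodedata

def decode_label(label):
    """Return the Unicode form of one DNS label, or None if its punycode is malformed."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:  # UnicodeError is a subclass of ValueError
            return None
    return label

def scripts_in(text):
    """Approximate the scripts used by taking the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def classify_host(host):
    """Return (verdict, details); verdict is ascii, idn-single-script, idn-mixed-script or malformed."""
    verdict, details = "ascii", []
    for raw in host.strip().rstrip(".").split("."):
        label = decode_label(raw)
        if label is None:
            return "malformed", [(raw, [])]
        if label.isascii():
            continue
        scripts = sorted(scripts_in(label))
        details.append((raw, scripts))
        if len(scripts) > 1:
            verdict = "idn-mixed-script"   # e.g. Latin letters plus one Cyrillic letter
        elif verdict == "ascii":
            verdict = "idn-single-script"  # legitimate IDNs land here, so do some lookalikes
    return verdict, details

def allowed(host, block_all_idn=False):
    """Policy: always refuse mixed-script and malformed names; optionally refuse every IDN."""
    verdict, _ = classify_host(host)
    if verdict == "ascii":
        return True
    return verdict == "idn-single-script" and not block_all_idn

# Constructed sample: "paypal" with a Cyrillic "а" (U+0430), encoded the way it would appear in DNS.
SPOOF = "www.xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"

if __name__ == "__main__":
    for h in ("www.paypal.com", SPOOF, "p\u0430ypal.com", "m\u00fcnchen.de"):
        print(h, classify_host(h), allowed(h), allowed(h, block_all_idn=True))
```

With `block_all_idn=True` the check behaves like the blanket "xn--" filter, at the cost of refusing legitimate international names as well.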


All times are GMT -7.