Bits and Pieces
.::.


Monday, February 14, 2005  

Attn: Firefox users

If you havent heard of the Spoofing vulnerability issue (Homograph Attacks) of Firefox, here's some info1. The issue is related to IDN (Internationalized Domain Name). I do not have enough knowledge to explain this better, but in simple terms this is how it goes. Two strings may 'look' the same but in essence may be different. Possible, by using different unicode characters that creates visually similar symbols (ASCII). Modern browsers that are IDN-enabled2 are prone to Homograph Attacks, whereby a spoof site3 could be created of an established business. So unaware users could be guided to a fake-site that could syphon out all critical information4.

To check if your Firefox build is secure, try this:
Visit http://www.shmoo.com/idn/
a) By clicking one of the two urls under "IDN Spoofed URL", if you get "The Fake TSG" message, you are not secure [details abt a soln that I tried, in comments section].

Update 1: Mozilla Foundation's Official Response. Current solution is to turn-off IDN.

Update 2: One of the authors of IDN has better solutions to this problem. Here.

Interesting fact: This bug was fixed within a day of reporting! Check bug-report page.

1 Gathered from a detailed thread on Metafilter
2 List of affected browsers. IE is not IDN-enabled, so IE users are safe
3 That could've been registered using symbols resembling a genuine site's
4 'phishing'

posted by pradeep | Permalink | (6)

6 Comments:

I tried the following solution and later when I tried to log into Gmail, I couldnt (am not sure if they are related).

[To use or not is left to your discretion...be warned of problems that may arise thereof]:

a) Download and install the latest firefox build:
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-aviary1.0.1/b) start Mozilla

c) enter configuration page (type about:config in the address bar), search for network.enableIDN and toggle the value to set it to "False".

d) restart Mozilla

e) visit http://www.shmoo.com/idn/ again, try the links. Should get appropriate Firefox-"site could not be found"-mesg.

By Blogger pradeep, at 9:41 PM 

Reverted back to version 1.0 and was able to log into gmail. [turned off IDN]

By Blogger pradeep, at 10:15 PM 

This looks really scary...it took a while for me to understand what goes on... as both the link went to same page, but showed diff contents..
Then when i opened in IE, i knew that they werent same..

Oh ... Hackers...give us a break

By Blogger JaganLee, at 10:49 PM 

Scary possibilities, yes.

Solution is to type the URL of sensitive sites and not click links.

By Blogger pradeep, at 8:37 AM 

fixed in no time - thats the beauty of open source.

Hackers will never rest, creators need to be unified to tackle the problem.

By Blogger saranyan, at 10:27 AM 

Man
I gotta update this in 4 machines. 2 work lab machines, 1 work desktop machine and then my home laptop.
Will try your path and see how it goes.

rp

By Blogger The Last Blogger, at 1:53 PM 

Post a Comment

Ad
Lens view
comrades
tempe neighbourhood
highlights
archives
yours truly
sweet spots
knock! knock!
Virus Alert!
If a pixel were to see and interpret things as I do, and should it express, with a dose of my thoughts and afterthoughts; the flavor of such a talk should be close to one that you find on this page. And yes, cricket being my favorite sport, dont be surprised to find one too many related terms. Pad up is one such!

Get Firefox!