Dynaverse.net

Off Topic => Engineering => Topic started by: toasty0 on February 07, 2005, 06:02:39 pm

Title: Security Alert for alternative browser users
Post by: toasty0 on February 07, 2005, 06:02:39 pm

ALERT ALERT ALERT

New phishing scam launched against non IE browsers. Find out more about your browser at the following links:

Opera (http://secunia.com/advisories/14154/)
Mozilla and Firefox (http://secunia.com/advisories/14163/)
Netscape (http://secunia.com/advisories/14165/)

This alert is listed as moderate critical.

Jerry

Title: Re: Security Alert for alternative browser users
Post by: FRA.E.Kehakoul_XC on February 07, 2005, 06:08:55 pm

As far as i can tell Opera 6.05 is not affected.

Title: Re: Security Alert for alternative browser users
Post by: Nemesis on February 07, 2005, 06:23:58 pm

Keep in mind that this is a problem with a standard that these browsers properly adhere to.  The reason Microsoft is not hit by it is that they either do not implement the standard or do so in a proprietary way.  The standard appears to need some work. 

Quote

Workaround: Mozilla based browsers only:
Enter the following url: about:config
Scroll down to network.enableIDN
If the value column is True then right click on it and choose the toggle option this will change the value to False which disables that feature and protects you from the attack

Quote

VI.   Vendor Responses

Verisign: No response yet.

Apple:  No response yet.

Opera:  They believe they have correctly implemented IDN, and will not be making any changes.

Mozilla:  Working on finding a good long-term solution; provided clear workaround for disabling IDN.

Title: Re: Security Alert for alternative browser users
Post by: toasty0 on February 07, 2005, 11:51:54 pm

Quote from: IKV Nemesis on February 07, 2005, 06:23:58 pm

Keep in mind that this is a problem with a standard that these browsers properly adhere to.

Good to see at least one of the developers stayed awake and recognised a bad standard when they saw one. As Forest used to say, "Sheep is as sheep do-do." or something like that.

Heheheh

Title: Re: Security Alert for alternative browser users
Post by: Monty on February 08, 2005, 04:14:16 am

Does disabling IDN have any undesirable side effects?

Good find on the security alert.

Title: Re: Security Alert for alternative browser users
Post by: Nemesis on February 08, 2005, 07:40:15 pm

Quote from: Monty on February 08, 2005, 04:14:16 am

Does disabling IDN have any undesirable side effects?

Good find on the security alert.

You won't be able to handle urls that use characters not used in English.  Many east European languages or oriental languages for example.

Quote from: toasty0 on February 07, 2005, 11:51:54 pm

Good to see at least one of the developers stayed awake and recognised a bad standard when they saw one. As Forest used to say, "Sheep is as sheep do-do." or something like that.

The standard is basically good.  Unless of course you think that you shouldn't be allowed to access websites in countries that use other languages. 

The problem is more in the implementation at the domain name registrar level.  Each top level domain or nation should only use one character set.  That way if you saw "www. microsoft. com" or "www. microsoft. us" you would know it was the English version.  If you saw something like "www. microsoft. ru " or "www. microsoft.to" you would have reason to be suspicious.  With the current system one could spoof "www .microsoft. com" by using alternate character sets for the "i" or "o" for example.   Similar things have been done in the past using "1" or "0" to replace the "I" or "O". 

Of course you can make yourself more secure by following the advice given by toasty's link

Quote

Solution:
Don't follow links from untrusted sources.