New security vulnerability in all browsers, except IE

Here's a little test some guys put together:

http://www.shmoo.com/idn/

If you click one of the links on this page, you will get a URL in your browser that says www.paypal.com, but it will be their site. You have to hit it with any browser but IE to see the effect.

J.D.

 

this could get really gay really fast. Let's hope Mozilla patches soon.

 

That's really scary, luckily I haven't come across a site that used this technique yet but I hope it will be fixed immediately otherwise IE might actually have an advantage (for once)!

 

I read this on boinboing this morning. I am actually one of the only people around that uses IE and will stick behind it. Glad to see my browser of choice is getting good publicity for once.

 

One time out of about one million, I don't think those are very good stats

 

btw, that's really no different than the spoofing one can do by putting the @ in a url to spoof IE.

 

Not true. The '@' character is used to separate user name/password from the domain name in the server portion of the URL. This particular problem is caused by the fact the the first 'a' character in www.paypal.com is actually an 'a' from the Cyrillic alphabet, which looks exactly the same as the one in the Latin alphabet.

BTW, IE doesn't fall for this vulnerability not because MS engineers did a nice job, but because MS doesn't follow standards. IE is URL-encoding the domain name and trying to look up www.p%3Fypal.com instead of the actual domain, which in encoded form is www.xn--pypal-4ve.com (you can see this domain if you examine the certificate).

There's a way to disable international domains in FF. Type about:config in the URL box and scroll down to network.enableIDN. Double-click to disable.

J.D.

 

Imagine that... how long you think it will take M$ to patch IE now to break it?

 

Thanks J.D.

 

The Firefox/Mozilla teams will have it patched within a week...if it's patchable. As far as I know Paypal doesn't run it's website without SSL (https ://). If it ain't secured, it ain't Paypal.

 

Click on this (https://www.pаypal.com/) and look at the bottom right corner where the padlock is. The only way you can see that something's going on is if you look at the certificate, which most people don't do.

Browsers should display IDN's in different color and should show the domain from the certificate along with its decoded counterpart, if they are different.

J.D.