[Wolves] Security problem in firefox, what was it?

Simon Burke simon.burke at gmail.com
Wed Feb 9 14:50:44 GMT 2005


See below

On Wed, 9 Feb 2005 14:47:27 +0000, Kevanf1 <kevanf1 at gmail.com> wrote:
> Could somebody refresh my memory, please?  There was a post the other
> day detailing a security problem that hit Firefox but, rather
> perversely, did not hit Internet Explorer as long as it hadn't been
> updated.  But I must have deleted the post and I have been asked about
> it.  DOH!!!!
> --
> Take care.
> Kevan Farmer
> 
> 34 Hill Street
> Cheslyn Hay
> Staffordshire
> WS6 7HR
> 

Punycode domains could wreak havoc in security world.

Posted by Duane from CAcert at
http://www.cacert.org/news.php?from=rss&id=13
Finally someone has shown what everyone feared, that punycode can
cause big problems with security where you can think you are going to
the real site (in this case paypal.com) but in reality you are going
to a fake site that has created its domain to look like another. This
is a valid concern in all browsers except Internet Explorer, and only
because Microsoft had failed to implement any new major features in
their browser of late. Verisign can come to the rescue and provide you
with a punycode plug-in for MS IE that's also able to take advantage
of the problem. It's possibly the only time Microsoft's lax attitude
to giving people what they ask for will save us from more widespread
abuse of this. See
http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html for
more details about this problem.

In short punycode is a way of encoding multiple language characters in
domain names without causing major changes in the way that domains
work to accommodate this directly...

eg... a domain that looks like paypal.com (using Cyrillic characters
for one of the a's) is

www.xn--pypal-4ve.com

which you can then put a link on your website as...

www.p&#1072;ypal.com

and it will all just work, except that it's not really paypal's
website, it's the browser converting unicode characters into printable
form to make it seem like it's paypal...

****

"I'm looking for that Francis Bacon, in-the-face, whoops factor in the
sound.  And I get it sometimes." - Scott Walker
~  www.milboro.com - www.snurl.com/allbran


-- 
Theres no place like ::1

Thanks,
SimonB

http://simon.geek-web.co.uk
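The look-alike domain Duane's post walks through, as an added example that is not from the post or from CAcert: a small Python check that decodes a punycode (xn--) host name back to Unicode and flags any label whose letters come from more than one script, which is what lets pаypal.com pass for paypal.com on screen. The host names are constructed samples; the script names come from Unicode character names, a heuristic rather than a full script database.

```python
import unicodedata

# Constructed samples: the genuine domain beside the homograph from the post.
# The xn-- label decodes to "paypal" with a Cyrillic "а" (U+0430) in place of the Latin "a".
SAMPLE_HOSTS = ["www.paypal.com", "www.xn--pypal-4ve.com"]


def decode_idn(hostname: str) -> str:
    """Turn each xn-- (punycode) label back into its Unicode form."""
    try:
        return hostname.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return hostname  # already in Unicode form, nothing to decode


def script_of(ch: str) -> str:
    """Rough script of a character from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label: str) -> set:
    """Scripts used by the letters of one label (digits and '-' are ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def homograph_report(hostname: str) -> dict:
    """Decode a host name and flag labels that mix scripts.

    A label such as "pаypal" (Cyrillic а + Latin letters) renders identically
    to "paypal", so a mixed-script label is the signal a defender wants to see
    before trusting a link, a certificate name or a log entry.
    """
    unicode_host = decode_idn(hostname)
    mixed = []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            mixed.append((label, sorted(scripts)))
    return {
        "ascii": hostname,
        "unicode": unicode_host,
        "has_idn_labels": unicode_host != hostname,
        "mixed_script_labels": mixed,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        r = homograph_report(host)
        print(f"{r['ascii']:<24} -> {r['unicode']:<18} "
              f"suspicious={r['suspicious']} {r['mixed_script_labels']}")
```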


