merge 293975 294439
thanks

Please don't file duplicate bug reports.
* C. Scott Ananian ([EMAIL PROTECTED]) wrote:
> Package: mozilla-firefox
> Version: 1.0+dfsg.1-5
> Severity: grave
> Justification: user security hole
>
> "Homograph attack" allows an attacker to create a link, with SSL 'lock' and
> everything, which is indistinguishable from a trusted site. Advisory is here:
> http://www.shmoo.com/idn/homograph.txt
> Example page showing this attack for paypal.com is at:
> http://www.shmoo.com/idn/
> and example for amazon.com is at:
> http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3866526512
> This last is a real shame.
>
> There is a simple workaround for mozilla and firefox:
>
> You can disable IDN support in mozilla products by setting
> 'network.enableIDN' to false.

Unfortunately this preference is broken right now; I'll be patching firefox
tonight to fix it.

> This should be done ASAP for debian packages to provide a 'secure by default'
> experience. The advisory indicates that mozilla is "working on finding a
> good long-term solution"; we should re-enable IDN only when that 'real'
> solution appears. This fix may upset international users, but they can
> locally re-enable IDN once they are advised of the vulnerability. For
> English-speaking users disabling IDN is obviously the right thing to do.

I'm really not sure. The phishing possibilities are a bit scary, but how
widespread are these IDNs? Am I going to be making a lot of popular websites
inaccessible? Just because someone is "English-speaking" doesn't mean they
can't speak or want to surf pages of a different language.

-- 
Eric Dorland <[EMAIL PROTECTED]>
ICQ: #61138586, Jabber: [EMAIL PROTECTED]
1024D/16D970C6 097C 4861 9934 27A0 8E1C 2B0A 61E9 8ECF 16D9 70C6
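The advisory's demo relies on a Cyrillic letter that renders like a Latin one inside an IDN label. The following is an added example, not part of this thread or of any Mozilla or Debian code: it decodes xn-- (punycode) labels with Python's standard `idna` codec and flags labels that mix scripts or that consist entirely of Cyrillic lookalikes. The script lookup via Unicode character names and the lookalike table are simplifications assumed for this example (a real checker would use the UTS #39 script and confusable data).

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones (assumption
# for this example; the full Unicode confusables list is much larger).
CYRILLIC_LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
                       "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y"}


def to_unicode(hostname: str) -> str:
    """Decode xn-- labels to their Unicode form; pass Unicode hostnames through."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname


def script_of(ch: str) -> str:
    """Simplified script lookup: first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return "COMMON"  # digits and hyphens belong to no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def latin_lookalike(label: str):
    """If every letter of the label is a Cyrillic lookalike, return the Latin string it imitates."""
    letters = [c for c in label if c.isalpha()]
    if letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
        return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    return None


def homograph_findings(hostname: str) -> list:
    """Return human-readable findings for a hostname; an empty list means nothing was flagged."""
    findings = []
    for label in to_unicode(hostname).split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:  # e.g. Latin letters with one Cyrillic letter slipped in
            findings.append("label %r mixes scripts %s" % (label, sorted(scripts)))
        imitated = latin_lookalike(label)
        if imitated:  # whole-script confusable: legitimate Cyrillic names can trip this too
            findings.append("label %r is whole-script confusable with %r" % (label, imitated))
    return findings


def is_suspicious(hostname: str) -> bool:
    return bool(homograph_findings(hostname))


if __name__ == "__main__":
    # Constructed samples: Cyrillic а (U+0430) in place of Latin a, as in the advisory's demo.
    spoofed = "p\u0430ypal.com"
    for host in (spoofed, spoofed.encode("idna").decode("ascii"), "paypal.com"):
        print(host, homograph_findings(host))
```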