THE LATEST NEWS
Monday, February 07, 2005

Moz Hosed Again!
You say you like Firefox for all its features? You say you like Firefox because it doesn't have all the coding errors you'll find in IE? Is that what you say, bunky? How about this one then: an Internet browser feature meant to permit Web addresses in Chinese, Arabic and other languages could encourage online fraudsters by making scam Web sites look legitimate to visitors. For once, the affected browser is not the industry-leading Internet Explorer from Microsoft Corp. but rather several of its more robust competitors. That's because the aging IE lacks support for internationalized domain names — at least without a plug-in, which would then make IE vulnerable as well. A fix won't be easy: the vulnerability, publicized at a weekend hacker conference, enables so-called "phishing" scams by abusing a feature, not a coding error.

Thank you, Unicode! The mousetrap theory strikes again...


Comments on this Item:
 
It was bound to happen. It's just kind of ironic that IE's lack of features turned out to become its saving grace. I'd still feel safer with Firefox though. Besides, tabs rock.


 
Type about:config in the address bar to access the configuration settings.

Change 'network.enableIDN' to false (double click on that line).
This disables the feature that allows the exploit.

I found a sample page, and information about it, at http://www.shmoo.com/idn/ as well as the method of stopping it for Mozilla-based browsers.

The result of the change is that a faked address will not be found.
Try the sample on the page above before, and after, making the change.



 
It's also fairly rare that you can fix a bug in IE by just changing a setting that doesn't have a major effect on the rest of the way you browse the web. Props to the response above.


 
A more permanent fix is to edit the compreg.dat file in your Firefox profile. Open that file with a text editor and do a search for idn. Delete both lines that reference it, then save the file.

I found the about:config tweak didn't work reliably, but this disables IDN functionality altogether.



 
The problem with disabling IDN altogether is that, well, it disables internationalized domain names altogether. For an American who doesn't know what a "ß" is called, much less want to enter domain names with it, that's fine. For a German who thinks the city they live in is called München, blast it, and not Muenchen, and wants to go to www.münchen.de, it's not so nice. The correct fix is probably for registrars to not allow registrations by different entities when one is a compatibility decomposition of the other... which still only solves part of the problem, as U+0430, the CYRILLIC SMALL LETTER A, is not an odd form of a, but rather a different letter in its own right.

The basic problem is that it's very difficult to say "this looks too much like paypal.com, it must be somebody trying to defraud people" without having a human looking at every domain name, or at least every Unicode character, with an eye toward fraud -- and in many cases with knowledge of the language. (To an American, two Han characters may look the same, whereas a Chinaman would say "they're completely different -- that's a dot on the one on the left, and a short stroke on the one on the right!") Oh, by the way, there are more than 6,500 characters defined.



 
"My name's Olo, Hans Olo." Yup, that's the problem with exploiting features.


 
I don't know about anyone else, but in Firefox 1.0, disabling IDN didn't change anything for me. I can still follow the demo link to a page that says "meeow". No "host not found" errors like what IE gives.

I verified that I have changed the correct setting, and that it remained disabled after closing and re-opening the browser. I also cleared my cache before testing the demo link again.



 
I tried it and it worked for me--I got the meeow before I made the change, but no meeow afterwards. Thanks for the tip.


 
Oops, seems that setting had a bug where it would reset to true the next time Firefox was restarted.

http://forums.mozillazine.org/viewtopic.php?t=215221&sid=839546992ef66c2a92e202e2fe77c04e

The fix is to either edit a config file manually, or grab a nightly build of Firefox that fixed it.



 
Let's not forget that the Moz browsers aren't the only ones affected by this: Opera and Safari and the rest of the Mozilla spin-offs.


 
Here's a suggestion for the FF engineers to work around the problem: add an option to change the background color of Unicode characters. It won't stop phishing attacks, but you can see at a glance if the similar-looking characters are not true ASCII. Make it appear in the URL bar, status bar, and body text.
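
The two points raised in the comments above, that a Cyrillic а (U+0430) mixed into Latin letters is a genuinely different letter that encodes to a different name on the wire, while a compatibility-decomposable look-alike collapses to the very same ASCII name, plus the suggestion of flagging non-ASCII characters in the URL bar, as an added Python example (not from the page, the Shmoo demo or Mozilla) built only on the standard library's idna codec and unicodedata. The sample hostnames are constructed; the script-detection heuristic (first word of the Unicode character name) is an assumption adequate for illustration, not a full confusables check.

```python
"""Defensive check for IDN look-alike hostnames (added example, not from the page)."""
import unicodedata


def script_of(ch: str) -> str:
    """Rough script of a character taken from its Unicode name: LATIN, CYRILLIC, CJK..."""
    if ch == "-" or ch.isdigit():
        return "COMMON"          # digits and hyphen belong to every script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def to_ace(hostname: str) -> str:
    """Wire form the resolver sees: ASCII labels stay, others become xn--... (IDNA 2003)."""
    return hostname.encode("idna").decode("ascii")


def highlight_non_ascii(hostname: str) -> str:
    """Mark every non-ASCII character with its code point, the URL-bar idea above."""
    return "".join(c if ord(c) < 128 else f"[{c} U+{ord(c):04X}]" for c in hostname)


def analyze(hostname: str) -> dict:
    """Return the ACE form, a marked-up display form and per-label warnings."""
    warnings = []
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            # Latin p-y-p-a-l around a Cyrillic a: the classic homograph case
            warnings.append(f"{label!r}: mixed scripts {sorted(scripts)}")
        folded = unicodedata.normalize("NFKC", label)
        if folded != label and folded.isascii():
            # Compatibility decomposition collapses the label to a plain ASCII name,
            # so nameprep sends the *same* bytes as the real domain
            warnings.append(f"{label!r}: NFKC-equivalent to ASCII {folded!r}")
    return {"ace": to_ace(hostname),
            "display": highlight_non_ascii(hostname),
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed samples: genuine, Cyrillic-a homograph, legitimate IDN, fullwidth look-alike
    for host in ("www.paypal.com", "www.p\u0430ypal.com",
                 "www.m\u00fcnchen.de", "\uff50\uff41\uff59\uff50\uff41\uff4c.com"):
        print(analyze(host))
```

The legitimate www.münchen.de passes with no warning, which is the trade-off the earlier comment describes: a mixed-script or NFKC check flags look-alikes without disabling IDN for everyone.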


RealTechNews.com
Underground Networks, Inc. Copyright 2005
All Rights Reserved