From: listener at wernig.net (Markus Wernig)
Subject: state of homograph attacks


Peter Besenbruch wrote:
| Markus Wernig wrote:
|
|> Yes, it does set network.enableIDN = false, but on startup this seems to
|> get ignored. What I had to do to disable it (probably a brute hack):
|> there's a line in ~/.mozilla/firefox/whatever.default/compreg.dat that
|> reads along the lines of
|>
|> "{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so"
|>
|>
|> The head of the file says "don't edit", but after deleting the above
|> line, firefox wasn't able to resolve the punycode url anymore after a
|> restart.
|
|
| Unfortunately, Firefox 1.0 for Linux still displays punycode after
| deleting the line. The demo on http://www.shmoo.com/idn/ still works.
|
Well, I do run FF 1.0 on Linux here (1.0-r3 on Gentoo, but I do realize
that it's a source install, self-compiled), and even after re-enabling
network.enableIDN in about:config, it _does_ display the Unicode
character (Cyrillic "a") on the page, but does _NOT_ load the URL when
clicking on any of the links.
Funny detail: when hovering over the link, the status bar displays the
paypal "lookalike"; as soon as I click on it, it changes to
"p%D0%B0ypal.com" - but that's probably more for a FF bugtracking list ...

lg /m
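The host name quoted in the message, "p%D0%B0ypal.com", is the UTF-8 percent-encoding of a name whose second letter is Cyrillic "а" (U+0430). The following Python check is an added example, not part of the original message or of Firefox: it decodes such a host name, reports which scripts each label mixes, and gives the ASCII (punycode) form. The function names and the use of Unicode character names as a script heuristic are assumptions of this example.

```python
import unicodedata
from urllib.parse import unquote


def label_scripts(label):
    """Return the set of scripts used by the letters of one DNS label.

    Assumption of this example: the first word of the Unicode character
    name ("LATIN", "CYRILLIC", "GREEK", ...) stands in for the script.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def to_ascii(label):
    """ASCII form of a label: unchanged if ASCII, else 'xn--' + punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def analyze_host(host):
    """Decode a possibly percent-encoded host and flag mixed-script labels."""
    decoded = unquote(host, encoding="utf-8", errors="strict").lower()
    labels = decoded.split(".")
    scripts = [label_scripts(label) for label in labels]
    return {
        "decoded": decoded,
        "ascii": ".".join(to_ascii(label) for label in labels),
        "scripts": scripts,
        # A label mixing, say, Latin and Cyrillic letters is the lookalike case.
        "mixed_script": any(len(s) > 1 for s in scripts),
    }


if __name__ == "__main__":
    # First host is the string quoted in the message; second is plain ASCII.
    for host in ("p%D0%B0ypal.com", "paypal.com"):
        r = analyze_host(host)
        verdict = "MIXED SCRIPT" if r["mixed_script"] else "ok"
        print(f"{host} -> {r['ascii']} {r['scripts']} {verdict}")
```

A label written entirely in one non-Latin script is not flagged by the mixed-script test, so the ASCII form is the value to show or compare when deciding whether a name is the one expected.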
