Re: Multiple Browsers IDN Spoofing Test

From: Christian Persch <chpe gnome org>
To: frodrigues ig com br
Cc: epiphany-list gnome org
Subject: Re: Multiple Browsers IDN Spoofing Test
Date: Wed, 09 Feb 2005 01:05:02 +0100

Hi,

On mar, 2005-02-08 at 12:35 -0200, Fabiano Rodrigues wrote:
>Eric Johanson has reported a security issue in multiple browsers, which
>can be exploited by a malicious web site to spoof the URL displayed in
>the address bar, SSL certificate, and status bar.
>
>http://secunia.com/multiple_browsers_idn_spoofing_test/

Thanks for the notice. Actually, the spoofing potential of homographs
has been known for years, so this isn't a new attack.

Epiphany gets the location in the location bar and statusbar from the
embedded mozilla rendering engine. Any fix that mozilla comes up with --
see https://bugzilla.mozilla.org/show_bug.cgi?id=279099 -- will be
inherited by Epiphany automatically. So there is no action from us
required.

As a workaround, you could set network.enableIDN to 'false' in
about:config; but that's currently not working in released mozilla
versions because of a bug
[https://bugzilla.mozilla.org/show_bug.cgi?id=261934].

Regards,
	Christian

Follow-Ups:
- Re: Multiple Browsers IDN Spoofing Test
  - From: Matthew Thomas

References:
- Multiple Browsers IDN Spoofing Test
  - From: Fabiano Rodrigues

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]