
Browser Hack, Firefox users beware

Posted: 2005-02-08 10:24am
by Plekhanov
www.shmoo.com/idn

Who'd have thought it: a hack that doesn't affect Microsoft stuff.

Re: Browser Hack, Firefox users beware

Posted: 2005-02-08 10:32am
by Sharp-kun
Plekhanov wrote: Who'd have thought it: a hack that doesn't affect Microsoft stuff.
There's a reasonable amount, they just tend not to get publicised as much.

Posted: 2005-02-08 10:47am
by Darth Wong
Ironically, this is precisely because IE has been so badly neglected. Since it doesn't support some of the newer encoding standards, and this hack relies on abuse of one of those newer encoding standards, it doesn't work on IE. It's a bit like saying that a cell-phone hack doesn't work on a land-line.

Posted: 2005-02-08 11:32am
by Crayz9000
The fix for Firefox and other Mozilla-based browsers is trivially easy.

Simply go to about:config, and look for network.enableIDN. Set its value to false.

That's it. No more spoofing via IDN.

Posted: 2005-02-08 05:46pm
by Zac Naloen
Crayz9000 wrote: The fix for Firefox and other Mozilla-based browsers is trivially easy.

Simply go to about:config, and look for network.enableIDN. Set its value to false.

That's it. No more spoofing via IDN.
for us idiots... how do you do that.. exactly...?

:D

Posted: 2005-02-08 06:53pm
by Drooling Iguana
Zac Naloen wrote:
Crayz9000 wrote: The fix for Firefox and other Mozilla-based browsers is trivially easy.

Simply go to about:config, and look for network.enableIDN. Set its value to false.

That's it. No more spoofing via IDN.
for us idiots... how do you do that.. exactly...?

:D
Exactly what he said. Type "about:config" in the URL bar, scroll down until you find network.enableIDN and set it to false.

Posted: 2005-02-09 03:17am
by Faram
Thanks for the tip, Crayz9000.

Zac Naloen, here is a screenshot for you.

Image

Posted: 2005-02-09 05:04am
by Medic
And with that an exploit is PWN3D in the face. Goodbye Internet Explorer, you crazy insecure bitch.

(edit: I just recently upgraded to Mozillafox, as I'm calling it)

Posted: 2005-02-09 08:00am
by Lucifer
I have both Netscape and Firefox on OSX, and they're remarkably similar. However, I don't know if Netscape has the same IDN problems as Firefox.

Posted: 2005-02-09 12:54pm
by Crayz9000
Lucifer wrote: I have both Netscape and Firefox on OSX, and they're remarkably similar. However, I don't know if Netscape has the same IDN problems as Firefox.
It's a Mozilla-based browser, so probably yes.

about:config should work if it's Netscape 7, and won't work if it's Netscape 6. Besides, if it's NS6 you should upgrade it due to an older security bug.

Posted: 2005-02-10 07:40am
by LadyTevar
Wow... that was easy. Took me only 30 sec.

Thanks!

Posted: 2005-02-10 09:29am
by Nieztchean Uber-Amoeba
Whoa. That took me, like, 10 seconds to toggle IDN to false.

FIREFOX FUCKING RULES!!!

Posted: 2005-02-11 11:00pm
by CelesKnight
Are you sure that that solution works?

I set the setting to false, rebooted, cleared the caches, checked that the setting was still false, and the "fake" link still works.

Either:
A) I'm misunderstanding the problem and/or solution
or
B) There may be people here who think they're protected but aren't.

This site gives a "permanent" solution, but I haven't tried it yet.

Posted: 2005-02-12 01:38am
by Crayz9000
... that's quite bizarre. When I first tried it, it prevented the IDN spoofed domain from working. Now (he did modify the link however) it does work.

Following what the guy said in the link you posted, I can see why. It's irritating that changes in about:config don't hold over. Anyway, I have tested the fix that he proposed and I can confirm it does work. But for most people, using the AdBlock extension fix that he gave would probably be easier.

Posted: 2005-02-24 08:12am
by Crayz9000
I have another update to add.

If you use vanilla Mozilla, then you can get the MultiZilla extension. Get the latest stable nightly, which is 1.8.x.x. Multizilla now features a "secret" hashing feature for SSL sites that will warn you of a spoofed IDN domain (I tested it -- the regular link still worked as before, but the more dangerous SSL link was noticed by Multizilla).

So if you use vanilla Mozilla, I would use Multizilla until the next version of Mozilla is released sans IDN support.
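
Added example (not part of any post in this thread, and not MultiZilla's method): a Python check that flags internationalized labels in a URL's hostname and returns the ASCII "xn--" form that is actually looked up. The function names and the sample hostname are constructed for illustration, and guessing a letter's script from its Unicode character name is an approximation.

```python
import unicodedata
from urllib.parse import urlsplit

def scripts_in(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def check_host(url):
    """Return (ascii_host, warnings) for the hostname part of url."""
    host = urlsplit(url).hostname or ""
    # ASCII-compatible ("xn--") form: the name that is actually looked up.
    ascii_host = host.encode("idna").decode("ascii")
    # Unicode form: what an IDN-enabled address bar would display.
    shown_host = ascii_host.encode("ascii").decode("idna")
    warnings = []
    for label in shown_host.split("."):
        if label.isascii():
            continue
        warnings.append(f"internationalized label {label!r}")
        scripts = scripts_in(label)
        if len(scripts) > 1:
            warnings.append(f"mixed scripts in {label!r}: {sorted(scripts)}")
    return ascii_host, warnings

# Constructed sample: "example.com" with the Latin "a" replaced by Cyrillic U+0430.
SAMPLE = "https://ex\u0430mple.com/login"

if __name__ == "__main__":
    for url in (SAMPLE, "https://example.com/login"):
        print(url, "->", check_host(url))
```

The same warnings are produced whether the link carries the Unicode name or its "xn--" form, so the check can be run on URLs taken from mail or proxy logs.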

Posted: 2005-02-24 02:01pm
by darthdavid
I don't know if it's 'cause I'm using the Debian build of FF but it was set to false by default. :D

Posted: 2005-02-24 02:55pm
by Crayz9000
Test the spoof page again and see if it works. Remember that as above, the network.enableIDN solution doesn't seem to be working properly... I don't know if it's the case for the Debian build.