Major Firefox Security Vulnerability

There’s a nasty phishing exploit that was made public yesterday that lets anyone spoof any domain, complete with a valid SSL certificate for the lookalike name. The problem stems from international domain name support and the fact that the Latin letter a and the Cyrillic letter а look almost identical. It affects pretty much every web browser except IE and Lynx, which don’t support international domain names yet. (If you installed the IE plugin for IDN support, you’re still vulnerable.)

The phishing attack is really simple. Domain names can now include non-Latin characters, which are mapped to an ASCII-only form (punycode, marked with the xn-- prefix) so that existing DNS stays backwards-compatible. So, for example, the Latvian domain name in http://tūdaliņ.lv translates into the ASCII form http://xn--tdali-d8a8w.lv/. So all you have to do is register something like the domain www.xn--pypal-4ve.com and then send people to the innocuous-looking www.pаypal.com. (Of course, if you’ve already fixed your browser you won’t be able to follow the link anymore….) If you look carefully, or if your browser isn’t displaying this page as Unicode, you can see that the letter а is in a different font (in fact, it’s a Cyrillic “a”). Note that the certificate the attacker presents is perfectly genuine; it was simply issued for the lookalike domain, so the browser has no reason to complain.

Temporary fix for Firefox:

  1. Go to your Firefox address bar. Enter about:config and press Enter. Firefox will load the config page.
  2. Scroll down to the line beginning network.enableIDN — this is International Domain Name support, and it is causing the problem here. We want to turn this off — for now. Ideally we want to support international domain names, but not with this problem.
  3. Double-click the network.enableIDN label, and Firefox should change it to false. (If you get a dialog box, just change it to false yourself.)

You can check to see if you’re vulnerable by going to the website http://www.shmoo.com/idn/

Update: It turns out the fix I listed does not work in at least some versions of Firefox (sigh). The user preference gets set all right, but for some reason Firefox ignores it. Tech.Life.Blogged has posted both a somewhat kludgy workaround that at least disables IDN support until you install a new plug-in, and a nicer fix that just involves installing the AdBlocker extension and configuring it to block URLs that contain characters outside the normal ASCII range.

Longer term we really need a preference that colors the address bar or otherwise warns us when a domain contains characters from more than one script — that’d solve both the problem of pаypal and the equivalent domain that’s all Cyrillic except for the Latin character a.
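Here is what the punycode mapping described above and the mixed-script check proposed here look like in code. This is an added example, not code from the original post, from Shmoo, or from Firefox. It uses Python’s built-in IDNA codec for the xn-- conversion and takes each character’s script from the first word of its Unicode name (LATIN, CYRILLIC, …); the display_form policy (show punycode only when a label mixes scripts) is an assumed combination of the post’s suggestion with the punycode display that Firefox later adopted, not any browser’s actual behavior. The hostnames are constructed test data.

```python
"""Homograph check for IDN hostnames: punycode form plus a mixed-script test.

Added example, not code from the original post, Shmoo, or Firefox.
The hostnames below are constructed test data; U+0430 is the Cyrillic
lookalike 'a' discussed in the post.
"""
import unicodedata

# Characters that legitimately appear in any DNS label regardless of script.
COMMON_CHARS = set("-0123456789")


def script_of(ch: str) -> str:
    """Coarse script name for one character, taken from the first word of its
    Unicode character name (LATIN, CYRILLIC, GREEK, ...). The hyphen and ASCII
    digits are reported as COMMON so they never trigger a warning alone."""
    if ch in COMMON_CHARS:
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def to_punycode(hostname: str) -> str:
    """ASCII-compatible (xn--) form of a hostname, converted label by label
    with Python's IDNA codec. Pure-ASCII labels pass through unchanged."""
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Set of scripts used in a single DNS label, ignoring COMMON characters."""
    return {s for s in (script_of(c) for c in label) if s != "COMMON"}


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes characters from more than one script, e.g. the
    Latin letters of 'pypal' combined with a Cyrillic 'а'. An all-Latin name
    with diacritics (tūdaliņ) is a single script and does not trip this."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def display_form(hostname: str) -> str:
    """Assumed address-bar policy for illustration: show the Unicode name when
    every label is single-script, fall back to punycode when a label mixes
    scripts so the lookalike is visibly exposed."""
    return to_punycode(hostname) if is_mixed_script(hostname) else hostname


if __name__ == "__main__":
    # Constructed inputs: genuine name, Cyrillic-a lookalike, legitimate Latvian IDN.
    for host in ["www.paypal.com", "www.p\u0430ypal.com", "t\u016bdali\u0146.lv"]:
        print(f"{host!r:26} mixed={is_mixed_script(host)!s:5} shown as {display_form(host)}")
```

Running the block prints the lookalike as www.xn--pypal-4ve.com while leaving the single-script Latvian name readable, which is the distinction the per-script approach is meant to make. The script heuristic is deliberately coarse: real registries use per-script tables and handle confusables within a single script (e.g. l versus 1) separately.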

Update 2/15/05: Sounds like one of the original authors of IDN, Paul Hoffman, has proposed something that goes one better than what I was proposing: highlight characters from different scripts in different colors. That way it’s not a “warning” (and a constant false alarm for languages that routinely mix scripts) but still stands out if you weren’t expecting it. (Thanks to Boing Boing for the link.)

Update 2/26/05: Firefox 1.0.1 has been released with a fix — punycode now appears on the URL line as the encoded www.xn--pypal-4ve.com (it can be changed back to the old display in the configuration). While not as pretty as Hoffman’s solution, it’ll work. Note also that Shmoo has stopped hosting https://www.pаypal.com, though they still have a test link up at http://www.shmoo.com/idn/.