{"id":276,"date":"2005-02-08T20:11:59","date_gmt":"2005-02-08T20:11:59","guid":{"rendered":"https:\/\/www.docbug.com\/blog\/archives\/276"},"modified":"2005-02-08T20:11:59","modified_gmt":"2005-02-08T20:11:59","slug":"major-firefox-security-vulnerability","status":"publish","type":"post","link":"https:\/\/www.docbug.com\/blog\/archives\/276","title":{"rendered":"Major Firefox Security Vulnerability"},"content":{"rendered":"

There’s a nasty phishing exploit that was made public yesterday that lets anyone fake any domain including SSL certificates<\/em>. The problem comes out of international domain name support and the fact that the English letter a<\/em> and the Cyrillic letter \u0430<\/em> look almost identical. It affects pretty much every web browser except IE and Lynx, which don’t support international domain names yet. (If you installed the IE plugin for IDN support, you’re still vulnerable.)<\/p>\n

The phishing attack is really simple<\/a>. Domain names can now include non-Latin characters<\/a>, which are mapped back into a “common name” so it’s backwards-compatable. So, for example, the Latvian domain name in http:\/\/t\u016bdali\u0146.lv<\/a> translates into the common name http:\/\/xn--tdali-d8a8w.lv\/<\/a>. So all you have to do is register something like the domain www.xn--pypal-4ve.com<\/em> and then send people to the innocuous-looking www.p\u0430ypal.com<\/a>. (Course, if you’ve already fixed your browser you won’t be able to follow the link anymore….) If you look carefully or if your browser isn’t displaying this page as Unicode you can see the letter \u0430<\/em> is in a different font (in fact, it’s a Cyrillic “a”).<\/p>\n

Temporary fix for Firefox:<\/p>\n

    \n
  1. Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the config page.<\/li>\n
  2. Scroll down to the line beginning network.enableIDN \u2014 this is International Domain Name support, and it is causing the problem here. We want to turn this off \u2014 for now. Ideally we want to support international domain names, but not with this problem.<\/li>\n
  3. Double-click the network.enableIDN label, and Firefox should change it to false. (If you get a dialog box, just change it to false<\/em> yourself.)<\/li>\n<\/ol>\n

    You can check to see if you’re vulnerable by going to the website http:\/\/www.shmoo.com\/idn\/<\/a><\/p>\n

    Update:<\/b> It turns out the fix I listed does not<\/em> work in at least some versions of Firefox (sigh). The user preference gets set all right, but for some reason Firefox ignores it. Tech.Life.Blogged has posted both a somewhat kludgy workaround<\/a> that at least disables IDN support until you install a new plug-in, and a nicer fix<\/a> that just involves installing the AdBlocker<\/a> extension and configuring it to block URLs that contain characters outside of the normal ASCII.<\/p>\n

    Longer term we really need a preference that paints the address-bar or otherwise warns us when a domain contains characters from more than one language set \u2014 that’d solve both the problem of p\u0430ypal<\/em> and the equivalant domain that’s all Cyrillic except for the Latin character a<\/em>.<\/p>\n

    Update 2\/15\/05:<\/b> Sounds like one of the original authors of IDN, Paul Hoffman, has proposed something<\/a> that goes one better than what I was proposing: highlight characters from different languages in different colors. That way it’s not a “warning” (and constant false alarm for languages that routinely mix character-sets) but still stands out if you weren’t expecting it. (Thanks to Boing Boing<\/a> for the link.)<\/p>\n

    Update 2\/26\/05:<\/b> Firefox 1.01<\/a> has been released with a fix \u2014 now punycode appears on the URL line as the encoded www.xn--pypal-4ve.com (it can be changed back to the old display in the configuration). While not as pretty as Hofflan’s solution, it’ll work. Note also that Shmoo has stopped hosting https:\/\/www.p\u0430ypal.com<\/a>, though they still have a test link up at http:\/\/www.shmoo.com\/idn\/<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"

    There’s a nasty phishing exploit that was made public yesterday that lets anyone fake any domain including SSL certificates<\/em>. The problem comes out of international domain name support and the fact that the English letter a<\/em> and the Cyrillic letter \u0430<\/em> look almost identical. It affects pretty much every web browser except IE and Lynx, which don’t support international domain names yet. (If you installed the IE plugin for IDN support, you’re still vulnerable.)<\/p>\n

    The phishing attack is really simple<\/a>. Domain names can now include non-Latin characters<\/a>, which are mapped back into a “common name” so it’s backwards-compatable. So, for example, the Latvian domain name in http:\/\/t\u016bdali\u0146.lv<\/a> translates into the common name http:\/\/xn--tdali-d8a8w.lv\/<\/a>. So all you have to do is register something like the domain www.xn--pypal-4ve.com<\/em> and then send people to the innocuous-looking www.p\u0430ypal.com<\/a>. (Course, if you’ve already fixed your browser you won’t be able to follow the link anymore….) If you look carefully or if your browser isn’t displaying this page as Unicode you can see the letter \u0430<\/em> is in a different font (in fact, it’s a Cyrillic “a”).<\/p>\n

    Temporary fix for Firefox:<\/p>\n

      \n
    1. Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the config page.<\/li>\n
    2. Scroll down to the line beginning network.enableIDN \u2014 this is International Domain Name support, and it is causing the problem here. We want to turn this off \u2014 for now. Ideally we want to support international domain names, but not with this problem.<\/li>\n
    3. Double-click the network.enableIDN label, and Firefox should change it to false. (If you get a dialog box, just change it to false<\/em> yourself.)<\/li>\n<\/ol>\n

      You can check to see if you’re vulnerable by going to the website http:\/\/www.shmoo.com\/idn\/<\/a><\/p>\n

      Update:<\/b> It turns out the fix I listed does not<\/em> work in at least some versions of Firefox (sigh). The user preference gets set all right, but for some reason Firefox ignores it. Tech.Life.Blogged has posted both a somewhat kludgy workaround<\/a> that at least disables IDN support until you install a new plug-in, and a nicer fix<\/a> that just involves installing the AdBlocker<\/a> extension and configuring it to block URLs that contain characters outside of the normal ASCII.<\/p>\n

      Longer term we really need a preference that paints the address-bar or otherwise warns us when a domain contains characters from more than one language set \u2014 that’d solve both the problem of p\u0430ypal<\/em> and the equivalant domain that’s all Cyrillic except for the Latin character a<\/em>.<\/p>\n

      Update 2\/15\/05:<\/b> Sounds like one of the original authors of IDN, Paul Hoffman, has proposed something<\/a> that goes one better than what I was proposing: highlight characters from different languages in different colors. That way it’s not a “warning” (and constant false alarm for languages that routinely mix character-sets) but still stands out if you weren’t expecting it. (Thanks to Boing Boing<\/a> for the link.)<\/p>\n

      Update 2\/26\/05:<\/b> Firefox 1.01<\/a> has been released with a fix \u2014 now punycode appears on the URL line as the encoded www.xn--pypal-4ve.com (it can be changed back to the old display in the configuration). While not as pretty as Hofflan’s solution, it’ll work. Note also that Shmoo has stopped hosting https:\/\/www.p\u0430ypal.com<\/a>, though they still have a test link up at http:\/\/www.shmoo.com\/idn\/<\/a>.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[15],"tags":[],"class_list":["post-276","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/posts\/276","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/comments?post=276"}],"version-history":[{"count":0,"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/posts\/276\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/media?parent=276"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/categories?post=276"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.docbug.com\/blog\/wp-json\/wp\/v2\/tags?post=276"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}