IDN Spoofing Issue

User Help for Mozilla Firefox
Locked
t22
Guest

Post by t22 »

'go to the about:config page and disable network.enableIDN (set to FALSE)'

Does this method work ok? or am I missing something?
I've downloaded an update so the value remains set after a browser quit/restart.

t22
Guest
Guest

Post by Guest »

When you use https:// you get a yellow background in the address bar. Is it possible to get a patch that will use a orange background in the address bar when IDN is active (red = https:// + IDN)? That would be an elegant fix.
User avatar
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Re: AD Block Fix - Nice and simple

Post by Mini-Geek »

Ken Cooper wrote:
KevinMillican wrote:A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/m ... dows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.


I don't how you think this works, but don't fool yourself, because it won't.

Code: Select all

http://www.paypаl.com/
http://www.payp & # 1072 ; l.com/


Adblock does not prohibit you from clicking on a link - even if you target the " ; " symbol.
Ken Cooper wrote:
GreenAlien wrote:Ken,

"won't" or "doesn't" ? - Have you actually tried it yourself?

It appears to work fine for me with the test at:
http://secunia.com/multiple_browsers_idn_spoofing_test/

If you have experienced otherwise feel free to post the steps.

..Ant
Take your pick either way that filter is ineffective. I don't have to try it, because of what I stated in my previous post.

The best solution to this IDN vulnerability until a permanent fix is in place, is to actually type the link into your address bar when visiting a financial or personal website.
I don't know how it works either, but I know that it does work, so why don't you try it before you criticize it for not working? make sure that you tick "site blocking" also
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
Hendikins
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

Post by Hendikins »

t22 wrote:'go to the about:config page and disable network.enableIDN (set to FALSE)'


This is broken in 1.0.
matjes
Guest

Post by matjes »

Weird. on my WINXP, the line for IDN service in compreg.dat looks different:

@mozilla.org/embedcomp/cookieprompt-service;1,{ce002b28-92b7-4701-8621-cc925866fb87}
@mozilla.org/network/idn-service;1,{62b778a6-bce3-456b-8c31-2865fbb68c91}
@mozilla.org/intl/unicode/decoder;1?charset=x-mac-ukrainian,{6394eeaa-fc3d-11d2-b3b8-00805f8a6670}
@mozilla.org/download;1,{e3fa9d0a-1dd1-11b2-bdef-8c720b597445}


in fact, the whole CONTRACTIDS section in compreg.dat is formatted with the hex-ids at the end of the line.
Commenting out the single line referreding to idn (idn-service) does nothing to fix the problem..
Zulu
Guest

Post by Zulu »

I have tried the add blocking solution it does seem to stop the site from loading.
User avatar
Spewey
Folder@Home
Posts: 5799
Joined: January 25th, 2003, 2:06 pm
Location: St. Paul, Minnes°ta

Post by Spewey »

idiots . . . . . . . . . lightbulb
idiots . . . . . lightbulb
idiots . . . lightbulb
idiots lightbulb!

gerv wrote:The latest round of punycode-based homograph attacks has led people to suggest switching off IDN, either personally or in browser security releases. This solution is inherently discriminatory - IDN was introduced to try and level the playing field in domain names with regard to their alphabet.
http://www.gerv.net/hacking/security/phishing.html

see also:
http://james.seng.cc/archives/2005/02/0 ... ofing.html

Repeat: your offspring are safe from harm; go to sleep.
geochimp
Posts: 1
Joined: February 9th, 2005, 2:05 am
Location: USA

Post by geochimp »

Has anybody heard of Netcraft Anti-Phishing Toolbar for IE?
http://toolbar.netcraft.com/

It seems to work great, BUT there needs to be one created for Firefox/Mozilla. I've written them, but they apparently want MANY folks to write them to let them assess a need, then dev. can begin. Maybe Mozilla.org can contact them and they would share their expertise? Probably not without a price, right?

Anyway, just thought I'd tell you about this, in case you weren't already aware. Thanks for all your great work with Mozilla!

Patrick
maclinman
Guest

Post by maclinman »

This script edits the IDN lines in compreg.dat on apple OSX, you may need to check the paths to make sure this is the right place on your setup. I've used this in a loginhook on a classroom full of macs. Roll on the proper fix.

#!/bin/bash
#uses tempfile for sed, as mac sed doesn't have -e
compreg="$HOME/Library/Application Support/Firefox/Profiles/default.ro6/compreg.dat"
[ -f "$compreg" ] &&
cp -f "$compreg" "$compreg.tmp" &&
sed 's/@mozilla.org\/network\/idn-service;1/@mozilla.org\/network\/idn-service;0/g' "$compreg.tmp" > "$compreg" &&
echo patched
WebVoyager
Posts: 160
Joined: November 20th, 2004, 4:58 am

Re: Quick-fix

Post by WebVoyager »

n00tz wrote:there's a simple fix for those that wish to take care of it before an official patch/fix comes out.</p>

go to the about:config page and disable network.enableIDN (set to FALSE).</p>

I went back to the secunia page and it checked out.


Discrimanatory or not, as a Firefox user and until the IDN issue is fixed, this solution does work perfectly for my little person. Quite selfish perhaps, but this workaround has satisfied the Secunia test and as a novice I don't feel able to refuse a radical but effective solution on the ground of philosophical matters. Sorry.
User avatar
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

WebVoyager wrote:
n00tz wrote:there's a simple fix for those that wish to take care of it before an official patch/fix comes out.</p>

go to the about:config page and disable network.enableIDN (set to FALSE).</p>

I went back to the secunia page and it checked out.


Discrimanatory or not, as a Firefox user and until the IDN issue is fixed, this solution does work perfectly for my little person. Quite selfish perhaps, but this workaround has satisfied the Secunia test and as a novice I don't feel able to refuse a radical but effective solution on the ground of philosophical matters. Sorry.
WebVoyager,
Did you restart Firefox after you set the about:config setting? If you did and it still blocks the IDN correctly, do you have a nightly or are you using 1.0? I've heard that bug has been fixed somewhere along the way in the nightlies.
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
WebVoyager
Posts: 160
Joined: November 20th, 2004, 4:58 am

Post by WebVoyager »

Hi Mini-Geek,

After having set the about:config to disable network.enableIDN (set to FALSE), I also included the following line in my user.js script, in order to avoid any future accidental change :
user_pref("network.enableIDN", false);

The Secunia test is satisfied (Firefox Alert Window saying the site pay'something' (forgot the exact spelling) could not be found.

I am using the original Firefox 1.0 English version (though living in France) :
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I've read also that a nighty Firefox 1.1 (or 1.01) version had fixed the IDN problem. The point is I am aware of nighty versions (Firefox as any other) unless for experienced users.
User avatar
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

WebVoyager wrote:Hi Mini-Geek,

After having set the about:config to disable network.enableIDN (set to FALSE), I also included the following line in my user.js script, in order to avoid any future accidental change :
user_pref("network.enableIDN", false);

The Secunia test is satisfied (Firefox Alert Window saying the site pay'something' (forgot the exact spelling) could not be found.

I am using the original Firefox 1.0 English version (though living in France) :
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

I've read also that a nighty Firefox 1.1 (or 1.01) version had fixed the IDN problem. The point is I am aware of nighty versions (Firefox as any other) unless for experienced users.
I don't understand why that's working for you, unless it's because you have XP and I have 98SE, I did exactly what you said and it still allows the test to come up even though it's still marked as "false" in about:config :-k
p.s. in my signature is a link to my Firefox info
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
WebVoyager
Posts: 160
Joined: November 20th, 2004, 4:58 am

Post by WebVoyager »

Mini-Geek, it's true that my platform is Windows XP, SP2 in fact. But I don't see in which way this should make any difference.

I'm thinking of a basic issue, like when the reason of a car problem is the lack of gazoline:

Perhaps your cache has conseved information previously to the network.enableIDN (set to FALSE) option.
Try going in Options-> Privacy -> Cache, and then click on 'Clear'

If this doesn't fix the issue, then I would call all the experienced users here on our Mozalline Forum to give us a helping hand!
I'll try as for myself to figure other alternatives if your problem persists. I'll be off until 20:00 GMT.

Don't worry.
User avatar
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

I cleared my cache and it still shows, if we can't get this to work I can just do the Adblock code
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
Locked