IDN Spoofing Issue

User Help for Mozilla Firefox
Pike
Posts: 2293
Joined: August 10th, 2003, 12:12 pm
Location: UK

Post by Pike »

WebVoyager wrote:After having set the about:config to disable network.enableIDN (set to FALSE), I also included the following line in my user.js script, in order to avoid any future accidental change :
user_pref("network.enableIDN", false);

Adding to user.js should make no difference, the problem was not that the pref got reset but that Firefox only checked it when the value changed and not when the browser was first started.

WebVoyager wrote:I've read also that a nightly Firefox 1.1 (or 1.01) version had fixed the IDN problem.

These versions fix disabling IDN, they don't fix the problem itself, since the flaw is not a bug in Firefox code but a fundamental issue with IDN.

Edit: Fixed quoting error, sorry Mini-Geek.
Guest
Guest

Post by Guest »

Hey, not sure if this is part of the same problem, but today I noticed a problem with one of my Firefox quick-links on my task-bar that I had saved for an eBay auction I wanted to bid on later this week. When clicked, it goes to the original eBay page then quickly jumps to a spoofed eBay login page. Is this part of this issue?
barnburner
Guest

Post by barnburner »

When I do the adblock fix, I get a warning message "The filter you have entered will be interpreted as a regular expression." Have I entered something wrong, or should I click ok?
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

barnburner wrote:When I do the adblock fix, I get a warning message "The filter you have entered will be interpreted as a regular expression." Have I entered something wrong, or should I click ok?
just to be sure, click cancel and copy and paste the thing in the response, then click ok
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
barnburner
Guest

Post by barnburner »

Mini-Geek wrote:
barnburner wrote:When I do the adblock fix, I get a warning message "The filter you have entered will be interpreted as a regular expression." Have I entered something wrong, or should I click ok?
just to be sure, click cancel and copy and paste the thing in the response, then click ok


Yeah, I did the copy and paste thing just to be sure I didn't make a mistake.
I did the test on the spoofing test site, and nothing happened, so I guess it worked.
Just wanted to be sure I wasn't messing something up.
Thanks
Mini-Geek
Posts: 1239
Joined: February 7th, 2005, 8:08 pm
Location: Bulverde (near San Antonio), Texas, USA

Post by Mini-Geek »

Anonymous wrote:
Mini-Geek wrote:
barnburner wrote:When I do the adblock fix, I get a warning message "The filter you have entered will be interpreted as a regular expression." Have I entered something wrong, or should I click ok?
just to be sure, click cancel and copy and paste the thing in the response, then click ok


Yeah, I did the copy and paste thing just to be sure I didn't make a mistake.
I did the test on the spoofing test site, and nothing happened, so I guess it worked.
Just wanted to be sure I wasn't messing something up.
Thanks
that's all correct, that's what's supposed to happen
Playing computers since 6 months old,
Tim
Fx 2.0.0.1 on WinXP - Forum Rules
Guest
Guest

Post by Guest »

I did the addition of # ... but a test still shows the same result. Any advice?
KevinMillican
Guest

Re: AD Block Fix - Nice and simple

Post by KevinMillican »

KevinMillican wrote:If you look at the 'Advanced Options' of Internet Explorer, it appears that the only reason it is not vulnerable to this type of exploit is because there is an option called 'Always send URLs as UTF-8 (requires restart)' that is ticked by default. The URL requested does not get sent as 16bit unicode so it can't match the target description, and this is why you get a 'page not found' error.


Actually I wasn't quite correct here - current version of Internet Explorer doesn't support IDN at all - see this link: http://support.microsoft.com/default.aspx?scid=kb;en-us;842848
aasgier
Posts: 690
Joined: January 5th, 2005, 4:47 am
Location: The Hague

Post by aasgier »

You can also try this: the spoofstick extension is updated, see http://www.jarnot.com/mt/archives/2005/ ... poof_s.php
It seems to be working.

For the latest Mozilla news Read http://www.de-gier.info/ the Daily Mozilla news
Mozilla Links Database: http://home.planet.nl/~vulture/ The Hague, Netherlands (MAC OSX 10.48 and Kubuntu 6.06)
Sealord
Posts: 38
Joined: July 10th, 2004, 8:58 am

IDN

Post by Sealord »

Ref the idea of placing ^\x20-\xFF]/ in Adblock and the switching to Site Blocking. I find that it does not work for me. In fact in regular expressions, which is the script used here, the FF is supposed to be replaced by 2 hexadecimal digits. "Find" "xFF" at http://www.regular-expressions.info/reference.html

In this context ^\x20-\x20]/ blocks the test at http://secunia.com/multiple_browsers_idn_spoofing_test/

Another idea mentioned in the forums at http://forums.mozillazine.org/viewtopic ... 9b9ebf3fa3 uses this script within the extension Greasemonkey. That is where I saw the idea to replace the FF with 20. It works by going to the site but warning you.
Sealord
Posts: 38
Joined: July 10th, 2004, 8:58 am

Post by Sealord »

Sealord wrote:Ref the idea of placing ^\x20-\xFF]/ in Adblock and the switching to Site Blocking. I find that it does not work for me. In fact in regular expressions, which is the script used here, the FF is supposed to be replaced by 2 hexadecimal digits. "Find" "xFF" at http://www.regular-expressions.info/reference.html

In this context ^\x20-\x20]/ blocks the test at http://secunia.com/multiple_browsers_idn_spoofing_test/

Another idea mentioned in the forums at http://forums.mozillazine.org/viewtopic ... 9b9ebf3fa3 uses this script within the extension Greasemonkey. That is where I saw the idea to replace the FF with 20. It works by going to the site but warning you.
Sorry: the expression is /[^\x20-\x80]/ where 80 replaces the FF.
Ken Cooper
Posts: 306
Joined: July 26th, 2004, 4:15 pm
Location: Holland, MI USA

Re: AD Block Fix - Nice and simple

Post by Ken Cooper »

KevinMillican wrote:The AdBlock method works because when you request the URL, Firefox converts the html URL to 16bit unicode. At that point AdBlock detects the match against the regular expression (ie. the URL has a character outside the range ASCII 32 to 255) and prevents you from loading the page. When you click on the link with the AdBlock filter installed, nothing happens at all. However, as I mentioned in my post, you have to tick the AdBlock 'Site Blocking' option for it to work.


Thanks for the explanation, and the temporary fix. I went ahead and applied the instructions, and Adblock did prohibit access to the phishing site. I STAND CORRECTED, and apologize for being bull-headed.
My Firefox Info
NOTE: Firefox is spelled “F-i-r-e-f-o-x”; only the first letter capitalized. The preferred abbreviation is “Fx” or “fx”.
hellfried
Posts: 29
Joined: November 29th, 2003, 10:19 pm

Re: Quick-fix

Post by hellfried »

n00tz wrote:there's a simple fix for those that wish to take care of it before an official patch/fix comes out.

go to the about:config page and disable network.enableIDN (set to FALSE).

I went back to the secunia page and it checked out.


I tried this fix, but when I went to the Secunia site and tested it, it took me to the spoof site! Yikes! Am running Firefox 1.0 on WinXP SP2 with the latest security updates.
KevinMillican
Guest

Regular Expression Range

Post by KevinMillican »

Sealord wrote:Another idea mentioned in the forums at http://forums.mozillazine.org/viewtopic ... 9b9ebf3fa3 uses this script within the extension Greasemonkey. That is where I saw the idea to replace the FF with 20. It works by going to the site but warning you.
Sealord wrote:Sorry: the expression is /[^\x20-\x80]/ where 80 replaces the FF.


Actually I'm not sure what is the best value for the upper end of the range. Hex 7F is the maximum 7bit value. Fairly sure that some cgi queries use the tilde character '~' ie. hex 7E, but what I can't remember offhand is whether any higher characters are used, eg. the '£' symbol (hex A3). URL syntax does allow characters to be escaped, eg. %20 is used to represent a space and %A3 would indicate a '£' symbol. With these possibilities in mind I set the acceptable range to be ASCII 32 to 255 (hex 20 to hex FF) but it is possible that /[^\x20-\x7E]/ would be sufficient as the regular expression.
Sealord
Posts: 38
Joined: July 10th, 2004, 8:58 am

Post by Sealord »

Anonymous wrote:
Sealord wrote:Another idea mentioned in the forums at http://forums.mozillazine.org/viewtopic ... 9b9ebf3fa3 uses this script within the extension Greasemonkey. That is where I saw the idea to replace the FF with 20. It works by going to the site but warning you.
Sealord wrote:Sorry: the expression is /[^\x20-\x80]/ where 80 replaces the FF.


Actually I'm not sure what is the best value for the upper end of the range. Hex 7F is the maximum 7bit value. Fairly sure that some cgi queries use the tilde character '~' ie. hex 7E, but what I can't remember offhand is whether any higher characters are used, eg. the '£' symbol (hex A3). URL syntax does allow characters to be escaped, eg. %20 is used to represent a space and %A3 would indicate a '£' symbol. With these possibilities in mind I set the acceptable range to be ASCII 32 to 255 (hex 20 to hex FF) but it is possible that /[^\x20-\x7E]/ would be sufficient as the regular expression.
I agree it may be just as well to end the set with \x7E which is the tilde "~", thus /[^\x20-\x7E]/. The /[^\x20-\x80]/ takes it one step up as far as the Euro sign "€". With \x7E all usual characters seem to be included and [^ negates anything outside the usual range of characters. Anything beyond that range gets into more unusual characters, which is where the problem lies I think.
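
The three filter ranges debated in this thread, compared side by side as an added example (not code from any poster or from Adblock). The sample URLs and the `example.test` host are constructed, and the patterns are evaluated as JavaScript regular expressions, where `\xNN` means the code point U+00NN.

```javascript
// Candidate filters from the thread, written as JavaScript regular expressions.
// Each one matches (and so would block) a URL containing any character
// outside the stated range.
const FILTERS = {
  "x20-xFF": /[^\x20-\xFF]/,
  "x20-x80": /[^\x20-\x80]/,
  "x20-x7E": /[^\x20-\x7E]/,
};

// Names of the filters that would block this URL string.
function blockedBy(url) {
  return Object.keys(FILTERS).filter((name) => FILTERS[name].test(url));
}

// Code points of the characters rejected by the strictest range (x20-x7E),
// useful for seeing exactly which character triggered the block.
function offendingChars(url) {
  return Array.from(url)
    .filter((ch) => FILTERS["x20-x7E"].test(ch))
    .map((ch) =>
      "U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"));
}

// Constructed sample URLs; example.test is a placeholder host.
const SAMPLES = {
  // Ordinary URL with a tilde (0x7E) and a percent-escaped space.
  plainAscii: "http://www.example.test/~user/page?q=a%20b",
  // Cyrillic small a (U+0430) standing in for Latin "a" in the host name.
  cyrillicA: "http://www.ex\u0430mple.test/",
  // Unescaped pound sign (U+00A3): inside x20-xFF, outside the other two.
  poundSign: "http://www.example.test/price?c=\u00A3",
  // Euro sign is U+20AC in JavaScript strings, so it is outside all three.
  euroSign: "http://www.example.test/price?c=\u20AC",
};

for (const [label, url] of Object.entries(SAMPLES)) {
  console.log(label, blockedBy(url), offendingChars(url));
}
```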