MozillaZine


IDN Spoofing Issue

User Help for Mozilla Firefox
Guest
Guest
 

Post Posted February 8th, 2005, 4:29 am

One idea for a fix: Set a flag (default on) to show the URL bar in escaped mode (%xx) if the character is not an ascii 7bit char, but allow the user to type the character anyway. This would make clear that the site uses international chars, but is not intrusive nor makes the browser handicaped.

Guest
Guest
 

Post Posted February 8th, 2005, 6:53 am

I've just editted my (windows) copy and there is no line remotely like that, only one line exists with the word 'byte' and it has nothing to do with the fault.

Slurdge
Guest
 

Post Posted February 8th, 2005, 7:43 am

This may be naive, but since the problem is that a human cannot see the difference, couldn't we try to simulate this behaviour on the computer side ? For example, we could render the url in a normalized font, and then try a pattern matching with ascii char. If there is a match and that the found domain name exists, warn the user that he may be the victim of a spoofing attack.
This would be like this:
(fake encoded paypal.com) -> render -> (pixels) -> pattern matching -> (paypal.com in text form) -> (paypal.com exists - possible spoofing) -> warn.

I'm not sure how easy it is to implement, however.

InvisiBill

User avatar
 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post Posted February 8th, 2005, 8:22 am

Anonymous wrote:I've just editted my (windows) copy and there is no line remotely like that, only one line exists with the word 'byte' and it has nothing to do with the fault.

Hendikins wrote:... comment out all lines containing IDN ...

You should be looking for IDN, not byte.

Guest
Guest
 

Post Posted February 8th, 2005, 8:55 am

thanks. works a treat now. had to remove:

@mozilla.org/network/idn-service;1,{62b778a6-bce3-456b-8c31-2865fbb68c91}
{xxx},@mozilla.org/network/idn-service;1,application/x-mozilla-static,nsIDNService,necko_core_and_primary_protocols
{xxx},@mozilla.org/network/idn-service;1,application/x-mozilla-static,nsIDNService,necko_core_and_primary_protocols

But two thoughts:

1. i'm assuming it fails because mozilla is silently translates codes like #xxxx into their proper values? Why not just show in the url the value contained in the link without translating it but still use the converted string internally? that way the same phishing problem will be made visible?
2. who's daft idea was it to allow non-ascii codes for domain names when it breaks the ability to make a url universally readable and accessible?

Neil.

Orlanz
Guest
 

Post Posted February 8th, 2005, 10:15 am

Hi, I am just a Mozilla user from a while back, switched to Firefox when it came out (before all the name changes).

Anyway, I got a suggestion on working with this "flaw" in the IDN.

The address bar should use color coding to show non-local characters. (Like it does with secure sites).

How it works:
-The browser will notice the character being used isn't in the Local's character set.
-And upon presentation, it renders those specific characters differently. It can be colored red, bolded, or backgrounded gray....

Local can be set by the user whether it be Japan, India, or Brazil.

We would also need "friendly Locals" so that users won't see lots of colored characters. Like Japanese would have a Japanese Local and the US as a friendly Local so that english and japanese site addresses show up as normal text.

From a user's point of view, the sites' addresses would look different. This won't get rid of the problem, but I believe it will make it much smaller.

I am pretty sure someone already has this idea or a better one, but I didn't think it would hurt to post just incase noone did.

KevinMillican
Guest
 

Post Posted February 8th, 2005, 10:29 am

A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/m ... dows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

EB3551
 
Posts: 36
Joined: July 13th, 2004, 12:14 pm

Post Posted February 8th, 2005, 10:38 am

I commented out the IDN lines in compreg.dat as suggested here, and then tested at the Secunia site http://secunia.com/multiple_browsers_idn_spoofing_test/

Didn't work.

Closed Mozilla and re-opened. Now it passes the test.

EB

Guest
Guest
 

Post Posted February 8th, 2005, 11:20 am

Works great

KevinMillican wrote:A simpler way of fixing this is as follows :-

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/m ... dows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

Guest
Guest
 

Post Posted February 8th, 2005, 12:06 pm

Linux 2.6.9x1 Firefox 1.0
Fixing the compreg.dat file in the two lines where IDN/idn appears does not fix the problem. Spoofing still works on it.

Gralfus

User avatar
 
Posts: 68
Joined: December 10th, 2004, 10:02 am

Post Posted February 8th, 2005, 12:13 pm

Any way to make the compreg.dat file keep the changes? As soon as I install an extension, it removes the changes.

Hendikins

User avatar
 
Posts: 26
Joined: December 31st, 1969, 5:00 pm
Location: On a train

Post Posted February 8th, 2005, 12:27 pm

Nope. The file is regenerated, and setting it read-only would cause problems with extension installations.

Gralfus

User avatar
 
Posts: 68
Joined: December 10th, 2004, 10:02 am

Post Posted February 8th, 2005, 12:43 pm

Something must tell Firefox how to set the compreg.dat file. Can it not be set as default to have those IDN lines set to zero? My guess is this would probably have to come from the developers.

trenchant
Guest
 

Post Posted February 8th, 2005, 12:45 pm

i presume this affects thunderbird too

Ljauch
Guest
 

Post Posted February 8th, 2005, 12:54 pm

Using wordpad, when I find the file compreg.dat to edit by placing # in front of the line with IDN, the top of the file says "Generated file-do not edit " Moreover, it does not look like the sample suggested for the fix of the problem -- line starts with @Mozilla rather than the sample showing { .......}, @ Mozilla
What do us tech illiterates do? #-o

Return to Firefox Support


Who is online

Users browsing this forum: Google [Bot] and 6 guests