Topic: Security Alert for alternative browser users  (Read 3150 times)

0 Members and 1 Guest are viewing this topic.

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Security Alert for alternative browser users
« on: February 07, 2005, 06:02:39 pm »
ALERT ALERT ALERT

New phishing scam launched against non IE browsers. Find out more about your browser at the following links:

Opera
Mozilla and Firefox
Netscape

This alert is listed as moderate critical.

Jerry
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline FRA.E.Kehakoul_XC

  • Administrator
  • Lt. Commander
  • *
  • Posts: 1100
  • Gender: Male
Re: Security Alert for alternative browser users
« Reply #1 on: February 07, 2005, 06:08:55 pm »
As far as i can tell Opera 6.05 is not affected.
FRA.E.Kehakoul_XC

Director - Diplomatic Division

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: Security Alert for alternative browser users
« Reply #2 on: February 07, 2005, 06:23:58 pm »
Keep in mind that this is a problem with a standard that these browsers properly adhere to.  The reason Microsoft is not hit by it is that they either do not implement the standard or do so in a proprietary way.  The standard appears to need some work. 

Quote
Workaround: Mozilla based browsers only:
Enter the following url: about:config
Scroll down to network.enableIDN
If the value column is True then right click on it and choose the toggle option this will change the value to False which disables that feature and protects you from the attack

Quote
VI.   Vendor Responses

Verisign: No response yet.

Apple:  No response yet.

Opera:  They believe they have correctly implemented IDN, and will not be making any changes.

Mozilla:  Working on finding a good long-term solution; provided clear workaround for disabling IDN.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."

Offline toasty0

  • Application.Quit();
  • Captain
  • *
  • Posts: 8045
  • Gender: Male
Re: Security Alert for alternative browser users
« Reply #3 on: February 07, 2005, 11:51:54 pm »
Keep in mind that this is a problem with a standard that these browsers properly adhere to.

Good to see at least one of the developers stayed awake and recognised a bad standard when they saw one. As Forest used to say, "Sheep is as sheep do-do." or something like that.

Heheheh
« Last Edit: February 08, 2005, 10:24:01 am by toasty0 »
MCTS: SQL Server 2005 | MCP: Windows Server 2003 | MCTS: Microsoft Certified Technology Specialist | MCT: Microsoft Certified Trainer | MOS: Microsoft Office Specialist 2003 | VSP: VMware Sales Professional | MCTS: Vista

Offline Monty

  • Lt. Junior Grade
  • *
  • Posts: 123
  • Gender: Male
Re: Security Alert for alternative browser users
« Reply #4 on: February 08, 2005, 04:14:16 am »
Does disabling IDN have any undesirable side effects?

Good find on the security alert.

Offline Nemesis

  • Captain Kayn
  • Global Moderator
  • Commodore
  • *
  • Posts: 13067
Re: Security Alert for alternative browser users
« Reply #5 on: February 08, 2005, 07:40:15 pm »
Does disabling IDN have any undesirable side effects?

Good find on the security alert.

You won't be able to handle urls that use characters not used in English.  Many east European languages or oriental languages for example.

Good to see at least one of the developers stayed awake and recognised a bad standard when they saw one. As Forest used to say, "Sheep is as sheep do-do." or something like that.

The standard is basically good.  Unless of course you think that you shouldn't be allowed to access websites in countries that use other languages. 

The problem is more in the implementation at the domain name registrar level.  Each top level domain or nation should only use one character set.  That way if you saw "www. microsoft. com" or "www. microsoft. us" you would know it was the English version.  If you saw something like "www. microsoft. ru " or "www. microsoft.to" you would have reason to be suspicious.  With the current system one could spoof "www .microsoft. com" by using alternate character sets for the "i" or "o" for example.   Similar things have been done in the past using "1" or "0" to replace the "I" or "O". 

Of course you can make yourself more secure by following the advice given by toasty's link

Quote
Solution:
Don't follow links from untrusted sources.
Do unto others as Frey has done unto you.
Seti Team    Free Software
I believe truth and principle do matter. If you have to sacrifice them to get the results you want, then the results aren't worth it.
 FoaS_XC : "Take great pains to distinguish a criticism vs. an attack. A person reading a post should never be able to confuse the two."