Firefox security

[danceboy]

Hey all, if anyone is using firefox, please check this out. It turns out that due to Firefox correctly implementing a flawed standard, it is vulnerable to certain spoofing attacks. They've come up with a fix pretty quickly, and it's yet another reason to get AdBlock...

I do not believe that any attacks were found using this, it looks like some people discovered the problem and then announced it.

Comments

You can disable the feature -- easier fix

[vectorvillain.livejournal.com]

Go to the address bar, and type "about:config". Scroll down to "Network.enableIDN", and double click on it.

This disables the flawed standard. It isn't all that likely that most people use IDN, so i souldn't impact anything.

From you friendly neighborhood IT security wonk.

Re: You can disable the feature -- easier fix

[danceboy.livejournal.com]

I dunno, according to bugzilla and mozillazine, that only sticks around until you restart, and the standard way to fix that (editing the compreg.dat directly) only sticks around until you install a new extension (when it gets over-written).

It seems that whoever added IDN to the about:config neglected to add it to the serializer in time for the 1.0 branch. It had already been fixed before the exploit came out, but they haven't released a new version yet.

Regarding IDN itself, I think it's a bad idea to come up with a standard that allows people to think that they're visiting one site, and actually bring them to another. They forgot the "How will evil people try to abuse this?" test.