danceboy ([personal profile] danceboy) wrote 2005-02-12 09:33 am

Firefox security

Hey all, if anyone is using Firefox, please check this out. It turns out that due to Firefox correctly implementing a flawed standard, it is vulnerable to certain spoofing attacks. They've come up with a fix pretty quickly, and it's yet another reason to get AdBlock...

I do not believe that any attacks were found using this; it looks like some people discovered the problem and then announced it.

You can disable the feature -- easier fix

[identity profile] vectorvillain.livejournal.com 2005-02-22 03:36 am (UTC)
Go to the address bar, and type "about:config". Scroll down to "Network.enableIDN", and double click on it.

This disables the flawed standard. It isn't all that likely that most people use IDN, so it shouldn't impact anything.

From your friendly neighborhood IT security wonk.

Re: You can disable the feature -- easier fix

[identity profile] danceboy.livejournal.com 2005-02-22 05:27 pm (UTC)
I dunno, according to Bugzilla and MozillaZine, that only sticks around until you restart, and the standard way to fix that (editing the compreg.dat directly) only sticks around until you install a new extension (when it gets overwritten).

It seems that whoever added IDN to the about:config neglected to add it to the serializer in time for the 1.0 branch. It had already been fixed before the exploit came out, but they haven't released a new version yet.

Regarding IDN itself, I think it's a bad idea to come up with a standard that allows people to think that they're visiting one site, and actually bring them to another. They forgot the "How will evil people try to abuse this?" test.
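
As an added illustration of the spoofing concern discussed in this thread (not part of the original post or its comments), the following Python sketch shows how a hostname that looks like plain ASCII can be checked: it prints the ASCII (xn--) form the resolver actually sees and flags labels that mix scripts. The function names and the sample hostnames are constructed for this example, and the script check is a simple heuristic based on Unicode character names.

```python
import unicodedata

def to_unicode(host):
    """Decode any xn-- labels so the visible form can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode

def label_scripts(label):
    """Scripts used by the letters of one label (heuristic, not UTS #39)."""
    # For letters, the first word of the Unicode character name is the
    # script, e.g. "LATIN SMALL LETTER A" or "CYRILLIC SMALL LETTER A".
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_host(host):
    """Report the ASCII form of a hostname and any mixed-script labels."""
    shown = to_unicode(host)
    report = {"shown": shown, "ascii": None, "idn": False, "mixed_script": []}
    try:
        report["ascii"] = shown.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # not encodable under the IDNA 2003 rules Python implements
    for label in shown.split("."):
        if label.isascii():
            continue
        report["idn"] = True
        scripts = label_scripts(label)
        if len(scripts) > 1:
            report["mixed_script"].append((label, sorted(scripts)))
    return report

# Constructed sample hostnames; the second contains U+0430 (Cyrillic "a").
SAMPLES = ["example.test", "ex\u0430mple.test",
           "\u043f\u0440\u0438\u043c\u0435\u0440.test"]

if __name__ == "__main__":
    for name in SAMPLES:
        r = inspect_host(name)
        flag = ("MIXED SCRIPT" if r["mixed_script"]
                else "IDN" if r["idn"] else "ascii")
        print(f"{r['shown']!r:22} -> {r['ascii']!r:28} {flag}")
```

A label written entirely in one non-Latin script is reported as IDN but not as mixed-script, so this check covers only the case where look-alike letters are mixed into an otherwise Latin name.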