|
|
User Controls
|
New User
|
Login
|
Edit/View My Profile
|
|
|
|
ActiveMac
|
Articles
|
Forums
|
Links
|
News
|
News Search
|
Reviews
|
|
|
|
News Centers
|
Windows/Microsoft
|
DVD
|
ActiveHardware
|
Xbox
|
MaINTosh
|
News Search
|
|
|
|
ANet Chats
|
The Lobby
|
Special Events Room
|
Developer's Lounge
|
XBox Chat
|
|
|
|
FAQ's
|
Windows 98/98 SE
|
Windows 2000
|
Windows Me
|
Windows "Whistler" XP
|
Windows CE
|
Internet Explorer 6
|
Internet Explorer 5
|
Xbox
|
DirectX
|
DVD's
|
|
|
|
TopTechTips
|
Registry Tips
|
Windows 95/98
|
Windows 2000
|
Internet Explorer 4
|
Internet Explorer 5
|
Windows NT Tips
|
Program Tips
|
Easter Eggs
|
Hardware
|
DVD
|
|
|
|
Latest Reviews
|
Applications
|
Microsoft Windows XP Professional
|
Norton SystemWorks 2002
|
|
Hardware
|
Intel Personal Audio Player
3000
|
Microsoft Wireless IntelliMouse
Explorer
|
|
|
|
Site News/Info
|
About This Site
|
Affiliates
|
ANet Forums
|
Contact Us
|
Default Home Page
|
Link To Us
|
Links
|
Member Pages
|
Site Search
|
Awards
|
|
|
|
Credits
©1997/2004, Active Network. All
Rights Reserved.
Layout & Design by
Designer Dream. Content
written by the Active Network team. Please click
here for full terms of
use and restrictions or read our
Privacy Statement.
|
|
|
|
|
|
|
|
Time:
19:59 EST/00:59 GMT | News Source:
ActiveWin.com |
Posted By: Brian Kvalheim |
Most browsers affected except Microsoft Internet Explorer.
The state of homograph attacks. International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Desscription: In December 2001, a paper was released describing Homograph attacks [1]. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. At the time this paper was written, no browsers had implemented Unicode/UTF8 domain name resolution.
Test URL: http://www.shmoo.com/idn/
|
|
#1 By
37 (67.37.29.142)
at
2/7/2005 4:16:29 PM
|
Good thing I don't use Firefox on a daily basis. As it continues to grow, so does it security problems. I knew this was gonna happen. So much for Firefox being "secure".
|
#2 By
6859 (206.156.242.39)
at
2/7/2005 4:26:17 PM
|
What's even more interesting is the "workaround" for Firefox doesn't work, so there's a lot of FF users out there that are wondering what to do.
|
#3 By
15406 (216.191.227.90)
at
2/7/2005 4:30:05 PM
|
I know FF is the latest MS shineboy target, but if any of you read the article, it affects practically every browser out there except IE -- not just Firefox. It's almost funny that IE is not susceptible to this one attack because MS was lazy in not supporting a standard that everyone else included.
|
#4 By
1401 (69.40.54.14)
at
2/7/2005 4:31:11 PM
|
homograph attacks? Is that where they enter in the back door?
|
#5 By
7797 (63.76.44.6)
at
2/7/2005 4:34:59 PM
|
AWBrian, nobody is saying Firefox is "secure". What people ARE saying however is that compared to Internet Explorer it is more secure. And probably the only reason IE isn't susceptible to this flaw is because it lacks IDN support to begin with. Your pathetic attempts to FUD Firefox don't hold up against the smallest scritiny.
This post was edited by tgnb on Monday, February 07, 2005 at 16:35.
|
#6 By
11888 (64.230.35.124)
at
2/7/2005 4:36:37 PM
|
Like other comparisons, this "feature" is available in IE through a plug-in. Just like tabbed browsing.
LOL AWBrian. You're too much. Funny.
This post was edited by MrRoper on Monday, February 07, 2005 at 16:41.
|
#7 By
37 (67.37.29.142)
at
2/7/2005 4:58:07 PM
|
tgnb, I know of MANY people that are saying "Firefox is secure". AND they are saying "compared to IE, it is more secure". AND they are also saying that it is more secure because it is not as popular, making it less likely for attack. AND the same people say to watch for growing security issues as the browser gains in popularity.
And Firefox lacks ActiveX support, so in turn it too isn't susceptible to this flaw.
And as a note for IE support of IDN:
http://support.microsoft.com/?kbid=842848
Here is a quote:
"The Internet Engineering Task Force (IETF) published the IDN standard in March 2004."
So the standard was published less than a year ago.
But Microsoft says: "Internet Explorer does not currently support IDNs, but we are investigating the integration of IDN support in Internet Explorer and in other Microsoft products."
No FUD, just facts.
FACT IS, Firefox has YET ANOTHER security issue. You might have to learn to deal with that.
This post was edited by AWBrian on Monday, February 07, 2005 at 16:59.
|
#8 By
7797 (63.76.44.6)
at
2/7/2005 5:13:53 PM
|
I'm dealing with it. Its expected. It should be expected of ANY software. Whether its proprietary or open source. How many IE flaws will be patched by tomorrow's 13 critical Windows patches?
Oh and please show me where people are saying that "Firefox is secure" so I can refute them.
And unlike ActiveX, IDN is not notoriously known for having tons of security problems. How many unpatched holes are in IE at the moment? How many in Firefox? How long have those holes been unpached in IE?
This post was edited by tgnb on Monday, February 07, 2005 at 17:18.
|
#9 By
7797 (63.76.44.6)
at
2/7/2005 5:24:22 PM
|
"Vulnerabilities arise and the vendor who steps up to correctly identify and fix the problem first has the more secure product."
This isn't the only way to measure how secure a product is. And Microsoft does not have such a great track record with IE patches in that regard.
|
#10 By
7797 (63.76.44.6)
at
2/7/2005 5:44:53 PM
|
Me Shrugs. I didn't make any assumptions at what browser you support at all. You said "Vulnerabilities arise and the vendor who steps up to correctly identify and fix the problem first has the more secure product." But thats not true. Mozilla doesn't have the more secure product only because they respond to vlunerabilities faster. There are many other factors to consider when deciding who has the more secure product. It sounds like you even agree with that.
|
#11 By
135 (128.64.154.3)
at
2/7/2005 6:20:06 PM
|
Aww crap. I'm an idiot. I made a mistake and listened to tgnb telling me that Firefox was more secure than IE, and went and installed it on my girlfriend's computer.
Now she's open to a major security hole, and I can't find any patches for it on the firefox website. Nothing. No news, no patch... nothing. No information whatsoever that she's vulnerable.
That serves me right for listening to tgnb. I'm putting her back on IE. At least when Microsoft has a vulnerability they talk about it and issue patches.
If anything I said sounds ridiculous... look in a mirror
|
#12 By
860 (68.62.236.255)
at
2/7/2005 8:03:40 PM
|
You folks are forgetting... the reason that IE isn't affected is because IE doesn't support this standard. IE isn't standards-compliant, so it got past this security issue. If you loaded the plugin to IE for IDN, then you ARE vulnerable.
|
#13 By
3653 (68.54.224.219)
at
2/7/2005 9:08:30 PM
|
I thought firefox had thousands of volunteer programmers to stop this sort of thing from happening? I guess that myth is exposed for the shite it is.
|
#14 By
7797 (68.142.9.161)
at
2/7/2005 9:39:28 PM
|
mooresa56 sorry to burst your bubble but although firefox has many volunteer programmers as well as paid ones, nobody claimed that this would stop this sort of thing from happening. Of course you wish people claimed that so you can make your idiotic statements.
sodablue, how many vulnerabilities are unpatched in IE right now? Oh more than in Firefox? Hmm.. so your happy your girlfriend is using it afterall? Oh ok good then.
|
#15 By
20505 (216.102.144.11)
at
2/7/2005 9:56:27 PM
|
gentlemen,
as i read this exchange. i am listening to "wonderful" by everclear. the player is minimized and i am controlling my musicmatch player with a firefox extension, foxytunes.
for the record this is totally cool! isn’t the pc ultimately about being totally cool?
i'm not a programer (duh) but how do they do this with a 200k plug-in?
long live innovation!
|
#16 By
37 (24.183.41.60)
at
2/7/2005 10:02:26 PM
|
Doesn't sound like you are dealing with it. You are still in denial.
First they say, it's FREE. Now it's not really FREE, just FREE.
Then they say, it's secure. And now as more and more security issues are found, it's "well, it's more secure than IE".
What's next?
|
#17 By
16451 (65.19.17.187)
at
2/7/2005 10:13:00 PM
|
I couldn't help but notice that the source page URL is that of the real page, and not spoofed URL. I also see that to spoof a secured site you must have a certificate for the real URL, which leaves quite a trail to the suspect.
|
#18 By
3653 (68.54.224.219)
at
2/7/2005 10:48:25 PM
|
tgnb - "nobody claimed that this would stop this sort of thing from happening"
Thats news to me. Do a quick google search for "firefox is secure" or similar and then tell me again that "nobody claimed that this would stop this sort of thing from happening".
|
#20 By
23275 (68.17.42.38)
at
2/7/2005 11:28:25 PM
|
Ok Folks...come on now....yur gonna make me build an Excedrine lick here....
IDN's .... Internaltion Domain Names.... Have dork to do with "Standards!!!!" They are
non-ASCII [or non American Standard Code for Information Interchange] character sets - one of oh, say, 100+ different formats [shape bit, parity, two groups of three each vectors <originally>] better expressed simply [straight polarity here...] as, 84218421 or their potentional value - also known as Octylateral if you've a Govt. background. That format has been around since guys were sweeping chad from the comms room floor.
Now, via trusted registrars who maintain a list of IDN <domain names>, like VeriSign, one can easily "resolve" addresses that use non-ASCII Characters in the address. When a non-ASCII Char is recognized in IE, it goes to the installed registrar who then resolves the IDN. This allows foreign countries who do not use our alphabet to use friendly names in their native character set - e.g., cyrillic, or simplified Chinese. Each available plug-in works the same way, and therein layeth the flaw - is/are the registrar's SW and lists properly resolving names to registered and valid IDN's...? For those decrying IE as non-compliant - please stop. Same for FF or Mozilla conforming....it doesn't because they just go get a list made up by non-authoritative registrars...see the potential danger there? BTW, in IE's Plug-in manager, just don't blindly trust any plug-in you do not fully understand. That way it'll "ask" you before doing anything you may not like. Now, the attack is all about expressing one address, but having it resolve ot an unwanted and potentially malicious host. Any "Merri'can...<my best gingoist accent here..." seeking to address an IDN, should probably look it up first - why not, one would be wise to plan a trip to a land we were not familiar with...right? Lookup iL8n assigned names. The nsiregistry is a good start. Also, Not one of those posting even mentioned the far more complex and potentially harmful exploits opposite IHN's... oh and if you are running your own forward DNS, please consider adding a set for your own safe lookups - there are a lot of tools out there for adding sets to resolve IDN and IHN's. idnkit-1.0.-x for example. That way, you can control which your users can resolve. You can even create some forwarders on W2K and W2K3 DNS to a BIND 9.x idnkit and keep the stuff separate. That way you can truly say your "leet" and also learn some about working with multiple platforms without too much risk, or jacking with your dynamic DNS systems, etc...
Before you all get wonked at me, don't we invented this stuff and released it for commercial and international purposes. I know, I had the privilege to be among the many who voted for it and how it would be done. It can be taken back, or made irrelevant.
Any way - that's my 2 cents. Thanks.
|
#21 By
20505 (216.102.144.11)
at
2/8/2005 12:45:34 AM
|
moorse56 -
thanks for the info.
|
#22 By
2201 (212.117.228.131)
at
2/8/2005 6:22:31 AM
|
O dear. What's wrong with everyone here? Who cares if Firefox or IE is "secure" or not? Why don't you all just enjoy your browsers and stop attacking other browsers just to make you feel better for making one choice or another? :(
|
#23 By
7797 (63.76.44.6)
at
2/8/2005 8:34:12 AM
|
" O dear. What's wrong with everyone here? Who cares if Firefox or IE is "secure" or not? Why don't you all just enjoy your browsers and stop attacking other browsers just to make you feel better for making one choice or another? :("
I agree. But I don't see anyone attacking IE here only Firefox bashers and those defending it.
|
#24 By
2960 (156.80.64.60)
at
2/8/2005 8:34:20 AM
|
#1,
Good thing I DO use FireFox on a daily basis. My collection of Spyware installed by drive-by has dropped to zero, as it has for everyone else I know that uses FireFox.
TL
|
#25 By
7797 (63.76.44.6)
at
2/8/2005 8:50:20 AM
|
mooresa56 I searched for "Firefox is secure" on google as you suggested and received 107 results while searching "IE is secure" yielded 256 results. Does this mean that the IE Fanboys are a louder bunch? No. "Firefox is more secure" gets me 656 results. What this shows is that "Firefox is more secure" is clearly the more prevalent statement out there. So when the Firefox bashers in here start screaming and shouting about how this flaw proves that Firefox is not secure then they are clearly ignoring the majority of the people who don't claim that it is to begin with. And so the majority of the Firefox supporters on this forum who've never claimed Firefox to be "secure" defend their stance and point out your ignorance.
|
|
|
|
|