Gravitron (VIE Vet)
Posted: Tue Feb 08, 2005 11:47 am
Post subject: FireFox/Mozilla rules your ass again...well, the crackers do.

Quote:
> By John Leyden
> Published Monday 7th February 2005 21:38 GMT
> A security loophole in the Mozilla and Firefox browsers could be used to spoof the URL displayed in the address bar, the SSL certificate and the status bar. The vulnerability also affects Opera and Konqueror and stems from a flawed IDN (International Domain Name) implementation within the browsers.
> The bug could be exploited by registering domain names with certain international characters - which look like other commonly-used characters - in order to hoodwink users into believing they are on a different, trusted site. As such, the bug creates a new wheeze for phishing attacks. For Germans to use national German characters in ".de" domains, for example, is one thing, but the use of national characters has been extended to the international domain space (.com, .net and .org) and extends the scope for confusion.
> Thomas Kristensen, CTO at Secunia, told El Reg: "This issue is not a traditional vulnerability, but a serious security issue which is caused by an inappropriate implementation of IDN."
> "We have all heard about the "problems" with "o" that looks like "0" or "l" and "1", allowing people to register "MlCR0S0FT.com" and abusing that to trick people. Using IDN, which supports Unicode characters, gives the phishers and scamsters thousands more characters to play around with, some resembling "normal" characters to the point where not even the trained and paranoid eye will spot the difference," he said.
> The bug has been confirmed in Mozilla 1.7.5, Firefox 1.0, Konqueror 3.2.2 and Opera 7.54. Other versions may also be affected, Secunia reports. Internet Explorer users are in the clear from this one, although subject to flaws that have a similar effect. You can check if your browser is affected using Secunia's test.
> Secunia advises users not to follow links from untrusted sources and to manually type the URL they wish to visit into the address bar as a workaround prior to the availability of more comprehensive fixes.
Source: http://www.theregister.com/2005/02/07/browsers_idn_spoofing/

P.S.
Next time you come to MGB, it wouldn't be MGB, because I fooled the DNS servs to go to mineg0b00m and uploaded my own pages to simulate MGB, and it'll be full of trojans and virii and worms, and your PCs will be my zombies!
MUHAHAHHAHAHA
P.P.S.
Can you tell if my source link is real or not?
At your own risk.
(well it is, really, unless someone edited it and spoofed you, what, you're not SCARED to look, are you?)
BAHAHAHAHAHAHA

CypherJF (I gargle nitroglycerin)
Posted: Tue Feb 08, 2005 12:46 pm
Well, I love Microsoft's response to "how to avoid going to spoofed webpages". See here.
You can see if you're visiting a "spoofed" page during the page-loading process [Firefox does display the spoofed URL for a second or two, lol] in the status bar, or better yet, double check the URL you are going to before you click on the link in the document src. More discussion about this can be found here.
In any case, I end up using my bookmarks or typing in URLs manually. Again, be smart about what you're doing on the Internet. It's not a safe place, as much as we try to "secure" it. Even more of a reason why banking, etc. shouldn't be on the WWW.
I'm still trying to figure out why Mozilla set network.enableIDN to true by default. Btw, setting it to false has a flaw or something, as I read on /.
But anywho. I need to get goin.
_________________
Performance is often the art of cheating carefully. - James Gosling

Last edited by CypherJF on Tue Feb 08, 2005 1:03 pm, edited 1 time in total

Dr Brain (Flip-flopping like a wind surfer)
Posted: Tue Feb 08, 2005 12:50 pm
Even if the domain is spoofed, you still can't get infected by visiting, because you're not using IE.
_________________
Hyperspace Owner
Smong> so long as 99% deaths feel lame it will always be hyperspace to me

Cyan~Fire (I'll count you!)
Posted: Tue Feb 08, 2005 3:47 pm
I don't understand that bug. Is Mozilla just substituting Unicode characters with ASCII ones that look similar for display? That's kind of stupid, actually.
_________________
This help is informational only. No representation is made or warranty given as to its content. User assumes all risk of use. Cyan~Fire assumes no responsibility for any loss or delay resulting from such use.
Wise men STILL seek Him.

CypherJF (I gargle nitroglycerin)
Posted: Tue Feb 08, 2005 5:28 pm
Not sure, but I'd imagine they'll come up w/ a solution to it more quickly than the MS corp. would come up w/ one for a bug such as this.
I'm not even sure if I'd call it a bug, because the system works as it should; it's simply a way someone can exploit a working [DNS] system.
Well, I think it's part of the DNS system that's being exploited. :/

SuSE (Me measures good)
Posted: Tue Feb 08, 2005 7:23 pm
imo this is a problem with the fucking stupid English-loving "look we're the US government so _we_ get the .gov TLD" bullshit inherent

Dr Brain (Flip-flopping like a wind surfer)
Posted: Tue Feb 08, 2005 9:02 pm
It *was* a United States Defense Department project that became the Internet.

D1st0rt (Miss Directed Wannabe)
Posted: Tue Feb 08, 2005 10:40 pm
true dat, army invented the internet in like the 70's

Phyran (I privately speak in public)
Posted: Tue Feb 08, 2005 10:52 pm
Al Gore: I invented the internet!! Bishes!!

CypherJF (I gargle nitroglycerin)
Posted: Tue Feb 08, 2005 10:53 pm
'69, if I remember right. I did a huge research project on it. It's kinda hard to follow also because we weren't the only ones working on the project at the same time.

SuSE (Me measures good)
Posted: Wed Feb 09, 2005 4:49 am
this is all irrelevant, the way this internet is managed can be summed up in one word: gay

Mine GO BOOM (Hunch Hunch What What)
Posted: Wed Feb 09, 2005 11:39 am
Post subject: Re: FireFox/Mozilla rules your ass again...well, the crackers
Gravitron wrote:
> Next time you come to MGB, it wouldn't be MGB, because I fooled the DNS servs to go to mineg0b00m and uploaded my own pages to simulate MGB and it'll be full of trojans and virii and worms, and your PCs will be my zombies!
You have no idea what you are talking about here, do you? No DNS servers get 'fooled' or anything, and the mineg0b00m trick was completely possible back in Win 3.11 days and earlier.
What this is, is that domain names support Unicode characters. So if you wanted to, you could register the domain www.☺.com and use it. This is a new addition to allow other languages to have their characters supported for domain names. In the Unicode character set, there is the problem that some of the letters in one section are identical to other letters, such as the Cyrillic 'а' and standard ASCII 'a'.
Why does this affect Firefox/everything except IE? Because it's a standard for domain names, thus people added it to their browsers, which support the standards. So IE's reason for not having this 'bug'? As a friend of mine best said: security through obsolescence.
So before you go knocking Firefox, just remember that this is the standard. Just because people can make links to www.paypal.com:securelogin.php@some-crappy-phisher-site.com doesn't mean that it's the software's fault. I'm very happy with the way in which Firefox deals with these links, popping up a warning box instead of outright blocking like IE does.
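The Cyrillic-'а'-versus-ASCII-'a' problem described in this post, checked from the defender's side. This is an added example, not code from anyone in the thread: it converts a hostname to the punycode (xn--) form the resolver actually sees using Python's built-in idna codec, flags labels that mix scripts, and catches whole-script lookalikes with a small hand-built Cyrillic table (constructed here; the complete list is Unicode TR39's confusables data, which this example does not ship).

```python
import unicodedata

# Constructed lookalike table for this example only (a subset of what a
# browser would consult): Cyrillic letters that render like Latin ones.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def script_of(ch):
    """Rough script of one character, read off its Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    # digits and hyphen are legal in any label and belong to no script
    return "COMMON" if ch in "0123456789-" else "OTHER"


def skeleton(label):
    """Replace known lookalikes with their Latin twin (TR39-style skeleton)."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def analyze_hostname(host):
    """Return (punycode_host, findings).

    punycode_host is what the browser resolves and what it should display
    when a label is suspicious; findings lists (label, reason) pairs.
    """
    host = host.strip().rstrip(".").lower()
    try:
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None  # nameprep rejected the name; a browser would too
    findings = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        skel = skeleton(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))
        elif skel != label and skel.isascii():
            findings.append((label, "whole-script lookalike of " + skel))
    return punycode, findings


if __name__ == "__main__":
    for h in ("www.example.com", "www.p\u0430ypal.com", "www.\u0440\u0430\u0443.com"):
        print(h, "->", analyze_hostname(h))
```

The second and third sample hostnames use Cyrillic letters (constructed here, not domains from the article); the mixed-script check catches the first, the skeleton check the second, and both come back with an xn-- form that a user can actually tell apart from the brand name.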

Dr Brain (Flip-flopping like a wind surfer)
Posted: Wed Feb 09, 2005 12:17 pm
Even if Firefox were just as buggy as IE (and it's not even close) I would still use it.
Firefox is a superior browser compared to IE. End of story.

CypherJF (I gargle nitroglycerin)
Posted: Wed Feb 09, 2005 2:05 pm
One thing my brother doesn't like is he likes Opera's session storing, where you can close the browser and re-open it where you left off. If the browser crashes, like Firefox does from time to time, it automatically reopens the pages you were at, etc. [or gives you the choice to start fresh, start where you left off, or open a saved session]. I know Firefox slightly simulates this w/ the bookmark-all-tabbed-pages and open-all-bookmarks-into-tabs features, but I dunno. He also has the issue of loading so many tabs that it's hard to navigate through em; and I'm because Opera is an MDI, the browser windows all fold up into title bars at the bottom. That's the other thing he doesn't like, he can't move the address bar, etc. to the bottom of the screen like he can w/ Op. lol.
Some thoughts, but meh. I still like Firefox above the others; especially the user-defined filtering [removing ads, w00t]. It's like a God-save. lol.

Last edited by CypherJF on Wed Feb 09, 2005 5:04 pm, edited 1 time in total

Solo Ace (Yeah, I'm in touch with reality...we correspond from time to time.)
Posted: Wed Feb 09, 2005 2:39 pm
CypherJF wrote:
> One thing my brother doesn't like is he likes Oprah's session storing.
Haha, stop watching the gay tv shows!
Are you sure that isn't a nasty typo?

Gravitron (VIE Vet)
Posted: Wed Feb 09, 2005 3:15 pm
I do believe that the smart explorer (IE emulator with better compatibilities and features) also supports this crash-resistant security measure.

SuSE (Me measures good)
Posted: Wed Feb 09, 2005 4:15 pm
CypherJF wrote:
> One thing my brother doesn't like is he likes Oprah's session storing.
There are a few different extensions that have session savers - no bloat for those who don't want it, there if you do.
CypherJF wrote:
> and I'm because Oprah is a MDI, the browser windows all fold up into title bars at the bottom.
...are you talking about tabbing?
CypherJF wrote:
> That's the other thing he doesnt like, he can't move the address bar, etc. to the bottom of the screen like he can w/ Op. lol.
Well holy shit. I guess you'd have to jump into the open source code and spend about 10 minutes changing that, now wouldn't you. Can't do that with Opera, though.

CypherJF (I gargle nitroglycerin)
Posted: Wed Feb 09, 2005 5:04 pm
Solo Ace wrote:
> [..]
> Haha, stop watching the gay tv shows!
> Are you sure that isn't a nasty typo?
Nasty typo indeed. I knew it didn't look right but I had to head off to class; I almost, almost just hit the X and said "screw it". LOL
SuSE wrote:
> CypherJF wrote:
> > One thing my brother doesn't like is he likes Oprah's session storing.
> There are a few different extensions that have session savers - no bloat for those who don't want it, there if you do.
I'll tell him to look into it.
SuSE wrote:
> CypherJF wrote:
> > and I'm because Oprah is a MDI, the browser windows all fold up into title bars at the bottom.
> ...are you talking about tabbing?
No, with Opera you can minimize the internal browser windows in the parent frame. I'll take a screenshot here sometime and show you what I mean.
SuSE wrote:
> CypherJF wrote:
> > That's the other thing he doesnt like, he can't move the address bar, etc. to the bottom of the screen like he can w/ Op. lol.
> Well holy shit. I guess you'd have to jump into the open source code and spend about 10 minutes changing that, now wouldn't you. Can't do that with Opera, though.
Well, yes. But you have the option to move bookmarks around, buttons around; you should be able to move the address bar wherever you want as well. Same w/ the find feature.
I don't have any problem with how Firefox itself handles; I'm just telling you what my brother finds disappointing in it. Oh yeah, except I don't like how they [Mozilla folks] didn't put the print in the right context menu; but no worries, I have the plugin - erm, extension - for that.

D1st0rt (Miss Directed Wannabe)
Posted: Wed Feb 09, 2005 8:16 pm
The one thing I don't like is that when you're doing a find in a multiple-framed document, it only searches in one frame.

Mine GO BOOM (Hunch Hunch What What)
Posted: Wed Feb 09, 2005 10:16 pm
Gravitron wrote:
> I do believe that the smart explorer (IE emulator with better compatibilities and features) also supports this crash-resistant security measure.
They also support the easy-to-exploit ActiveX and many other unfixed security holes that IE uses. Until IE doesn't run as part of the operating system (it usually runs with system privilege part of the time), it won't be very secure.
Plus, if you are an IE user, you won't be able to visit all the cool sites.

Cyan~Fire (I'll count you!)
Posted: Wed Feb 09, 2005 10:37 pm
Why does a cool site which can't be viewed by IE have a WiMP plugin object on it?

Gravitron (VIE Vet)
Posted: Thu Feb 10, 2005 12:27 am
You don't have ActiveX disabled?
Stupid.

SuSE (Me measures good)
Posted: Thu Feb 10, 2005 5:28 am
CypherJF wrote:
> No, with Opera you can minimize the internal browser windows in the parent frame. I'll take a screen shot here sometime and show you what I mean.
s'okay I know what you mean - not sure I see the point