
Re: browser security flaws not being addressed



* paul wrote:

> I'm surprised it's taking so long for the mozilla (and opera) folks to  
> address these security issues, which sound pretty severe, if you're doing  
> banking and such on line.
> 
> http://www.theregister.co.uk/2005/02/07/browsers_idn_spoofing/
> 
> http://itmanagement.earthweb.com/secu/article.php/3440971

This is NOT a browser flaw per se; IDN is just a stupid idea! What an
easy way to allow people to spoof domains and certificates!

The folks at Opera have allegedly said, according to one online
resource, that they have correctly implemented IDN and will not be
making any changes. I quite believe they have implemented IDN correctly,
that was never in question.

In the meantime any URL with xn-- in it should be avoided unless you
know the implications.

To disable IDN support in Firefox:
http://friedfish.homeip.net/extensions/no-idn.xpi

and a trustbar for Firefox which shows IDN/SSL info:
http://trustBar.mozdev.org

YMMV,HTH,

Shaun
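
The "xn--" check mentioned in the message above, as an added example that is not part of the original post: it looks for Punycode labels in a URL's hostname only, decodes them to the text a browser would display, and flags labels that mix scripts. The function names, the script heuristic and the sample URL are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded (IDN) hostname label


def script_of(ch):
    # Heuristic: the first word of the Unicode character name (LATIN, CYRILLIC, ...)
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_url(url):
    """Decode each xn-- label in the URL's hostname and report what it displays as."""
    host = urlsplit(url).hostname or ""   # hostname only; paths and queries are ignored
    findings = []
    for label in host.split("."):
        if not label.startswith(ACE_PREFIX):
            continue
        try:
            shown = label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
        except ValueError:                # malformed Punycode (UnicodeError is a ValueError)
            findings.append({"label": label, "shown": None, "non_ascii": [], "mixed": False})
            continue
        scripts = {script_of(c) for c in shown if c.isalpha()}
        findings.append({
            "label": label,
            "shown": shown,
            "non_ascii": [unicodedata.name(c, "UNKNOWN") for c in shown if ord(c) > 127],
            "mixed": len(scripts) > 1,    # e.g. Latin letters with one Cyrillic look-alike
        })
    return findings


# Constructed sample: "example" with its "a" replaced by Cyrillic U+0430.
SAMPLE_LABEL = ACE_PREFIX + "ex\u0430mple".encode("punycode").decode("ascii")
SAMPLE_URL = "https://www.%s.test/login" % SAMPLE_LABEL

if __name__ == "__main__":
    for finding in inspect_url(SAMPLE_URL):
        print(finding)
```

A label that decodes to a single script (for example an ordinary German or Russian name) is reported with `mixed` set to false, so the flag separates legitimate IDNs from look-alike substitutions only as a first pass.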