Feb 07, 2005 10:26 # 32549
Jaz *** (9) has all the information you need...
A new exploit has been discovered (demo, advisory) which allows an attacker to redirect seemingly innocent HTML links to arbitrary destinations with little risk of being detected by the user. The URL of the spoofed domain will show up correctly in the address bar.
Do take precautions and disable IDN support in your browser now. To do so in Firefox, type about:config in the address bar and set the entry network.enableIDN to false.
Users of Internet Explorer are not affected unless they installed plugins to enable IDN support.
'Yeah, That's what Jesus would do. Jesus would bomb Afghanistan. Yeah.' - snowlion
Feb 07, 2005 14:32 # 32565
Feb 07, 2005 15:15 # 32569
null *** (11) throws in his two cents...
Thanks. :-)
It's not so much my domain (it's never been heavily used, as 99% of all IE users are locked out anyway) as the fact that something really cool has a problem big enough to question its raison d'être, so to speak.
Short of flashing a warning icon when visiting an IDN and/or refusing to trust secure connections to IDNs (which would restrict the ability to be 'trustworthy' to traditional domain names), does anybody have an idea how this problem could be solved? There are probably a gazillion possible ways of creating two different IDNs which look exactly the same in the address bar. Oh, the joys of Unicode.
"God is dead." - Nietzsche, 1882 "Nietzsche is dead." - God, 1900
Feb 07, 2005 18:38 # 32578
Umm, sorry, I use Opera but don't understand what you wrote. Do I have to care about something?
You click on what looks like a link to your bank, but actually arrive on a criminal's site that merely looks like the one of your bank. And you cannot find out if it's the real or faked thing by looking at the address bar.
'Yeah, That's what Jesus would do. Jesus would bomb Afghanistan. Yeah.' - snowlion
Feb 09, 2005 11:59 # 32676
null *** (11) has all the information you need...
You should be fine as long as you don't follow a manipulated link. As long as you enter an address manually or visit one of your bookmarks, manipulation is not possible (unless somebody intercepts your network traffic, in which case a manipulated URL is the least of your problems).
"God is dead." - Nietzsche, 1882 "Nietzsche is dead." - God, 1900
Feb 09, 2005 11:54 # 32675
null *** (11) has all the information you need...
What exactly is an IDN? And what does it do?
In short - 'traditional' domain names only allow the use of the letters a-z, numbers, and some limited use of the dash (-) and (sometimes) underscore (_). IDN stands for "Internationalized Domain Names" and is a system which allows the use of Unicode characters, i.e. every character or symbol known, in domain names. German people get umlauts, Japanese people could theoretically reserve domain names with kanji in them.
The Swiss domain registrar SWITCH has a good introduction to IDNs.
"God is dead." - Nietzsche, 1882 "Nietzsche is dead." - God, 1900
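To make the two points of this thread concrete (how an IDN reaches the DNS, and why two different names can look identical in the address bar), here is an added example that is not part of any post above and not taken from SWITCH or from the Shmoo advisory. The domain names are constructed for illustration, and the Cyrillic-to-Latin confusable table is a deliberately small, hand-picked subset, not a complete list. It encodes a legitimate umlaut domain and a homograph to their xn-- (punycode) form with Python's built-in IDNA codec, and then applies the kind of check a browser could run before trusting a name: fold known confusables to Latin and refuse to treat a label as an ordinary IDN if it collapses to plain ASCII, or if it mixes scripts.

```python
import unicodedata

# Constructed sample names (assumptions for this example, not from the thread):
# a legitimate German IDN, the ASCII name being imitated, and a homograph in
# which the Latin 'a' (U+0061) is replaced by Cyrillic 'а' (U+0430).
LEGIT_IDN = "münchen.de"
LOOKALIKE_TARGET = "paypal.com"
HOMOGRAPH = "p\u0430ypal.com"

# Small hand-picked subset of Cyrillic letters that render like Latin ones
# in common fonts. A real implementation would use the full Unicode
# confusables data; this table is an assumption made for the example.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def to_punycode(domain: str) -> str:
    """Encode each label with the IDNA codec; non-ASCII labels become xn--...."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Reverse of to_punycode: the Unicode form a browser would display."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Approximate the set of scripts in a label from Unicode character names
    (the first word of the name is the script for letters: LATIN, CYRILLIC, ...).
    Digits and the hyphen are script-neutral and are ignored."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(label: str) -> str:
    """Replace known confusables with the Latin letter they look like."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)


def classify(domain: str) -> str:
    """Return 'ascii' for a traditional name, 'idn' for an ordinary IDN,
    'homograph' if a non-ASCII label looks like a plain ASCII label, and
    'mixed-script' if a label combines letters from several scripts."""
    for label in domain.split("."):
        if label.isascii():
            continue
        # A label that is not ASCII but becomes ASCII once confusables are
        # folded is exactly the spoof discussed above: it renders like the
        # target but resolves to a different name.
        if skeleton(label).isascii():
            return "homograph"
        if len(label_scripts(label)) > 1:
            return "mixed-script"
    if domain.isascii():
        return "ascii"
    return "idn"


if __name__ == "__main__":
    for name in (LEGIT_IDN, LOOKALIKE_TARGET, HOMOGRAPH):
        print(f"{name!r:24} -> {to_punycode(name):24} {classify(name)}")
```

The xn-- form is what actually goes into DNS, so the two names differ completely on the wire; only the decoded display form is ambiguous. The skeleton check catches the whole-script case (every letter replaced by a Cyrillic lookalike) that a pure mixed-script check would miss, while the mixed-script check catches substitutions for which no confusable entry exists. Neither approach distinguishes a real IDN from a lookalike by itself when the spoofed target is itself an IDN, which is why the address-bar warning icon proposed in the thread is a complement rather than a replacement.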