Firefox, Safari, others struck by spoofing flaw
#1
Posted 08 February 2005 - 09:50 AM
A dangerous spoofing security hole has been found in almost every browser on the market -- except one. Mozilla, Firefox, Safari, OmniWeb, Opera and Netscape all suffer from the "moderately critical" vulnerability that allows the spoofing of address bar URLs and SSL certificates, but, incredibly, Microsoft Corp.'s Internet Explorer gets a clean bill of health.
#2
Posted 08 February 2005 - 09:57 AM
For Safari users, check this out. It's not a fix, but it will tell you when the link you clicked on is spoofed.
http://haoli.dnsalia.../Saft/Download/ (Look for "Saft Lite")
#7
Posted 08 February 2005 - 01:21 PM
In reply to:
Isn't Safari based on Konqueror (KHTML)?
More or less. Apple took the open source renderer, enhanced it, and used it as the basis for WebCore, which is the core of Safari. KDE absorbed the open source changes; so given a sufficiently recent Konqueror, the rendering code for it and Safari are essentially identical. This source base has no substantial direct influence from or on Gecko; so characterizing these as a single family is misleading.
I wonder if the difference is that Windows IE uses Unicode while the others are ASCII based?
#9
Posted 08 February 2005 - 02:27 PM
Actually, though the article pins the blame on Gecko, it seems to affect ALL modern browsers regardless of which engine they use, so long as they support the international domain name standard (which is intended to allow domain names to be in their native languages, and uses Unicode for the text encoding). This includes Gecko-based browsers, KHTML-based browsers, and even Opera. Microsoft's browser is excluded because they don't adhere to that standard.
The problem is that Unicode includes several identical-looking characters with different numerical codes. They look the same to humans but different to computers.
Their test case puts 'http://www.paypal.com/' in the address bar, but the second 'a' in paypal is actually an extended Unicode character that looks like a normal 'a'. Browsers that display Unicode domain names display it correctly, while IE, which doesn't support Unicode domain names, displays gibberish: 'http://www.paypl.com/'.
The security flaw seems to be in the standard itself. The only thing that saved Microsoft here is that their standards support is so out of date.
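The lookalike-character problem described in post #9 can be checked for mechanically. The following is an added example, not part of the original thread: it assumes the substituted character is Cyrillic U+0430 (the thread does not say which one), and the function names, the sample host and the small lookalike table are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x"}

# Constructed sample: "paypal" with its second 'a' replaced by U+0430 (assumed).
SPOOF = "www.payp\u0430l.com"

def label_scripts(label):
    """Approximate the scripts used in one DNS label from character names."""
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphen are shared by every script
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def skeleton(host):
    """Fold known lookalikes to the Latin letter they resemble."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in host.lower())

def inspect_host(host, protected):
    """Report what the resolver sees and why the name is suspicious."""
    # The ASCII (Punycode) form is what is actually looked up in DNS.
    ascii_form = host.encode("idna").decode("ascii")
    mixed = []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:  # e.g. Latin and Cyrillic in one label
            mixed.append((label, sorted(scripts)))
    imitates = None
    for name in protected:
        # Same appearance after folding, but not the same code points.
        if host.lower() != name and skeleton(host) == name:
            imitates = name
    return {"ascii": ascii_form, "mixed": mixed, "imitates": imitates}

if __name__ == "__main__":
    for h in (SPOOF, "www.paypal.com"):
        print(repr(h), inspect_host(h, ["www.paypal.com"]))
```

Showing the ASCII form, or refusing labels that mix scripts, makes the substitution visible to the user even though the rendered Unicode name looks unchanged.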
#13
Posted 08 February 2005 - 04:47 PM
Well, the IDN standard itself is flawed and is a feature that should be killed.
Many of the Windows security problems in the 90's were due to its having useful features that could be exploited for evil. Things like making it too easy to open certain types of email attachments (like executables). This was a very useful feature until it started to be exploited. With everyone screaming "security over features" in their ears, Microsoft severely crippled that feature so that now "dangerous" attachments must be sent as zip files, opened, and then run. Some attachments are just removed altogether. Yes, it's a lot safer but also much more inconvenient.
Well, this IDN feature was something that sounded good, but it's exploitable, so it too must be killed (or crippled, or made to look ugly (some of the proposals that Slashdot folks are making are to use different color fonts for different character sets blech)).