OT: Important Security Issue in Non-IE browsers

[Sivran]

Ironically IE is NOT affected by this vulnerability.

...but then unless it has the plugin for it, it doesn't support this anyway!

Thread at DSLReports Security: The state of homograph attacks

Brief Summary: browsers supporting Punycode/IDN are vulnerable to a URL spoofing attack that can easily fool less sophisticated and complacent users. The address bar will contain the expected url (in text, not an image even!) and even the https: protocol and lock icon can be spoofed.

The most disturbing part of the story is this: (emphasis mine)

Quote:

VI. Vendor Responses

Opera: They believe they have correctly implemented IDN, and will not be making any changes.

Proof of concept link:
http://www.shmoo.com/idn/

There is a workaround for Mozilla browsers but it only partially works. In the meantime I suggest you type in/use a bookmark and never click links in emails. As for Opera users, show your displeasure by pirating...oh wait, I mean, by switching to Mozilla.

[Spoo]

The fix for Firefix is pretty simple. Type aboutfig in the address bar. Scroll down until you see network.enableIDN then double-click it to change the value to false. This shouldn't hurt anything, since IE doesn't support this feature anyway (and the internet is IE-biased).

[Sivran]

As noted in the DSLReports thread, that workaround doesn't work correctly. The behavior doesn't stick, although the setting does still appear. It will hopefully be soon fixed.

There is another workaround for Mozilla browsers that involves editing another file. This post contains it. Also see this one.

There we go.

There's also a Proxo filter that Proxomitron users can add: This one