
All your SSL are belong to us!

Lifted

Diamond Member
[Edit]

Vulnerable browsers include (but are not limited to):

Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc.)
Safari 1.2.5
Opera 7.54
Omniweb 5

"Every recent gecko/khtml based browser implements IDN (which is just about every browser except for IE; plug-ins are available)."

[/Edit]


http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html

Shmoo Group exploit: 0wn any domain, no defense exists

Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws our on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon." Link (Thanks, Pablos!)


 
Just disable IDN support.

Put about:config into the URL bar
Filter on network.enableIDN
Change true to false.
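
Where the browser preference above cannot be relied on, IDN hostnames can also be flagged when they turn up in links or proxy logs. This is an added example, not code from the thread or the advisory; the sample hostname is constructed and the function names are illustrative.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample: "example" with Cyrillic U+0430 in place of Latin "a",
# encoded to its ASCII-compatible (punycode) form as it appears in DNS and logs.
SAMPLE_ACE = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii")

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and hyphen are shared
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_host(url):
    """Return one finding per IDN label in the URL's hostname."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                text = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                text = None  # malformed punycode is itself worth flagging
        elif not label.isascii():
            text = label  # raw Unicode hostname, not yet converted
        else:
            continue  # plain ASCII label, nothing to report
        scripts = sorted({script_of(c) for c in (text or "")} - {"COMMON"})
        findings.append({"label": label, "unicode": text,
                         "scripts": scripts, "mixed": len(scripts) > 1})
    return findings

if __name__ == "__main__":
    for url in ("https://www.example.com/login",
                "https://www." + SAMPLE_ACE + ".com/login",
                "http://\u043f\u0440\u0438\u043c\u0435\u0440.example/"):
        print(url.encode("ascii", "backslashreplace").decode(), inspect_host(url))
```

A label that mixes scripts is the suspicious case; a label written entirely in one non-Latin script is reported but not marked as mixed.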
 
Yes, that is supposed to work in Firefox, which makes it a good solution for the non-IE, English speakers of the world.
 
"All browser URL spoof... no fix" Since this does not affect IE (which is still 80+% of the browsers used), saying this is an 'all browser' issue is false.

Bill
 
I didn't realize that IE didn't have IDN support. Maybe Microsoft actually noticed this would be an issue.
 
Originally posted by: Lifted
I didn't realize that IE didn't have IDN support. Maybe Microsoft actually noticed this would be an issue.
Probably not considering they missed a shedload of other vulnerabilities and are forever patching IE to make it less insecure.
 
I haven't read this fully but is this like a security risk for anybody? I mean, do I need to make any changes to my browser or am I ok? From what it looks like it just looks like you have the opportunity to take over paypal or whatever. Like I said, I didn't read it all, and I got lost following the links.

Thanks

P.S.
I use Firefox almost exclusively now, except for problems loading some pages and winupdates; I use IE for those.
 