Here's some info. I saw....
If you're using Firefox you need to be very careful for possible phishing
problems. Apparently this problem doesn't hurt IE, but I checked it with my
Firefox and it *was* definitely a problem! Someone will exploit this and
cause a lot of problems. If you're using Firefox go to
http://www.shmoo.com/idn/ You will see a message:
This works in everything except IE (ha!)
<http://www.p%D0%B0ypal.com/>Click here to enter paypal
<https://www.p%D0%B0ypal.com/>Click here to enter paypal via ssl
The really scary one is via ssl.
Here is the fix given by http://www.boingboing.net/ (scroll down to "Shmoo
Group exploit: Own any domain, no defense exists.")
1) Go to your Firefox address bar. Enter about:config and press enter.
Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is
International Domain Name support, and it is causing the problem here. We
want to turn this off -- for now. Ideally we want to support international
domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog
set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.
Because IE doesn't support International Domain Names natively. If you
have the i-Nav plug-in [ http://www.idnnow.com/ ] installed in IE to be
able to view international domains, you're just as vulnerable.
It works in every other browser, because they all implemented the IDN
standard natively.
This is a problem in the standard, not the browser.
(To anybody else) Before shouting that the fix didn't work for you after
first visiting the spoof site, remember the browser cache. Your browser is
looking at the stored copy, not the actual site.
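
Added example, not part of the original posts: a Python check for the spoof described in this thread. It decodes the percent-encoded host from the demo link, flags any label that mixes scripts, and shows the ASCII (punycode) name that DNS actually resolves. The function names and the mixed-script heuristic are assumptions of this example; it does not catch a name written entirely in one look-alike script.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# The two demo links quoted in the thread, plus two constructed controls.
SAMPLE_URLS = [
    "http://www.p%D0%B0ypal.com/",
    "https://www.p%D0%B0ypal.com/",
    "https://www.paypal.com/",          # constructed: plain ASCII control
    "http://пример.испытание/",         # constructed: single-script IDN control
]


def script_of(ch):
    """Coarse script tag: first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    if not ch.isalpha():
        return None  # digits and hyphens carry no script
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_host(url):
    """Decode the host of `url` and report labels that mix scripts."""
    host = unquote(urlsplit(url).hostname or "")  # %D0%B0 -> U+0430
    mixed = []
    for label in host.split("."):
        scripts = {script_of(c) for c in label} - {None}
        if len(scripts) > 1:  # heuristic assumed by this example
            mixed.append((label, sorted(scripts)))
    return {
        "host": host,
        # IDNA ToASCII form: the name that is looked up in DNS
        "ascii": host.encode("idna").decode("ascii"),
        "mixed": mixed,
    }


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        info = inspect_host(url)
        verdict = "SUSPICIOUS" if info["mixed"] else "ok"
        print(f"{verdict:10} {info['ascii']:28} {info['mixed']}")
```

Showing the "ascii" form instead of the decoded Unicode name is enough to make the demo link visibly different from the real site.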