Re[2]: IDN problem.... :(

From: Karl Pentzlin (karl-pentzlin@acssoft.de)
Date: Fri Feb 11 2005 - 17:52:31 CST

    There are other ways to protect the user from entering sensitive
    information on spoof pages than visually marking the script of the
    single URL letters in the browser display.
    The companies which supply internet security tools (or the
    organisations which supply the browsers) will surely find ways which
    are OT here, e.g. showing whois information at a prominent place.
    Look e.g. at http://toolbar.netcraft.com/ for an example of spoof
    protection which is already available.

    Karl Pentzlin
    AC&S Analysis Consulting & Software GmbH
    Schongau, Bavaria, Germany

    --
    On Thursday, 10 February 2005 at 23:48, John Burger wrote:
    JB> Frank Yung-Fong Tang wrote:
    >> Any one have any comment about
    >> https://bugzilla.mozilla.org/show_bug.cgi?id=279099
    JB> Here's a popular press description of the problem
    JB>    http://www.macworld.com/news/2005/02/08/spoof/index.php
    JB> which points to a test for it at Secunia.com.  (They registered 
    JB> paypal.com spelled with a Cyrillic "a".)  Ironically, IE doesn't fall
    JB> for the spoof, because it apparently doesn't handle IDNs.  Of course,
    JB> from a user interface perspective, browsers need to do something about
    JB> this, but I find it annoying that it's described as a "security flaw".
    JB> My browser doesn't warn me about g00g1e.com yet, either.
    JB> - John D. Burger
    JB>    MITRE
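
The per-letter script marking discussed in this thread, as an added example that is not part of the original messages: it decodes ACE ("xn--") labels and marks letters that fall outside a label's dominant script. The function names are hypothetical, and the script of a character is approximated by the first word of its Unicode name, because the Python standard library does not expose the Unicode Script property.

```python
import unicodedata
from collections import Counter

def char_script(ch):
    """Approximate script: first word of the Unicode character name (an assumption)."""
    if ch in "0123456789-":
        return "COMMON"  # digits and hyphen are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding ACE ("xn--") labels."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label

def check_hostname(host):
    """Return one finding per label that mixes letters from more than one script."""
    findings = []
    for label in host.split("."):
        try:
            text = decode_label(label)
        except UnicodeError:
            # Malformed ACE label: report it rather than guessing its content.
            findings.append({"label": label, "scripts": ["UNDECODABLE"], "marked": label})
            continue
        counts = Counter(char_script(c) for c in text)
        counts.pop("COMMON", None)
        if len(counts) < 2:
            continue  # single-script label: nothing to mark
        dominant = counts.most_common(1)[0][0]
        marked = "".join(
            c if char_script(c) in ("COMMON", dominant)
            else f"[{char_script(c)} U+{ord(c):04X}]"
            for c in text)
        findings.append({"label": label, "scripts": sorted(counts), "marked": marked})
    return findings

# Constructed sample: "paypal" with its second letter replaced by CYRILLIC SMALL LETTER A.
SPOOF = "p\u0430ypal.com".encode("idna").decode("ascii")

if __name__ == "__main__":
    # g00g1e.com is pure ASCII, so a script check has nothing to flag there.
    for host in (SPOOF, "paypal.com", "g00g1e.com"):
        print(host, check_hostname(host))
```

A label written entirely in one non-Latin script passes this check, so it covers only the mixed-script case.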
    

