[webwithout-ie] article: Phishing flaw a danger to alternative browsers:

  • From: "david poehlman" <david.poehlman@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <webwithout-ie@xxxxxxxxxxxxx>
  • Date: Mon, 7 Feb 2005 21:58:15 -0500

A chink in our armor?
Jonnie Apple Seed

Phishing flaw a danger to alternative browsers
Published: February 7, 2005, 1:17 PM PST
By Robert Lemos, Staff Writer, CNET News.com

A security weakness in a standard for handling special character sets in domain names could let an attacker spoof Web sites on non-Microsoft browsers, a researcher has warned.

The problem arises because certain browsers support a standardized way of representing domain names in the letters or characters of any language, security expert Eric Johanson said at the ShmooCon hacker convention this weekend. Called Internationalized Domain Names, the standard allows companies to register domain names that appear to be the same in different languages.

That encoding scheme could enable an attacker to create a fake Web site for a phishing scam. A spoofed link would seem to be a legitimate URL in the address bar of affected browsers--Opera, Apple Computer's Safari, and the Mozilla and Firefox browsers from the Mozilla Foundation. But instead of taking the victim to the trusted site, the link would lead to a phony Web site with a domain rendered as the same address under the IDN process.

The Mozilla Foundation is looking for a long-term solution to the issue, Chris Hofmann, director of engineering at the company, said in a statement.

"With the increase in phishing attacks, there is a growing concern that exploits could take advantage of this feature to trick users into visiting rogue sites," Hofmann stated. "Mozilla is looking at options for fixing or disabling this feature and should have more information available very soon."

Phishing attacks, which try to fool consumers into handing over sensitive information by creating legitimate-looking Web sites and e-mail messages, have become a central security concern recently. While vulnerabilities in Microsoft's Internet Explorer have been the focus of much of the concern, other browsers also have had their fair share of flaws.

The security weakness in the IDN scheme comes as registrars push for support for expressing domain names in different languages and scripts.

"There are now many ways to display any domain name on a browser, as there are a huge number of (character sets) which look very similar to Latin (characters)," Johanson said in an advisory.

The advisory demonstrates the attack using the domain for PayPal, but using an alternate Unicode character for the first "a." That gives an address that looks like "http://www.pàypal.com," but with a smaller "a."

Details of the flaw were shown at ShmooCon, a hacking and computer security convention, in Washington D.C., last weekend. The Shmoo Group, a loose association of security professionals that runs the convention, notified the affected browser makers in mid-January. Johanson is a member of the Shmoo Group.

Apple, VeriSign and Opera Software could not immediately be reached for comment.

Microsoft has not implemented support for IDN yet, so its IE browser is not vulnerable to the flaw.

Browser security is gaining attention among software makers. In December, Internet security company Netcraft released an IE plug-in that it said could help people avoid becoming victims of online fraud. In addition, Netscape announced last month that it is getting ready to release a browser designed to resist phishing attacks.
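The IDN lookalike problem the article describes, as an added example that is not from the article, the Shmoo advisory or any browser vendor: a small Python check of the kind a defender (or a browser's address bar) can run on a hostname. It converts the name to the ASCII-compatible "xn--" form that resolvers actually look up, and flags labels that mix scripts or that collapse to an ASCII lookalike once diacritics and known confusable letters are stripped. The confusables map is a constructed subset, not the full Unicode table, and the Cyrillic variant is an assumed sample beyond the accented "a" the article quotes.

```python
import unicodedata

# Constructed subset of Unicode lookalike pairs (Cyrillic letters that render
# like Latin ones). The authoritative list is Unicode's confusables.txt; this
# small map is an assumption made for the example.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",
}


def to_ascii_form(host: str) -> str:
    """Return the ASCII-compatible (xn--...) form a resolver actually looks up.

    Python's built-in "idna" codec performs the nameprep/punycode conversion;
    a plain ASCII hostname comes back unchanged, so showing this form in an
    address bar is one way to make a lookalike domain visibly different.
    """
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """First word of the character's Unicode name, e.g. LATIN or CYRILLIC."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(label: str) -> str:
    """Crude confusable skeleton: drop diacritics, map known lookalikes to ASCII.

    Both "pàypal" (Latin a with grave) and the Cyrillic-a variant collapse
    to "paypal", which is exactly why they fool a reader.
    """
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped).lower()


def analyze_host(host: str) -> dict:
    """Flag hostname labels that mix scripts or that only look like an ASCII name."""
    findings = []
    for label in host.split("."):
        # Mixed-script check: a single label drawing letters from two scripts
        # is the classic homograph pattern.
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        # Whole-label lookalike check: catches the accented-a case, which is
        # all Latin and so passes the mixed-script test.
        collapsed = skeleton(label)
        if not label.isascii() and collapsed.isascii():
            findings.append(f"label '{label}' is a lookalike of ASCII '{collapsed}'")
    return {
        "display": host,
        "ascii_form": to_ascii_form(host),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: the real domain, the accented "a" the article
    # quotes, and an assumed Cyrillic-a variant.
    for sample in ["paypal.com", "p\u00e0ypal.com", "p\u0430ypal.com"]:
        report = analyze_host(sample)
        print(report["display"], "->", report["ascii_form"],
              "SUSPICIOUS" if report["suspicious"] else "ok")
        for finding in report["findings"]:
            print("   ", finding)
```

The two checks are deliberately separate: the accented "a" in the article's example is a Latin letter, so a mixed-script rule alone would not flag it, while the skeleton rule would miss a label written entirely in one non-Latin script. Displaying the "xn--" form, which the Mozilla statement's "disabling this feature" option amounts to in practice, is the blunt mitigation that needs no heuristics at all.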
