# Phishing Vulnerability Found In KHTML & Gecko Browsers

## zerojay

http://chrisnowak.org/comments.php?id=24_0_1_0_C

I tested the links provided there on Konqueror and sure enough, it's vulnerable. Apparently just about every last browser except IE is vulnerable to this problem (because IE never implemented the feature that is the cause for this hole).

----------

## hensan

Well that's no good  :Confused: 

Good thing you can disable IDN in Mozilla based browsers.

Interesting reply shmoo got from the Opera folks:

 *Quote:*   

> They believe they have correctly implemented IDN, and will not be making any changes.

 

----------

## Pink

Thanks for letting us know about this.

In case people don't know how to change the settings:

You can change the IDN setting by typing `about:config` in a new tab.

Then enter `enableIDN` in the filter.

Simply double-click the 'enableIDN' entry to set it to false.

Then try the 'paypal' links again. You will not be able to load them.

I think this is a pretty bad vulnerability, but at least you can do something about it.

----------

## hensan

Hmm, the workaround doesn't seem to work very well. After you restart the browser it resolves IDN addresses just fine again, even though network.enableIDN is still false in about:config  :Confused: 

----------

## Pink

Yes, you're not wrong. Not too happy about that.

----------

## Red Sparrow

Great, somebody found yet another way to crap up the Internet.  I bet Microsoft sees this as the perfect opportunity to tell us all about how open-source software is riddled with security flaws and how IE is perfectly secure in every way.

(- Steve -)

----------

## Flammie

Uhmm... if you disable IDN you will also lose access to all Internationalized Domain Names, isn't that correct? I think this workaround isn't really usable for lots of people, but the situation is kind of tricky for the web browser's developer point of view.

----------

## j-m

 *Flammie wrote:*   

> Uhmm... if you disable IDN you will also lose access to all Internationalized Domain Names, isn't that correct? I think this workaround isn't really usable for lots of people, but the situation is kind of tricky for the web browser's developer point of view.

 

Lots of people? C'mon. MS IE does not support this, so where are the IDN crowds?  :Laughing: 

BTW, this is NOT a browser problem, this is an IDN problem. Pretty useless idea anyway, and it seems extremely dangerous now.   :Mad:   :Evil or Very Mad: 

----------

## kallamej

See also https://forums.gentoo.org/viewtopic.php?t=292283

----------

## Flammie

 *j-m wrote:*   

> Lots of people? C'mon. MS IE does not support this, so where are the IDN crowds?  

 

A milliard people in China pop into mind, as well as a few more in Japan and other parts of Asia. Using ASCII domain names is a big and problematic limitation for a lot of average users in the non-US-ASCII world, but I guess that doesn't count for self-absorbed Americans   :Rolling Eyes: 

----------

## j-m

 *Flammie wrote:*   

>  *j-m wrote:*   Lots of people? C'mon. MS IE does not support this, so where are the IDN crowds?   
> 
> A milliard people in China pop into mind, as well as a few more in Japan and other parts of Asia. Using ASCII domain names is a big and problematic limitation for a lot of average users in the non-US-ASCII world, but I guess that doesn't count for self-absorbed Americans  

 

First of all, I am NOT an American at all.

Second: IDNs limit the usability of the internet. How on earth am I supposed to type Chinese/Japanese on a US keyboard with locales set to English? Using Punycode? Oh great, what a "solution".  :Rolling Eyes: 

Third: Maybe you should see http://james.seng.cc/archives/2005/02/08/idn_and_homographs_spoofing.html first and then talk...  This is the same stupid thing which breaks RFCs, like when Verisign put A records for COM and NET in their root DNS servers...   :Rolling Eyes:   :Evil or Very Mad: 

----------

## Flammie

 *j-m wrote:*   

> Second: IDNs limit the usability of the internet. How on earth am I supposed to type Chinese/Japanese on a US keyboard with locales set to English? Using Punycode? Oh great, what a "solution".  

 

Why would you want to go to a Chinese/Japanese-only website if you don't even know how to type Chinese/Japanese? It can be done even with a US keyboard and an English locale. 

Will you next complain that your usability is limited because you can't understand kanji on those Chinese sites?

 *Quote:*   

> http://james.seng.cc/archives/2005/02/08/idn_and_homographs_spoofing.html first and then talk...  This is the same stupid thing which breaks RFCs, like when Verisign put A records for COM and NET in their root DNS servers...   

 

Ok, I read it. What should I think now? I've always known Verisign sucked a big deal.

Or perhaps I should present it like this   :Arrow:   :Rolling Eyes:   :Laughing:   :Laughing:   :Rolling Eyes:   :Twisted Evil:   :Question:   :Wink: 

----------

## j-m

 *Flammie wrote:*   

> 
> 
> Why would you want to go to a Chinese/Japanese-only website if you don't even know how to type Chinese/Japanese? It can be done even with a US keyboard and an English locale. 
> 
> 

 

Contrary to what you may think or believe, people often go to Japanese "only" sites either to search for/download drivers (think Windows users) or to read some howtos (I have seen some excellent postfix and other howtos there), b/c configuration file examples are still in English and this is often enough. People also need to send email - sorry, you may be a genius but I am not able to type an email address in Japanese on my English keyboard, and I really don't want to, either. 

Looking at your post, you must of course welcome it wholeheartedly when someone sends you an email attachment with Chinese/Japanese/Arabic characters in the file name - what a joy to work with such files (like moving/renaming them, etc.). Excellent idea!

OK, I'm not going to waste more time on this. IDNs are evil; it is a totally useless thing with the only purpose of generating more money for registrars. Period. 

 :Rolling Eyes: 

----------

## bbroeksema

 *hensan wrote:*   

> Hmm, the workaround doesn't seem to work very well. After you restart the browser it resolves IDN addresses just fine again, even though network.enableIDN is still false in about:config 

 

Same problem here indeed. Is there no workaround for this?

----------

## Flammie

 *j-m wrote:*   

> Contrary to what you may think or believe, people often go to Japanese "only" sites either to search for/download drivers (think Windows users) or to read some howtos (I have seen some excellent postfix and other howtos there)

 

I still don't assume people will find such sites in a language unknown to them by manually typing something into the address bar in a character set that is unknown to them; I'd say 99.9% of these cases happen via Google or by clicking a link or so. 

If there's a commercial manufacturer of international products that serves drivers only on a Taiwanese web site, I'd think that will hurt their business even if the site name was a Latin transliteration or such.

 *Quote:*   

> People also need to send email - sorry, you may be a genius but I am not able to type an email address in Japanese on my English keyboard, and I really don't want to, either. 

 

I'd again guess that people who want to get email from English-speaking audiences would have an email address that's accessible to them. 

 *Quote:*   

> Looking at your post, you must of course welcome it wholeheartedly when someone sends you an email attachment with Chinese/Japanese/Arabic characters in the file name - what a joy to work with such files (like moving/renaming them, etc.). Excellent idea!

 

Yes, I have been using Unicode filesystems for longer than they have been usable now; my shell provides great tab-completion and I even have some graphical file managers to use, not to mention the fact that my revolutionary mail program has the possibility to save attachments with a filename different from the one suggested in the headers.

There's, by the way, a longish discussion of the issue in Mozilla's bug database which will explain a bit more why it is so problematic: https://bugzilla.mozilla.org/show_bug.cgi?id=279099

----------

## j-m

 *Flammie wrote:*   

> 
> 
> Yes, I have been using Unicode filesystems for longer than they have been usable now; my shell provides great tab-completion and I even have some graphical file managers to use, not to mention the fact that my revolutionary mail program has the possibility to save attachments with a filename different from the one suggested in the headers.
> 
> 

 

Ok, your revolutionary shell has unfortunately not made it to everyone yet; nor has your revolutionary tab-completion and email system. Honestly, I think that other people don't care about those revolutions at all. Take it as you want, but I don't want to deal with this crap at all.

----------

## converter

 *hensan wrote:*   

> Hmm, the workaround doesn't seem to work very well. After you restart the browser it resolves IDN addresses just fine again, even though network.enableIDN is still false in about:config 

 

I've seen comments from several users who said they had to clear the disk cache before they noticed the effect of the disabled IDN support.

In my case, the setting worked immediately, but Firefox 1.0 (r3) was not dumping the pref to prefs.js, so it didn't stick between sessions. I added the pref manually, and no problems after that.

----------

## Pink

 *converter wrote:*   

> I've seen comments from several users who said they had to clear the disk cache before they noticed the effect of the disabled IDN support.
> 
> In my case, the setting worked immediately, but Firefox 1.0 (r3) was not dumping the pref to prefs.js, so it didn't stick between sessions. I added the pref manually, and no problems after that.

 

It's set in my prefs.js as well but it still ignores it on a restart. I'm just being careful at the moment. I doubt I will come across a site that I can't spot but I will wait until a 'solution' is found (if one ever is).

There was an interesting article on this yesterday (I can't remember where though, sorry) showing recent domain name purchases. One guy in the US has bought three 'paypal' sites this week alone. Watch this space for people being duped!

----------

## Herring42

I think the main thing is to never trust links that are provided.

If you always type those 'important' links by hand - banking, eBay etc. - you will not get exploited. Not even by a new exploit that no one knows about yet.

----------

## petu

I tried the https and http link with Konqueror 3.3.2, and Konqueror showed the http link so that there was a risk of phishing (when looking at the address bar carefully it can be seen that the a is somehow weird). When using https, Konqueror warned that "the ip address of host https://www.paypal.com does not match the one the certificate was issued to".

----------

## Flammie

 *j-m wrote:*   

> Ok, your revolutionary shell has unfortunately not made it to everyone yet; nor has your revolutionary tab-completion and email system. Honestly, I think that other people don't care about those revolutions at all. Take it as you want, but I don't want to deal with this crap at all.

 

Yes, I think I already got that You don't want anything to do with it, and I couldn't personally care less whether You touch Unicode-encoded filenames with Your email software or not, but there are more people in the world than You, and some of them do appreciate it if they can use the character set they want and are comfortable with on the Internet. Actually, restricting the whole world to the US-ASCII charset just because You don't like other charsets isn't all that good an argument, is it?

----------

## Flammie

 *petu wrote:*   

> I tried the https and http link with Konqueror 3.3.2 - -. When using https, Konqueror warned that "the ip address of host https://www.paypal.com does not match the one the certificate was issued to"

 

It's too unfortunate that average users have already learned to click yes-yes-agree-agree to these certificate problems without looking.

Of course the problem here is that browsers will always display a similar warning if they don't recognize the certificate issuer, and the widely recognized issuers at the moment are commercial companies selling overpriced certificates.

----------

## j-m

 *Flammie wrote:*   

> Actually, restricting the whole world to the US-ASCII charset just because You don't like other charsets isn't all that good an argument, is it?

 

Actually, forcing everyone to use IDNs and break things just because you like it isn't all that good an argument, is it?   :Rolling Eyes: 

----------

## Flammie

 *j-m wrote:*   

>  *Flammie wrote:*   Actually, restricting the whole world to the US-ASCII charset just because You don't like other charsets isn't all that good an argument, is it? 
> 
> Actually, forcing everyone to use IDNs and break things just because you like it isn't all that good an argument, is it?  

 

Umm, what? If there's a possibility to register IDNs, no one's forcing you to do so; denying the possibility implies forcing, allowing it doesn't imply forcing their use. Common sense can also be applied here. Even if I could post all my posts here in Unicode I don't do so; can you guess why?

----------

## j-m

 *Flammie wrote:*   

> 
> 
> Umm, what? If there's a possibility to register IDNs, no one's forcing you to do so; denying the possibility implies forcing, allowing it doesn't imply forcing their use. Common sense can also be applied here. 

 

Oh sure - common sense tells me that if someone has an IDN-ized URL or email address I am forced to take it or leave it. Save for the fact that only an idiot would resort to using IDNs only, because of the incompatibility and problems discussed above. I.e., the real benefit for users: none; the real benefit for registrars: $.$$$.$$$. 

If you can't see it, then you must probably be blind.  :Rolling Eyes: 

P.S. In my mother language, this presents a real problem: companies would have to register lots of domains to prevent others from misleading their customers. These are domains they would not need or use otherwise. For instance:

```
domena.cz
domená.cz
doméná.cz
dóméná.cz
dómena.cz
dóména.cz
doměna.cz
dóměna.cz
dóměná.cz
```

This means: lots of money in the registrars' pockets; the real benefit for these companies: virtually zero, nothing but problems and costs.   :Rolling Eyes: 

----------

## Flammie

 *j-m wrote:*   

> Oh sure - common sense tells me that if someone has an IDN-ized URL or email address I am forced to take it or leave it.

 

Yes, and you decided to leave it. So?

 *Quote:*   

> I.e., the real benefit for users: none; the real benefit for registrars: $.$$$.$$$. 

 

I really couldn't care less if commercial corporations needing both localized and ASCIIfied domain registration are gonna get hit by this. If some evil corporations are gonna die because of paying $20 a year for domains instead of $5, then good riddance.

 *Quote:*   

> If you can't see it, then you must probably be blind.  

 

If you don't see the benefit, you are truly blind! (this blindness is not a blessing)   :Rolling Eyes:   :Rolling Eyes:   :Rolling Eyes: 

 *Quote:*   

> P.S. In my mother language, this presents a real problem: companies would have to register lots of domains to prevent others from misleading their customers. These are domains they would not need or use otherwise. For instance:
> 
> ```
> 
> domena.cz
> ...

 

Yes, this is the thing this whole discussion so far has been about. On the local level, however, it can be solved: since top-level domain names are registered and controlled at government level, you should just ask your local politicians to prevent spoofing registrations in the way mentioned above, and perhaps even ask for free registration of alternate spellings. This is what is currently being planned at Finnish government level as well as in the European Parliament, IIRC.  The biggest problem is that this should've been controlled by the .{com,org,net,...} registrars as well, but it wasn't.

----------

## j-m

 *Flammie wrote:*   

> 
> 
> If you don't see the benefit, you are truly blind! (this blindness is not a blessing)    
> 
> 

 

No, I don't see any benefit in breaking the things that work.

No, I don't see any benefit from sponsoring registrars involuntarily.

No, I don't see any benefit from having to register several times more domains than I would have to otherwise. 

No, I don't see any benefit from opening yet another way of phishing. 

Discussion finished from my side...   :Exclamation: 

----------

## Flammie

 *j-m wrote:*   

> No, I don't see any benefit in breaking the things that work.
> 
> No, I don't see any benefit from sponsoring registrars involuntarily.
> 
> No, I don't see any benefit from having to register several times more domains than I would have to otherwise. 
> ...

 

You don't see any benefit in potential flaws? Wow, so now we might even think that you follow some sort of logic. Isn't that a-cool.

 *Quote:*   

> Discussion finished from my side...  

 

And this you said a couple of messages ago, but I guess it's hard to be logical all the time after all.

----------

## Carlo

Why do we have domain names? Because it's far simpler than memorizing IPvX numbers. Even if you could distinguish the different characters: memorizing all combinations of all alphabets available via Unicode, or whatever you choose to represent these languages, is not possible. Hiding the complexity from the user is nearly impossible as well. All the approaches to do this will (try to) minimize the problem at best.

I think IDN is another step, forcing the divide of the web in a trusted (commercial) and untrusted part. Maybe we end up with browsers, which disable the connection to untrusted sites by default.

----------

## Pink

Update available (suck on that MS!).

http://www.mozilla.org/products/firefox/releases/

Summary:

 *Quote:*   

> Here's what's new in Firefox 1.0.1:
> 
>     * Improved stability
> 
>     * International Domain Names are now displayed as punycode.
> ...

 

 :Very Happy: 

----------
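The Firefox 1.0.1 change quoted in the last post (show IDN labels as punycode rather than as rendered Unicode) and the lookalike `domena.cz` spellings listed earlier are illustrated by the following added example; it is editorial code, not code from the thread or from Mozilla, and the sample hostnames and the name-based script check are constructed for the demonstration.

```python
import unicodedata

# Constructed sample hostnames (not from the original thread, except the accented
# "domená.cz" spelling one poster listed among lookalikes of domena.cz).
SAMPLE_HOSTS = [
    "paypal.example",          # plain ASCII: nothing to convert
    "domená.cz",               # accented variant from the thread's list
    "bücher.example",          # classic IDN example from RFC 3492 era docs
    "p\u0430ypal.example",     # second letter is Cyrillic U+0430, not Latin 'a'
]

def to_display(hostname: str) -> str:
    """Render a hostname the way Firefox 1.0.1 does: ASCII labels as typed,
    non-ASCII labels in their xn-- punycode form (RFC 3490 ToASCII via the
    standard 'idna' codec)."""
    return hostname.encode("idna").decode("ascii")

def letter_scripts(label: str) -> set:
    """Script names of the letters in a label, taken from the first word of each
    character's Unicode name (assumption: adequate for a demonstration, not a
    substitute for a real Unicode Script property table)."""
    return {
        unicodedata.name(ch).split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }

def assess(hostname: str) -> dict:
    """Summarise what a cautious browser wants to know before showing the name:
    its punycode display form, which labels are non-ASCII, and whether any
    label mixes scripts (the homograph pattern the thread is about)."""
    labels = hostname.split(".")
    non_ascii = [lab for lab in labels if not lab.isascii()]
    mixed = any(len(letter_scripts(lab)) > 1 for lab in labels)
    return {
        "display": to_display(hostname),
        "non_ascii_labels": non_ascii,
        "mixed_script": mixed,
    }

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        info = assess(host)
        print(f"{host!r:28} -> {info['display']:28} "
              f"non-ascii={bool(info['non_ascii_labels'])} "
              f"mixed={info['mixed_script']}")
```

Pure-ASCII names pass through unchanged, while every non-ASCII label becomes an `xn--` label, which is the visual cue Firefox 1.0.1 relies on; the mixed-script flag catches the case where a label looks entirely ASCII on screen but is not.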