Your message dated Fri, 29 Oct 2010 19:32:32 +0200
with message-id <[email protected]>
and subject line Re: Bug#580940: Firefox does not show arabic domains but 
unreadable Puny-Code
has caused the Debian Bug report #580940,
regarding Firefox does not show arabic domains but unreadable Puny-Code
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
580940: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580940
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: firefox
Severity: minor

Hello Maintainer,

I have a customer who has an Arabic Puny-Code domain on my server
which is now working, but Firefox shows a security problem.

I had already asked on the Apache mailing list, but:

----[ STDIN ]-----------------------------------------------------------
On 2010-05-09 14:10:32, you hacked out the following:
> On 5/9/2010 7:38 AM, Michelle Konzack wrote:
> > since some days there are punycodes available for three Arabic TLDs and I
> > like to know, what must I do that if I type for example the domain
> > "تامايدوجان.سى" <tamay-dogan.sa> that it stays like this and does not
> > change back to this crappy looking punycode domain.
> 
> I believe this is entirely under the wisdom of your browser, since httpd does
> nothing to influence the display of the URL bar.  It wouldn't be added,
> because allowing the servers to obfuscate the URL bar would be a huge
> security issue with website impersonation.

And for what do you think are Puny-Code domains useful?

I mean, someone using a Puny-Code domain from the UE or SA knows, the
domains generally are only accessible for people reading/writing Arabic.

So why does the web browser accept it if I type the Arabic domain name
and then switch to the unreadable Puny-Code stuff?

Switching to the unreadable one is a security risk, because no one knows
what the domain is, but if the web browser leaves it Arabic, I can check
it all the time.

I think a web browser should not change the shown domain to something no
one understands...
------------------------------------------------------------------------

So, I see this as a security problem because the translated Puny-Code is
unreadable and no one can check what the URL bar says. This can lead to
a man-in-the-middle attack.

Firefox should show the domain as it is, in this case in ARABIC.

Note:  The same problem applies to other Puny-Code domains too.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator

-- 
##################### Debian GNU/Linux Consultant ######################
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France           itsyst...@tdnet UG (haftungsbeschränkt)
Gesch. Michelle Konzack          Gesch. Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz               Kinzigstraße 17
67100 Strasbourg/France         77694 Kehl/Germany
Tel: +33-6-61925193 mobil       Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

<http://www.itsystems.tamay-dogan.net/>  <http://www.flexray4linux.org/>
<http://www.debian.tamay-dogan.net/>         <http://www.can4linux.org/>

Jabber [email protected]
ICQ    #328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/


Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    Systemadministrator
    24V Electronic Engineer
    Tamay Dogan Network
    Debian GNU/Linux Consultant


-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
##################### Debian GNU/Linux Consultant #####################
Michelle Konzack   Apt. 917                  ICQ #328449886
+49/177/9351947    50, rue de Soultz         MSN LinuxMichi
+33/6/61925193     67100 Strasbourg/France   IRC #Debian (irc.icq.com)


--- End Message ---
--- Begin Message ---
Version: 3.5.14-1, 3.6.11-1

On Mon, May 10, 2010 at 08:35:22AM +0200, Mike Hommey wrote:
> On Mon, May 10, 2010 at 07:57:49AM +0200, Mike Hommey wrote:
> > On Mon, May 10, 2010 at 02:14:15AM +0200, Michelle Konzack wrote:
> > > Package: firefox
> > > Severity: minor
> > > 
> > > Hello Maintainer,
> > > 
> > > I have a customer who has an Arabic Puny-Code domain on my server
> > > which is now working, but Firefox shows a security problem.
> > 
> > (snip)
> > 
> > Go to about:config and add a boolean value network.IDN.whitelist.xn--wgbh1c
> > set to true. The problem is that IDN support works by whitelist, and as
> > such, it doesn't support the new Egyptian TLD yet.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=564213
> https://bugzilla.mozilla.org/show_bug.cgi?id=563309

These TLDs were added to latest releases in unstable and experimental.
There should be a stable-proposed-update rollup some day.

Mike


--- End Message ---
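
The whitelist behaviour described in the reply above, as an added Python sketch (not Firefox code and not part of the original thread): a host is shown in Unicode only when its TLD has a `network.IDN.whitelist.<tld>` pref set to true, otherwise the Punycode form is shown. The function names, the sample pref table and the sample host are constructed for illustration; Python's built-in `idna` codec (IDNA 2003) stands in for the browser's own conversion.

```python
# Added illustration; helper names are hypothetical, not Firefox APIs.
PREF_PREFIX = "network.IDN.whitelist."

# Constructed pref table: the first entry is the pref named in the thread,
# the second is a made-up TLD left disabled for contrast.
SAMPLE_PREFS = {
    "network.IDN.whitelist.xn--wgbh1c": True,
    "network.IDN.whitelist.example": False,
}


def whitelist_from_prefs(prefs):
    """Return the set of TLDs (ASCII form) whose whitelist pref is true."""
    return {
        name[len(PREF_PREFIX):].lower()
        for name, value in prefs.items()
        if name.startswith(PREF_PREFIX) and value is True
    }


def to_ace(host):
    """Convert a host name to its ASCII (Punycode) form, label by label."""
    return host.encode("idna").decode("ascii").lower()


def to_unicode(ace_host):
    """Convert an ASCII host name back to its Unicode form."""
    return ace_host.encode("ascii").decode("idna")


def display_host(host, whitelist):
    """Return what a whitelist-based URL bar would show for this host."""
    ace = to_ace(host)
    tld = ace.rstrip(".").rsplit(".", 1)[-1]
    # Only TLDs on the whitelist get the readable Unicode rendering;
    # everything else falls back to the raw xn-- form.
    return to_unicode(ace) if tld in whitelist else ace


if __name__ == "__main__":
    host = "مثال.مصر"  # constructed sample host under the TLD from the thread
    print("not whitelisted:", display_host(host, set()))
    print("whitelisted:    ", display_host(host, whitelist_from_prefs(SAMPLE_PREFS)))
```
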
