Boris Zbarsky wrote:
> Jean-Marc Desperrier wrote:
>> Which blacklist? There's a blacklist inside the browser?
> Yes. See
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/modules/libpref/src/init/all.js&rev=3.762&mark=704-708#704
I'm left with the feeling this really should have been more widely
documented.
The existence of that protection was really hard to guess from the
tld-idn-policy-list.html page:
- this did not stop Moxie Marlinspike from finding U+2571 was not
protected and using it in an attack demonstration
- this did stop anyone from reviewing the list and telling you U+2571
was missing.
Once again, security through obscurity failed. I don't know if it was
really intended to be security through obscurity (it was public in
bugzilla/the source code), but the end result looked very similar.
But this means that there's a workaround for this attack that's usable
right now. I'll publish it separately.
[...]
>> And then you begin to think that maybe just having "." would work very
>> often, that most users have the most cursory look at the url bar, so
>> that making security depend on the url bar is just bad.
> I happen to think so, yes.
Good. But can a small committee find good solutions, or build consensus
about them?