Opera Battles Spoofing in Latest Beta Release February 25, 2005
By Matt Hicks
Responding to the rise of a spoofing flaw in Web browsers, Opera Software ASA has released a second beta release of its next browser with extra security features.
The newest Opera beta, made available on Friday, prominently displays certificate information about Web sites and only supports Internationalized Domain Names (IDNs) from domains that meet Opera's antispoofing guidelines, the browser maker announced. ADVERTISEMENT
The latest update follows the release of the first beta in December. Opera had been on track to call the updated browser Opera 7.60 but later changed its plans. It is still determining a name for the new version, which includes such new features as voice-activated browsing and support for RSS and Atom feeds.
A flaw was discovered earlier this month in Web browsers that support IDNs. Attackers could exploit the non-English, localized versions of Web addresses for spoofing and phishing attacks.
The problem affects most non-Internet Explorer browsers, and earlier this week the Mozilla Foundation also issued an update to the Firefox browser to fix the IDN flaw and other security issues. Also with an eye on security, Microsoft Corp. earlier this month shifted course by pledging to update IE to Version 7.
Click here to read more about Mozilla's security efforts.
Opera is taking a two-pronged approach. First, the beta displays security information within the address bar, including showing the name of the organization that holds a site's digital certificate.
"One of the most important measures to counter phishing attacks is the use of security certificates," said Christen Krogh, Opera's vice president of engineering, in a statement. "The challenge for the browser vendors is to better explain the verification of certificates and to make the user more aware of this additional verification before entering into secure transactions."
By clicking on the bar, a user also can assess a certificate's validity further by viewing such information as its encryption classification and protocol, the certificate issuer and the certificate start and expiration dates, according to Opera.
In a second step, Opera has created a white list of top-level domains that meet its criteria for IDNs. Right now, the Opera browser beta supports 11 domains, specifically the country codes for Norway, Japan, Germany, Sweden, Korea, Taiwan, China, Austria, Denmark, Switzerland and Liechtenstein.
Opera plans to continually update the white list as domain registries meet its requirement of having implemented anti-homographic character policies or another way of limiting the available set of characters, an Opera spokesperson said.
Opera reaffirmed that is working to bring together an industry-wide group to prevent the use of IDNs for spoofing attacks.
"The IDN problem is not one that can be solved alone," Opera said in its announcement, "but rather together with other browser vendors, domain name registries, certificate authorities and other members of the Internet community."
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.
Copyright (c) 2005 Ziff Davis Media Inc. All Rights Reserved.
http://www.eweek.com/print_article2/0,2533,a=146664,00.asp
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/_______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security
