This seems like an opportune time to again refer everyone to my paper on
the petname toolbar.
Using the petname toolbar, users can identify web sites using their
local charset and language, and as a nice bonus, become invulnerable to
phishing attacks.
The paper is at:
http://www.waterken.com/de
Duane wrote:
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
Indeed. Unless we do something about this quick, IDN is screwed, because
more and more people will switch it off, and no-one will bothe
Ian G wrote:
The first thing that strikes is that the IDN/Shmoo thing
is not a bug but is a feature. It's doing what it was
intended to do. Indeed, one of the browser manufacturers
said that in the Shmoo advisory (but just saying that is
not a sufficient response!).
Actually it just occurred to m
Ian G wrote:
Then, when the spoof BunkOfAmerika turns up, the HTML
might look the same, but the browser should treat this
as an untrusted site - no logos because the cert seen
(if any) doesn't have any logos selected.
You're making assumptions here that I don't think will carry over to the
real wo
The first thing that strikes is that the IDN/Shmoo thing
is not a bug but is a feature. It's doing what it was
intended to do. Indeed, one of the browser manufacturers
said that in the Shmoo advisory (but just saying that is
not a sufficient response!).
We've always been able to copy domain names
Ian G wrote:
| Is this a valid cert? Who is USERTRUST? I never heard
| of these guys, and Firefox has definitely offended me
| by claiming
|
| "The website www.paypal.com supports
| authentication for the page you are viewing. The
| identity
Ian G wrote:
Questions: What is the security alert process?
Had Shmoo advised MF of this bug and their
intention to publish? Presumably there is some
previously-secret bug number in bugzilla that
can now be made public?
Judging by emails of only a few days ago, at least 2 people referenced
the p
Over on the blog BoingBoing there is a workaround
for Firefox:
http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html
I tested it and it works for my setup (FreeBSD; Firefox 1.0)
(but apparently it doesn't work on Linux?)
Questions: What is the security alert process?
Had Shmoo advised MF
Ian G wrote:
On my Konqueror (3.3.2/FreeBSD), there is no bolding,
however the 'a' is slightly smaller and looks like a
different font. That's only on close eyeball examination
though, you'd only pick it up if looking hard. Also, the
'a' didn't survive a cut&paste, and I ended up with
pypal.com v
Henrik Gemal wrote:
Duane wrote:
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
damn that's an ugly one
I'm getting reports from the CAcert mailing list how you can't disable
IDN in firefox 1.0 e
Duane wrote:
I've been told konq visually makes the characters stand out (bolds
them I was told)...
On my Konqueror (3.3.2/FreeBSD), there is no bolding,
however the 'a' is slightly smaller and looks like a
different font. That's only on close eyeball examination
though, you'd only pick it up if
Henrik Gemal wrote:
damn that's an ugly one
Conversing with my friend early (who seemed quite knowledgeable on
punycode domains) said he had the same argument with opensrs 2 years ago
about this same issue, and that even on a smaller scale who will know if
you register a domain similar to a comp
Henrik Gemal wrote:
Duane wrote:
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
From the advisory:
http://www.shmoo.com/idn/homograph.txt
V. Workaround
You can disable IDN support in mozilla p
Duane wrote:
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
From the advisory:
http://www.shmoo.com/idn/homograph.txt
V. Workaround
You can disable IDN support in mozilla products by setting
'net
Duane wrote:
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
damn that's an ugly one
--
Henrik Gemal
Mozilla Evangelist
Mozilla Blog with news, devinfo, links, etc:
http://gemal.dk
I assume you guys know about international languages bug in URLs, but
didn't see anything else on it...
http://www.shmoo.com/idn/
Even affects SSL!
--
Best regards,
Duane
http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneyw
16 matches