Homograph attacks - Firefox users take note!

Status
Not open for further replies.

Priz

Member
I was just sent this:
Subject: browser security: homograph attack

sample:

http://www.shmoo.com/idn/

The urls look like www.paypal.com, but view the source and
there's an alternate character being used for the letter "a".

In the far future, we'll have unicode domain names.
Until then, disable it in FireFox/Mozilla:

about:config
networking.enableIDN=FALSE
From the IDN advisory on the page, it looks like the attendees of Shmoocon '05 were made aware of this.

Just passing it along.
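A defender-side check for the substitution described above, added here as an example (it is not from the original post or from the shmoo.com page). The sample hostnames are constructed, with Cyrillic small a (U+0430) standing in for the Latin letter; `allow_idn=False` mirrors the network.enableIDN=FALSE workaround, while `allow_idn=True` applies the narrower mixed-script rule that browsers later adopted:

```python
"""Flag hostnames whose labels look like homograph spoofs."""
import unicodedata

# Character-name prefixes that belong to no particular script (digits, hyphen).
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def script_of(ch: str) -> str:
    """Approximate a character's Unicode script from its character name
    ("LATIN SMALL LETTER A" -> "LATIN", "CYRILLIC SMALL LETTER A" -> "CYRILLIC")."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return "COMMON" if first in NEUTRAL else first


def label_scripts(label: str) -> set:
    """Set of scripts used in one DNS label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"COMMON"}


def analyze_host(host: str, allow_idn: bool = True) -> dict:
    """Return the punycode (ASCII) form of `host` and the labels judged suspicious.

    allow_idn=False: reject every label containing a non-ASCII character, which is
    what disabling IDN in the browser amounts to (legitimate IDNs are rejected too).
    allow_idn=True: flag only labels that mix characters from more than one script,
    so a pure-Cyrillic label passes but "p<Cyrillic a>ypal" does not.
    """
    ascii_host = host.encode("idna").decode("ascii")  # stdlib IDNA/punycode
    suspicious = []
    for label in host.split("."):
        if label.isascii():
            continue
        scripts = label_scripts(label)
        if not allow_idn or len(scripts) > 1:
            suspicious.append((label, sorted(scripts)))
    return {"ascii_host": ascii_host, "suspicious": suspicious}


if __name__ == "__main__":
    # Constructed samples: genuine, Latin/Cyrillic mix, and an all-Cyrillic label.
    for h in ("www.paypal.com", "www.p\u0430ypal.com", "www.\u043f\u0440\u0438\u043c\u0435\u0440.com"):
        for policy in (True, False):
            r = analyze_host(h, allow_idn=policy)
            verdict = "SUSPICIOUS" if r["suspicious"] else "ok"
            print(f"{h!r:36} -> {r['ascii_host']:32} allow_idn={policy!s:5} {verdict}")
```

The punycode form is what the status bar shows once IDN display is off, which is why the real destination becomes visible after the config change.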
 
iapetus said:
It saps your ability to follow links and read simple articles.

OH MY GOD! YOU MIGHT BE INFECTED!


Pfft, that article is not simple. I need MSN-style reporting to simplify things today.

So, basically, homographs + Firefox = bad. Now, I guess I'm screwed. I'm turning in my computer... right after I download this midget porn.
 
I disabled IDNs in about:config in latest Firefox, closed and restarted the browser, and that spoof still works...
 
Marconelly said:
I disabled IDNs in about:config in latest Firefox, closed and restarted the browser, and that spoof still works...

Give it another go, the spoof no longer works on my system.
 
Thanks for the heads up...also, your Guu (of Hale Nochi Guu (sp?) I'm guessing) avatar is cool, it made me lol.
 
Spoofed URL still loads after the config edit in 1.0, although the real URL is visible in the status bar.

Edit: The SpoofStick extension does not work. :(
 
I find it really funny watching a couple of MS drones in mags and conferences trying to prove how dangerous Firefox is, while IE probably has a couple of billion security holes more than Firefox.
 
Are you guys changing network.enableIDN or networking.enableIDN?

I changed network.enableIDN to FALSE and when I click on the "paypal" link it tells me that it can't be found. Before doing this, the link worked.
 
aoi tsuki said:
Spoofed URL still loads after the config edit in 1.0, although the real URL is visible in the status bar.

Edit: The SpoofStick extension does not work. :(

Maybe I'm just special.

The thing you have to change is network.enableIDN. "Networking" doesn't show up in my list.
 
Marconelly said:
That's what I've changed. Spoof still works. The one naz posted also works.

Maybe I have to restart the computer?
Try it, but it should take effect immediately. Slashdot posters have done the same, as well as clearing the cache. It's unsettling to think that an option like this isn't working correctly.
 
I'm using FireFox 1.0 and the workaround *works* for me.

Are you sure you're clicking on the PayPal links on the example page and not the one in the article? (I made the same mistake at first).
 
TheOMan said:
I'm using FireFox 1.0 and the workaround *works* for me.

Are you sure you're clicking on the PayPal links on the example page and not the one in the article? (I made the same mistake at first).
Funny, I toggled the setting (without leaving the config page) and it works now. I don't know what was happening when I originally posted. I tried everything, short of restarting XP.
 
So this is mainly an issue if you click a link at some "unfriendly" web page?

A rule I use in web browsing is: Going anywhere secure, either type it in yourself or use a bookmark on your browser you know is safe.

Knowing a lot of the scams out there, I don't think there's any way I could convince myself to click a link for somewhere like paypal and then actually enter my login info.
 
Good thing there are easy fixes like this. Some of the phishing spammers are getting so good at spoofing the e-mails. My sister gave up her paypal & ebay info to one (she's running lots of hockey card auctions these days and was worried they were going to really shut down her account) and only after sending it, she called to ask me why they asked for both bits of info.

I showed her how to look at the address. With this, she'd still think it was legit and give away her info AGAIN.
 