9-13-2005

Our former ISER director, Bill McDiarmid, alerted me to a flaw in my favorite browser. After looking into it, here is what I have discovered.

A security issue was discovered on Sept 6, 2005 in the latest and most secure version of Firefox. This flaw allows pages to be spoofed. In other words, your address bar might read https://BankaAmerica.com while you are actually at http://TakeYourMoneyAndRun.com, handing over your credit card numbers and other identity information. This flaw affects the Macintosh as well as the Windows versions. It also affects the popular Macintosh Safari browser.

The spoof is the result of Unicode, a broad character set used in IDN (International Domain Names). IDN lets URLs include multilingual Unicode characters, and those characters can be used to stage homographic attacks. Homographic attacks use Unicode characters in combinations that display a URL in the browser that is not the site the user is really at. This enables Internet phishing -- scams that trick people into sharing private information with scam artists. It is particularly alarming that this works on SSL-enabled URLs (https) used for banking and e-commerce.
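As an added example (not part of the original post), here is a short Python 3 script, standard library only, that shows what the browser hides: the ASCII "xn--" (punycode) form of a hostname that the resolver actually looks up, plus a check that flags any label mixing scripts such as Cyrillic and Latin. The hostnames are constructed samples.

```python
import unicodedata


def _script(ch: str) -> str:
    """Coarse script name ('LATIN', 'CYRILLIC', 'GREEK', ...) for one character."""
    if ch.isascii():
        # Digits and '-' belong to no script; ASCII letters are Latin.
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0]  # e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one DNS label (COMMON ignored)."""
    return {_script(ch) for ch in label} - {"COMMON"}


def to_ascii(host: str) -> str:
    """The ASCII form (punycode labels prefixed 'xn--') that DNS resolves."""
    return host.encode("idna").decode("ascii")


def audit_hostname(host: str) -> dict:
    """Flag labels that mix scripts, which is how a look-alike is usually built.

    Caveat: a label written entirely in one non-Latin script (a whole-script
    confusable) is not caught here; that needs a confusables table.
    """
    host = host.rstrip(".")
    labels = host.split(".")
    suspicious = [lab for lab in labels if len(label_scripts(lab)) > 1]
    return {
        "display": host,
        "ascii": to_ascii(host),
        "mixed_script_labels": suspicious,
        "spoof_risk": bool(suspicious),
    }


# Constructed samples: the second hostname uses CYRILLIC SMALL LETTER A (U+0430)
# in place of the Latin 'a'; with IDN display enabled, both render identically.
SAMPLES = ["paypal.com", "p\u0430ypal.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(audit_hostname(h))
```

Setting network.enableIDN to false, as the post describes, makes Firefox show the "ascii" form instead of the "display" form, which is exactly what this script exposes.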

Here are three methods for coping:

Method 1 - Manually patch Firefox or Mozilla:
1. If you are not using the latest version, upgrade - see Method 2, step 1.
2. Type about:config into the address field and hit Enter.
3. In the Filter toolbar, type network.enableIDN.
4. Right click on the network.enableIDN item and select Toggle to change the value to false.

If the above doesn't make sense, check out my page on Firefox Speedup Tricks.

To verify the fix in your Firefox or Mozilla application, be sure to restart the browser and then follow these steps.
1) Type about:config into the address field and hit Enter.
2) In the Filter toolbar, type network.enableIDN.
3) Ensure that the value for this item is set to false.

Method 2 -
1) Upgrade to the latest Firefox version - 1.06 at http://www.mozilla.org/ - don't forget to right click the download and check for viruses.

2) Patch that brand new version using the instructions at https://addons.mozilla.org/messages/307259.html

a) If this doesn't work, you can try clicking the pull-down Tools/Options, then click Web Features and click the check box that allows websites to install software. Turn this feature off when you are done installing the patch. I turn it off on all the Firefox installs that I perform.

3) Check http://www.mozilla.org/security/ periodically for patches, or read my e-mails for the latest info.

(source of above quote: http://news.netcraft.com/archives/2005/02/15/firefox_to_disable_idn_support_as_phishing_defense.html)