Topic awaiting preservation: Scary domain exploit (Page 1 of 1)

Check out this article Shmoo Group exploit: 0wn any domain, no defense exists.

Due to the way that browsers (except IE) handle International Domain Names, people can spoof domains and SSL certificates.

The article also goes over how to disable this exploit in Firefox.

Actually, the best fix can be found here.

1. Install the Adblock Firefox extension.
https://update.mozilla.org/extensions/moreinfo.php?application=firefox&version=1.0&os=Windows&id=10

2. Look at the Adblock 'Preferences' and go to 'Adblock Options'

3. Tick 'Site Blocking'

4. Add the following filter :-
/[^\x20-\xFF]/

This will block any URL that uses characters outside the normal ASCII range.

Jestah:

your filter there... does it include the forward slash ...front and back? I know nothing about this stuff and just got a 'warning' that I was about to install a 'regular expression' and that if I didn't know what I was doing.... get da hell outta here boy.
thx =)

Works like a charm, Jester! Thanks for the info.

NoJive,
His filter excludes all characters in the range 'space' to xFF. The caret (^) at the start of the expression says anything not in the range x20 to xFF. Yes slant sign and back slant and all the numbers and alphabetic characters and other normal puctuation fall in the x20-xFF, but since he said every thing but that range, it should work fine.

Jestah,
Why did you make the end of the range xFF. I think I would make the expression [^\x20-\x76]. That would cover all the printable ASCII characters. Is there a reason for including the others?





-- not necessarily stoned... just beautiful.


(Edited by hyperbole on 02-10-2005 21:22)

hyperbole, check the link that Jester gave. He didn't make the fix, he just posted it here.

Wow, that was really terrible. I am not going to trust the address bar anymore. I will look at the code!

Anyway, adblock seems to avoid the problem. That's good. Thanks all for the links.

WebShaman,
OK, I had looked at that site when reading this thread, but I spent long enough looking at other issues on this problem that I forgot that Jestah had probably just copied the procedure to his post.

I made a mistake in my post. The range should be \x20-\x7E not \x20-\x76.

It still seems to me that restricting the acceptable characters to the printable ASCII characters is the safest thing to do. Does anyone have any input on this?

This filter still won't stop the method used by BoingBoing on this page. The filter allows you to go to the fake paypal page with no complaints. The only way I have seen to catch the method used by BoingBoing is to visually check the source of the page before clicking the link.



.

-- not necessarily stoned... just beautiful.

Uhmmm, I applied the filter and it DOES stop Firefox from having the bug.

Oh no, I didn't create the filter. I hope I didn't give you that impression. I found the fix on the mozillazine website and it worked like a charm for me. I don't even have Firefox installed on this computer (Safari user) but I put it on a few friends computer and there haven't been any problems.

(Edited by Jestah on 02-12-2005 04:29)

Hyperbole, the fix stops those methods on BoingBoing as well (at least, it does in my FF). I click on the spoof links, and nothing happens.

WebShaman | Asylum D & D | D & D Min Page

At first it didn't work for me because I had forgotten to check site block under preferences. (Did it twice when setting this up on 2 computers),

FireFox 1.0.1 fixes the IDN problem which, btw, comes from VeriSign's i-Nav Plug-In and not from the browsers vendors who implemented the IDN specs. You can download FireFox 1.0.1 here.