RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
From: "Randal, Phil" <prandal@xxxxxxxxxxxxxxxxxxxx>
Date: Wed, 9 Feb 2005 13:04:53 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

I've verified that the flaw exists on Windows XP SP2 fully patched IE 6
with Verisign's plugin from http://www.idnnow.com/index.jsp.

Screenshot here:  http://www.rebee.clara.net/images/ie-idn.jpg

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -----Original Message-----
> From: Jerome ATHIAS [mailto:jerome.athias@xxxxxxx] 
> Sent: 08 February 2005 14:47
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: International Domain Name [IDN] support in 
> modern browsers allows attackers to spoof domain name URLs + 
> SSL certs.
> 
> In-Reply-To: <20050208043921.17342.qmail@xxxxxxxxxxxxxxxxxxxxx>
> 
> Verified under Windows XP SP2 with Firefox 1.0 (MOOX M3)
> 
> SpoofStick (http://www.corestreet.com/spoofstick/) is also 
> tricked (what about netcraft...?).
> 
> Regards,
> Jerome
>

Follow-Ups:
- Re: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
  - From: Marcin Sochacki

Prev by Date: [ GLSA 200502-10 ] pdftohtml: Vulnerabilities in included Xpdf
Next by Date: CFP for SyScAN'05
Previous by thread: [ GLSA 200502-10 ] pdftohtml: Vulnerabilities in included Xpdf
Next by thread: Re: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.
Index(es):
- Date
- Thread