Date: Tue, 15 Feb 2005 18:02:43 -0500
From: madodel at ptdprolog.net
Subject: [VOICENWS] SW: Mozilla Foundation Response to Vulnerability

From: "Sander Nyman"

Mozilla Foundation Response to IDN Homograph Spoofing Attack

Last week, we reported that Mozilla is vulnerable to a homograph spoofing attack using international domain names (IDNs). Today, Gervase Markham, acting on behalf of staff at mozilla.org and drivers at mozilla.org, announced the Mozilla Foundation's short-term response. In the forthcoming Mozilla Firefox 1.0.1 and Mozilla 1.8 Beta releases, IDN support will be disabled (bug 282270). For those users that need it, an XPI will be released to turn IDN support back on (bug 282269).

This is obviously an unsatisfactory solution in the long term and it is hoped that a better fix can be developed in time for Firefox 1.1. For now, the Mozilla Foundation (and other browser vendors such as Opera Software) maintain that the problem is mostly the fault of domain name registries and registrars that let people register homographic variants of existing domain names (the ICANN guidelines specifically warn against this). More discussion of the problem and possible solutions can be found in bug 279099 (please do not add unnecessary comments to any of the bugs linked to this article).

Update: Gerv has posted a followup clarifying the change and the likely long-term solutions. He also confirms that there will be a Mozilla 1.7.6 release with IDN disabled. Netcraft also has a nice report outlining the problem and the temporary solution (note that despite what Netcraft says, this article is not an official Mozilla Foundation advisory).

-- 
-----------------------------------------------------------
"Sander Nyman"
-----------------------------------------------------------
"Aim low boys! They're a-ridin' Shetlands!"
--
Warpstock 2005 - Where/When? Stay tuned to http://www.warpstock.org
Warpstock Europe 2005 - Where/When? Stay tuned to http://www.warpstock.net

[Moderator's note: All posts are sent without guarantee to the accuracy of the content. We try to verify details and URLs but this is an entirely volunteer run list, so 100% fact checking and the quality/usability of products announced here is impossible. If you respond to this post please remove the DESPAM from the poster's email addresses. Please do not send requests for information about a specific post to the moderator unless it is an update or I sent it.]

--
To unsubscribe yourself from this list, send the following message to majormajor at os2voice.org
unsubscribe news
end
Or, visit http://www.os2voice.org/MailingLists.html

If you have an announcement you would like posted to the VOICE News list, please send it to submit at os2voice.org. Please include a valid reply address and a real contact name.

If you wish to comment on this post, please reply to feedback at os2voice.org
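The post describes the short-term mitigation (disabling IDN display) and attributes the root problem to registries accepting homographic variants of existing names. The following is an added example, not code from the post, from Mozilla, or from any browser vendor, showing the kind of check a defender (a registry, a mail gateway, or a proxy) can run on a hostname: decode any ACE ("xn--") labels, flag labels that mix scripts, and compare a confusable-folded "skeleton" of the name against a list of names the operator wants to protect. The sample hostnames and the protected-name list are constructed for the demonstration, and the confusable table is a small illustrative subset, not the full Unicode confusables data.

```python
import unicodedata

# Illustrative, deliberately incomplete map of Cyrillic letters that render
# like Latin letters in common fonts. A real deployment would load the Unicode
# confusables data (UTS #39); this table is a constructed sample.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def to_unicode_label(label):
    """Return the Unicode form of a label, decoding ACE ("xn--") labels.

    Malformed ACE labels are returned unchanged so the audit still completes.
    """
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def to_ace_label(label):
    """Return the ASCII-compatible (punycode) form of a Unicode label."""
    return label.encode("idna").decode("ascii")


def script_of(ch):
    """Classify a character by the first word of its Unicode character name.

    Digits and the hyphen are treated as COMMON so they do not count as a
    second script; letters yield e.g. LATIN, CYRILLIC or GREEK.
    """
    name = unicodedata.name(ch, "")
    first = name.split(" ", 1)[0] if name else "UNKNOWN"
    if first in ("DIGIT", "HYPHEN-MINUS"):
        return "COMMON"
    return first


def label_scripts(label):
    """Set of scripts used by the letters of a label, ignoring COMMON."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def skeleton(label):
    """Fold confusable characters to their Latin look-alikes for comparison."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label.lower())


def audit_host(host):
    """Per-label findings for a hostname given in Unicode or ACE form."""
    findings = []
    for raw in host.rstrip(".").split("."):
        uni = to_unicode_label(raw)
        scripts = label_scripts(uni)
        findings.append({
            "label": raw,
            "unicode": uni,
            "ace": to_ace_label(uni),
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
            "skeleton": skeleton(uni),
        })
    return findings


def is_suspicious(host, protected_hosts=()):
    """True if any label mixes scripts, or if the confusable-folded name
    matches a protected host while the actual name differs from it."""
    findings = audit_host(host)
    if any(f["mixed_script"] for f in findings):
        return True
    actual = ".".join(f["unicode"] for f in findings).lower()
    folded = ".".join(f["skeleton"] for f in findings)
    for protected in protected_hosts:
        if folded == protected.lower() and actual != protected.lower():
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: one plain name, one mixed-script look-alike,
    # and one all-Cyrillic label that mixed-script detection alone misses.
    protected = ["example.com", "pace.com"]
    for host in ["example.com", "ex\u0430mple.com", "\u0440\u0430\u0441\u0435.com"]:
        for f in audit_host(host):
            print(f["label"], "->", f["ace"], sorted(f["scripts"]),
                  "mixed" if f["mixed_script"] else "single-script")
        print("  suspicious:", is_suspicious(host, protected))
```

The mixed-script test catches the case the post is about (a Latin name with one substituted look-alike letter), but a label written entirely in one non-Latin script passes it, which is why the skeleton comparison against an operator-maintained protected list is included as a second check. Neither check is a substitute for the registry-side policy the post points to; they are a way for a relying party to notice names that slipped through it.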