Bugtraq mailing list archives

RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs.

From: "Randal, Phil" <prandal () herefordshire gov uk>
Date: Wed, 9 Feb 2005 13:04:53 -0000

I've verified that the flaw exists on Windows XP SP2 fully patched IE 6
with Verisign's plugin from http://www.idnnow.com/index.jsp.

Screenshot here:  http://www.rebee.clara.net/images/ie-idn.jpg

Cheers,

Phil
----
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK

-----Original Message-----
From: Jerome ATHIAS [mailto:jerome.athias () free fr] 
Sent: 08 February 2005 14:47
To: bugtraq () securityfocus com
Subject: Re: International Domain Name [IDN] support in 
modern browsers allows attackers to spoof domain name URLs + 
SSL certs.

In-Reply-To: <20050208043921.17342.qmail () www securityfocus com>

Verified under Windows XP SP2 with Firefox 1.0 (MOOX M3)

SpoofStick (http://www.corestreet.com/spoofstick/) is also 
tricked (what about netcraft...?).

Regards,
Jerome

Current thread:

RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs. Randal, Phil (Feb 09)
- Re: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs. Marcin Sochacki (Feb 10)
- <Possible follow-ups>
- RE: International Domain Name [IDN] support in modern browsers al lows attackers to spoof domain name URLs + SSL certs. Michael Wojcik (Feb 14)