Bugtraq mailing list archives
Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
From: Will Kamishlian <will () will-k com>
Date: Wed, 9 Feb 2005 10:31:30 -0500
I tested the following browsers against the proof of concept page (www.shmoo.com/idn): - dillo (0.8.3) - lynx (2.8.5) - konqueror (3.3) Testing was done on Linux 2.6.9 (generic) Dillo and lynx handle the links well (dillo returns a DNS error and lynx reports an invalid URL). Konqueror opens the non-SSL link and displays the URL as "http://www.paypal.com/";. For the SSL page, Konqueror provides a warning that the IP address does not match the issuer domain. If the user accepts the certificate, the page is presented showing the URL as "https//www.paypal.com". -Will Kamishlian
Current thread:
- International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Brandon Kovacs (Feb 07)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Simon Østengaard (Feb 09)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Will Kamishlian (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Peter J. Holzer (Feb 10)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Scott Gifford (Feb 11)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Neil W Rickert (Feb 12)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Scott Gifford (Feb 12)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 15)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. bkfsec (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Gwendolynn ferch Elydyr (Feb 16)
- Re: International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. Peter J. Holzer (Feb 10)