Neil Turner's Blog

Blogging about technology and randomness since 2002

Flawed browsing

So you may know by now that there’s a pretty nasty phishing flaw that’s affecting a wide range of web browsers – all recent versions of Netscape, Mozilla, Firefox, Camino, Opera, Safari, OmniWeb and Konqueror. In fact, just about every recent web browser with the exception of Internet Explorer. Ed Bott has a good explanation of the flaw so I’ll leave the details to him.
In any case, Mozilla are acting upon this and according to Bugzilla a fix was checked in last night for the Firefox 1.0.1 bug fix release and for what looks like a Mozilla 1.7.6 maintenance release as well. Hopefully those will be out soon.
What annoys me slightly is that this was a ‘full disclosure’ flaw – it doesn’t seem as if the browser makers were notified of this flaw privately beforehand and given a few weeks to fix it before details were made public. Because the flaw doesn’t affect IE I think it’s unlikely that any phisher would exploit this right now, but had the flaw been disclosed more responsibly then the likes of Mozilla and Opera may have fixed this already and released patches.
It appears that Mozilla were notified about this flaw 2 weeks ago. See Bug 279099.


  1. was notified on 2005-01-20, two weeks ago.

  2. Other corrections, then 🙂
    The fix you reference is not (as far as I can see) a mitigation for this issue.
    This is also not really a Firefox issue; Firefox is behaving exactly as designed. The real responsibility lies with the registrars. For several years there has been guidance regarding the issuing of IDNs, specifically to avoid this issue, but the registrars have not implemented it.

  3. Yeah, the checkin was just to make the workaround, completely disable IDN support, actually stick: 1.0 wasn’t properly observing prefs, so disabling it would only last until your next browser restart.
    But for the broader issue, Gerv’s right: we could be a little less phishable by using a different font (see the screenshot from Konq in the bug), but it’s basically up to the registrars to not accept phishing domains, which given their history means IDN was built with an unescapable fatal flaw.

  4. What I find rather interesting is what I did to see the flaw. I copied the “address” from the browser and pasted it into EditPad Pro. Sure enough the first ‘a’ wasn’t really an ‘a’. Then I pasted the same clipboard into Notepad. Gee, the address looks just fine there.
    So, is this a case of “being behind the times” being a good thing for a change? I am assuming that Firefox and the rest support this International thing where IE doesn’t? Fun…