edmullen dot net

IDN VULNERABILITY

Update! - March 9, 2005

An interim release of Firefox (1.0.1) fixes this vulnerability. You can download it at: Version 1.0.1 Download

The Mozilla Suite will be updated soon to 1.7.6 which will include the IDN patch as well as some other bug fixes. The link for Mozilla Suite release downloads is: Mozilla Release Downloads

NOTE - Once you have updated to the program version containing the IDN Vulnerability fix you should reverse the proxy fix described below.

Read on for the background on the IDN issue ...


Background

First of all, don't panic! This is a potential security vulnerability. Read the news article and the Mozillazine discussion links below before you get too worried. From what I've read this is not, so far, being exploited on any large scale, if at all, so it's probably safe to wait for an interim release of Mozilla and FF that fixes the problem.


My Preferred Fix

I gleaned this from [netscape.public.mozilla.browser] newsgroup on February 11, 2005. I've tested it in Mozilla 1.7.5, Firefox 1.0, and Opera 7.54u2 ... and it works. Best of all it does not require installation of any other software or extensions. Compared to all the other possibilities I've come across, it's the easiest to implement, it doesn't require installing any extensions or other software, and it's easily removed once the problem is fixed in new releases of the browsers.

The original material is credited to and can found at Scovetta Labs. Look for IDN Feature Workaround via proxy.pac [text] [tutorial]. The "text" link can be read in your browser just by clicking. The "tutorial" is a .pdf file which requires Adobe Acrobat Reader. The tutorial is quite good so I recommend downloading and using that.

The fix is really quite simple. You simply place a proxy file on your system and tell Mozilla or Firefox to use it. It will block any IDN spoofing. You can download this plain-text file here by right-clicking this IDNproxy.pac link and choosing "Save Link Target As" (Mozilla) or "Save Link As" (Firefox). Find a suitable location to save the file. I recommend some place that won't change such as C:\Windows\ or C:\Windows\System\.

The Scovetta Labs tutorial describes this in detail for Firefox and includes screen shots. But it's really quite simple.


Existing Proxy

On February 14, 2005 a question was raised on the newsgroup about using this approach if you have an existing proxy server. Michael Scovetta of Scovetta Labs replied and I've reproduced his response on this page if you need to do this.


Other Fixes

As of Mozilla 1.7.5 and Firefox 1.0, making a change to the IDN preference ("network.enableIDN") doesn't really work. See this Mozillazine thread for more information.

The Mozillazine discussion mentions a "permanent" fix involving editing a Mozilla system file called compreg.dat. However, this fix is only somewhat more permanent than setting the IDN preference. After editing the file the fix will persist between browser sessions. But, if you install any extensions or themes then the file will be regenerated, wiping out your edit. If you feel really concerned you can use the edit trick mentioned in the Mozillazine thread. However, if you are at all uncomfortable about editing mozilla/FF system files then DON'T!

Here is another possibility of yet a different fix. This involves installing an extension that, apparently, is only available for Firefox, but not for the Mozilla Suite.


This page last changed: September 8, 2014 - 01:01 PM USA Eastern Time

Copyright Ed Mullen | Contact Ed

click for home page