
Opera Fixes IDN Spoofing in Opera 8.0 Beta 2

Opera Watch writes "Opera has introduced a fix for the IDN spoofing security vulnerability in its latest beta version. The new version, Opera 8.0 beta 2, was released today on its FTP directory. No official announcement from Opera yet. Opera has created a white list for safe top-level domain names which include .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch, and .li. Sites not in the white list will show the encoded domain (with the IDN characters) in the URL field. The list is updated automatically when Opera checks for a new version."
  • by Arctic Dragon ( 647151 ) on Friday February 25, 2005 @02:35PM (#11780487)
    It's been 'unofficially' announced in the Opera Forums [opera.com]
  • We need an internationally agreed solution to this. ICANN are understandably upset at the slight that has occurred to a large part of the world. Mozilla's browser couldn't reliably turn IDN off, that was fixed, but now it's off by default. The more officially proposed solutions are mostly registrar based, I don't think that's OK. Opera now has a fix of its own. IE hadn't even got round to implementing IDN. The problem has been known about for ages, but only recently taken seriously. It certainly is se
  • It seems like you could pretty easily compile a mapping of foreign characters to the ASCII characters they could impersonate. Then, when a foreign url is entered, it could first be looked up with the ASCII replacements to see if a site exists. If it does, that site would be returned instead. If not, the internationalized URL would then be loaded. Results could be cached by the browser so that this check would only be needed the first time the site was loaded.

    This way http://www.mïçrõft.c
    • Because some people in the world know more languages than English (yes, I know it is hard to believe!) and they want their domain that they legitimately purchased to work properly, even if some characters in it happen to look similar to some other English letter.

      • No, I believe it...I speak 4 myself. But I still don't see any issue with checking ASCII domains first. Your internationalized domain would still work fine so long as you didn't register a domain that looks similar enough to confuse with an existing all-ASCII domain. If you did, that's tough.

        Trademarks exist for a reason...to prevent confusion for consumers. You are from Canada, so answer me this: would the Canadian government grant two trademarks that were otherwise identical except for one had a '
  • by molo ( 94384 ) on Friday February 25, 2005 @04:52PM (#11782187) Journal
    The problem with whitelisting TLDs is that this ignores problems with bogus third-level domains/hosts. The listed registrars prevent registering look-alike domains, but no one controls look-alike third-level domains.

    For example, ωωω.paypal.jp (using Greek omega). This can be combined with a DNS cache attack.

    -molo
    • by Anonymous Coward
      I don't understand your point. To do that, you need to be in control of paypal.jp already, in which case why bother with spoofing?

      If you're talking about making misleading third level domains under your own domain name, there's also no need to spoof anything. It's already possible to set up paypal.mydomain.com without having to resort to obscure character sets.
      • No, you can do a DNS cache poisoning attack. It is pretty hard to DNS cache poison an address like www.paypal.com because it is already in the cache of most DNS servers (because of the site's popularity). But, there is nothing stopping you from cache poisoning a hostname that no one has tried to connect to yet.

        Say for example I'm a phisher and am trying this attack. I send my phishing spam to all of the earthlink.net accounts I have, using the IDN url. At the same time, I start a DNS cache poisoning atta
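
The TLD whitelist display rule from the story summary, together with the third-level label gap raised in the comments, as an added example that is not part of the original page and is not Opera's code. The TLD list is the one quoted in the summary; the function names, the sample hostnames and the stricter fallback rule are assumptions made for illustration.

```python
# Added example. SAFE_TLDS is the list quoted in the story summary; all function
# names are hypothetical and the hostnames are constructed samples.
SAFE_TLDS = {"no", "jp", "de", "se", "kr", "tw", "cn", "at", "dk", "ch", "li"}


def to_ascii(host):
    """Punycode-encode every label using Python's built-in IDNA 2003 codec."""
    return host.rstrip(".").encode("idna").decode("ascii")


def display_form(host):
    """Address-bar text under the TLD whitelist policy from the summary."""
    ascii_host = to_ascii(host)
    tld = ascii_host.rsplit(".", 1)[-1].lower()
    # Whitelisted registry: show Unicode. Anything else: show the xn-- form.
    return host.rstrip(".") if tld in SAFE_TLDS else ascii_host


def unvetted_idn_labels(host, registered_labels=2):
    """Non-ASCII labels left of the registered domain.

    Assumption: the registry vets only the label registered directly under
    the TLD (the last two labels); real suffixes such as co.jp need a
    public-suffix list instead of a fixed count.
    """
    labels = host.rstrip(".").split(".")
    below = labels[:-registered_labels] if len(labels) > registered_labels else []
    return [label for label in below if not label.isascii()]


def display_form_strict(host):
    """Whitelist policy plus a fallback to the encoded form when a host label
    the registry never saw contains non-ASCII characters (an assumed
    mitigation, not Opera's documented behaviour)."""
    if unvetted_idn_labels(host):
        return to_ascii(host)
    return display_form(host)


if __name__ == "__main__":
    for sample in ("b\u00fccher.de", "b\u00fccher.example",
                   "\u03c9\u03c9\u03c9.paypal.jp"):
        print(sample, "->", display_form(sample), "|", display_form_strict(sample))
```

Under the plain whitelist rule the third sample is shown in Unicode because its TLD is trusted, while the stricter rule shows it in encoded form.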