If You Use Firefox You Need To Read This

Someone has come up with a Firefox exploit — one that doesn't affect IE users!

You can find links to the details at Boing Boing: Shmoo Group exploit. Here, however, is the simple info on how to protect yourself (probably):

1) Go to your Firefox address bar. Enter about:config and press Enter. Firefox will load the (large!) config page.

2) Scroll down to the line beginning network.enableIDN — this is International Domain Name support, and it is causing the problem here. We want to turn this off — for now. Ideally we want to support international domain names, but not with this problem.

3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!) and click OK. You are done.

I say “probably” because even though this fix works for me, there are reports that it doesn't work for everyone. The test of the exploit is here.
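
To show why the address bar cannot be trusted while IDN display is on, here is an added example (not part of the original post) that reports whether a hostname is an IDN, whether any label mixes scripts, and the ASCII form that DNS actually resolves. The function names, the three-script list and the sample hostnames are assumptions made for illustration.

```javascript
// Added example (not from the original post): flag hostnames that may be
// IDN homographs. The script list and the sample names are assumptions.
const SCRIPTS = ["Latin", "Cyrillic", "Greek"].map(
  (name) => [name, new RegExp(`\\p{Script=${name}}`, "u")]
);

// Scripts used by the letters of one DNS label (digits and '-' match none).
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of SCRIPTS) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found];
}

// Report what a user cannot see in the address bar: whether the name is an
// IDN, whether any label mixes scripts, and the ASCII form DNS really uses.
function inspectHost(host) {
  const labels = host.toLowerCase().split(".").map((label) => {
    const scripts = scriptsIn(label);
    const idn = /[^\x00-\x7f]/.test(label) || label.startsWith("xn--");
    return { label, idn, scripts, mixed: scripts.length > 1 };
  });
  return {
    host,
    ascii: new URL(`http://${host}`).hostname, // Punycode (xn--) form
    idn: labels.some((l) => l.idn),
    mixedScript: labels.some((l) => l.mixed),
    labels,
  };
}

// Constructed samples: plain ASCII, a lookalike with Cyrillic U+0430 in
// place of Latin "a", and an all-Cyrillic name.
for (const h of ["www.paypal.com", "www.p\u0430ypal.com", "пример.рф"]) {
  const r = inspectHost(h);
  console.log(r.ascii, "idn:", r.idn, "mixedScript:", r.mixedScript);
}
```

A name written entirely in one non-Latin script is reported as an IDN but not as mixed-script, so the ASCII form is the value worth showing to the user in every case.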


12 Responses to If You Use Firefox You Need To Read This


  4. wcw says:

    Homograph attacks aren’t so much an attack as an exploitation of a useful feature. The proper response to homograph attacks is for the Paypals of the world to spend the extra few bucks to register reasonable homographs of their domain. This attack is along the lines of setting up misspelled phishing sites, to which problem Paypal’s response should be the very same: purchase “paypall.com” and make sure it forwards to their site.

    In my case, I am disappointed that the trick isn’t working for me. dig http://www.pаypal.com (with the lowercase Cyrillic а) resolves just fine to 198.41.1.35, but firefox claims it “does not resolve” and using 198.41.1.35 directly tries to send me to sitefinder. My reaction remains not, “whew, I’m safe” but “damn, something’s broken.”


  8. Alexander says:

    Apparently, the fix doesn’t stick when you close Firefox. Instead, you have to modify your user.js file. James Seng has some harsh words for Verisign regarding this exploit.
