nighttalker
Views: 11438  Replies: 11

Mozilla.org's official response to IDN spoofing, and the new fix plan

Original post, posted 2005-02-10 02:21
http://secunia.com/advisories/14209/
Secunia has reported yet another new vulnerability, and the news media will no doubt republish it. Here is an introduction for everyone. (Mozilla.org's official response is attached at the end of this post, updated 02-14, Happy V-day; update: mozilla.org has published a new fix plan, attached at the end, 2005-02-18.)
The original text follows:
VeriSign i-Nav Plug-In IDN Spoofing Security Issue
Secunia Advisory: SA14209
Release Date: 2005-02-09
Critical: Moderately critical
Impact: Spoofing
Where: From remote
Solution Status: Unpatched
Software: VeriSign i-Nav Plug-In
Description:
Eric Johanson has reported a security issue in i-Nav Plug-In, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

The problem is caused due to an unintended result of the IDN (International Domain Name) implementation, which allows using international characters in domain names.

This can be exploited by registering domain names with certain international characters that resemble other commonly used characters, thereby causing the user to believe they are on a trusted site.

Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
http://secunia.com/multiple_browsers_idn_spoofing_test/

The issue has been confirmed in the last build of i-Nav Plug-In (downloaded 2005-02-09).

Solution:
Don't follow links from untrusted sources.

Manually type the URL in the address bar.

Provided and/or discovered by:
Originally described by:
Evgeniy Gabrilovich and Alex Gontmakher

Reported by:
Eric Johanson

Original Advisory:
http://www.shmoo.com/idn/homograph.txt

Other References:
The Homograph Attack:
http://www.cs.technion.ac.il/~gabr/pape ... graph.html
ICANN paper on IDN Permissible Code Point Problems:
http://www.icann.org/committees/idn/idn ... -paper.htm
Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.

The test page is as follows (the test URL is http://secunia.com/multiple_browsers_idn_spoofing_test/):
Multiple Browsers IDN Spoofing Test

Introduction

Eric Johanson has reported a security issue in multiple browsers, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.

Please see the test below for an example of how this vulnerability can be exploited.

Test Case / Demonstration

Click the link below in order to test whether or not your system is vulnerable. The test will open a new window, where the address bar writes "http://www.paypal.com/", but the page is actually displaying content from Secunia.

Test Your System
Test Now - Left Click On This Link

Result
You are vulnerable, if a new window is opened displaying a Secunia page, but the address bar is displaying "http://www.paypal.com/".

Credits
Originally described by:
Evgeniy Gabrilovich and Alex Gontmakher

Reported by:
Eric Johanson

What should you do?

Please view the appropriate Secunia advisory for information about how you can fix or mitigate the impact of this vulnerability. The Secunia advisory will be updated when the vendor issues patches.

View the Secunia advisory regarding your browser:
- [SA14166] OmniWeb
- [SA14154] Opera
- [SA14163] Mozilla / Firefox / Camino
- [SA14162] Konqueror
- [SA14165] Netscape
- [SA14164] Safari

This means the address bar will display a fake address.

Update: After a closer look, Sina and other sites have explained that the spoofing mechanism is confusing the display of certain letters. In any case, when entering a password (usually on money-related sites), be sure to check the page's encryption status and its true origin. The simple approach is "always type the address yourself when logging in to financial sites, and never use links"; this is effective for any browser.
Update 2: Because IE does not support internationalized web addresses, it only returns a blank page. The Mozilla developers believe this problem should be handled by the international domain name registration body, which should forbid the registration of deliberately deceptive domain names.

Update 3, important: the following method temporarily disables international-character domain names until a new solution to the problem is available.
Edit compreg.dat.
The file is located at:
For Windows
c:\Documents and Settings\$USER\Application Data\Mozilla\Firefox\Profiles\default.random\compreg.dat

For UNIX
~/.mozilla/firefox/default.random/compreg.dat

Delete the lines that point to IDN: one on Linux, two on Windows.

A sample line looks like this:
{4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so

This method is taken from http://www.dslreports.com/forum/remark, ... 9~start=20

Mozilla.org's official response is as follows:
After much discussion, staff@mozilla.org and drivers@mozilla.org have agreed a short-term strategy for dealing with the recently-publicised issues relating to IDN and domain spoofing.

First off, we want to make it clear: we support Opera's position that this is a registrar/registry problem. These issues were known when IDN was proposed, guidelines were developed for avoiding the problem by restricting registrations, and the DNS registration organisations need to step up and implement them. (Certificate Authorities should also, as a simple matter of acting responsibly, not issue certs for domains which are part of a homographic block registered to two or more entities.)

However, we also have a duty to protect our users. So, in the mean time, the enableIDN preference will be set to "false" in Firefox 1.0.1 and Mozilla 1.8 beta, including all official localisations. An XPI will be made available to turn it on again; this XPI will make the risks of doing so clear. This means that by default, links to IDN domains which use the Unicode rather than the punycode form for the href will fail, and the browser will display any IDN domain visited in its raw form.

In the future (Firefox 1.1 and beyond) we hope to be able to turn IDN back on again. We may be able to find a way to turn it on selectively for those TLDs which have a demonstrable record of good practice - but we can't promise to do that. It partly depends on how much resource maintaining a white or black list would take. (To help with that decision, please tell me of any instances where the registration of two homographic domains to different entities has happened in TLDs other than .com.)

So if people want to see full, unrestricted IDN back in Mozilla and Firefox, the best way is to put pressure on the world's registrars and registries to fulfil their obligations to their customers - both domain owners and Internet users - and commit to implementing the ICANN guidelines.

Rough translation:

After discussion, staff@mozilla.org and drivers@mozilla.org have agreed on a temporary response to fix the recently disclosed IDN spoofing.

First, we want to make clear that we fully support Opera's statement: this problem belongs to domain name registration. These issues were already known when international domain names (IDN) were released, and policies were submitted long ago to block the registration of malicious addresses through careful review. The DNS registration committee should step up and implement these policies (and so should certificate issuers).

However, we also have a duty to protect our users' security. Therefore, we will release Firefox 1.0.1 and Mozilla 1.8b (and all localized versions) in which the enableIDN preference defaults to "false". An XPI will be provided to turn this setting on. This means that by default, internationalized domain names will be inaccessible.

In future versions (Firefox 1.1 and beyond) we hope to return to normal; we may consider some other methods, but cannot guarantee it, mainly depending on whether a whitelist policy is too troublesome. (To help, please tell us which domain names have problems.)

So if everyone wants fully working IDN to return to Mozilla and Firefox, please put pressure on the domain registrars, tell them to fulfil their responsibilities to users, and tell them to follow the ICANN terms.


Update 2005-02-18:
mozilla.org has announced that they have found a new fix. In the earlier official statement, mozilla.org announced that IDN support would be disabled by default in FX 1.0.1 and Mozilla 1.8b (users could turn it on themselves). But in the latest statement, Mozilla.org announces that they will not disable IDN support; for the vulnerability that lures users to fake addresses by exploiting look-alike letters from different languages, the new versions of fx and mozilla fix it by using Punycode (http://en.wikipedia.org/wiki/Punycode) to display the address. For example, "bücher.ch" will be displayed as "xn--bcher-kva.ch", which avoids confusion between similar letters.
Note that this is likewise a short-term plan; the real long-term approach is still for domain registrars to tighten their own management.
The current latest version is Firefox 37; please make sure to upgrade to stay secure.
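The two ideas the post above describes, the punycode display form that Firefox 1.0.1 shows in the address bar and the kind of look-alike registration the ICANN guidelines ask registrars to refuse, as an added example in Python. This is not code from the forum post or from Mozilla; it uses Python's standard `idna` codec for the ACE conversion, and the mixed-script check is a simple heuristic of my own (a label whose letters come from more than one Unicode script), not Mozilla's or ICANN's actual rule. The sample hostnames are constructed for the demo.

```python
"""Added example: punycode display form of an IDN plus a mixed-script check.

Not part of the forum post or of Mozilla's code. Sample hostnames below
are constructed for the demonstration.
"""
import unicodedata


def to_display_form(hostname: str) -> str:
    """Return the ASCII-compatible (punycode) form of an IDN hostname.

    This is the form Firefox 1.0.1 shows instead of the Unicode form, so
    'bücher.ch' is displayed as 'xn--bcher-kva.ch'. Plain ASCII names
    come back unchanged.
    """
    # Python's 'idna' codec applies nameprep and punycode label by label
    # and prepends the 'xn--' ACE prefix to labels that needed encoding.
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Collect a coarse script tag for every letter in one DNS label.

    The first word of the Unicode character name ('LATIN', 'CYRILLIC',
    'GREEK', ...) is used as the script identifier; this is a heuristic
    for the demo, not a full Unicode script-property lookup.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(hostname: str) -> bool:
    """True if any label mixes letters from more than one script.

    'bücher' is pure Latin (ü is LATIN SMALL LETTER U WITH DIAERESIS),
    whereas 'pаypal' written with a Cyrillic 'а' (U+0430) mixes Latin and
    Cyrillic, which is the homograph pattern the advisory describes.
    """
    return any(len(scripts_in_label(label)) > 1
               for label in hostname.split("."))


def classify(hostname: str) -> dict:
    """Summarise what a defender wants to know about one hostname."""
    display = to_display_form(hostname)
    return {
        "unicode": hostname,
        "display": display,
        "needs_idn": display != hostname,
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    # Constructed samples: a legitimate German IDN, a Cyrillic-'a'
    # look-alike of paypal.com, and a plain ASCII name.
    for name in ("bücher.ch", "p\u0430ypal.com", "paypal.com"):
        print(classify(name))
```

Running the block prints one dictionary per sample: the German name needs IDN but is single-script, the Cyrillic look-alike both needs IDN and is flagged as mixed-script (its display form starts with `xn--`, so the address bar no longer looks like the real site), and the ASCII name is untouched by either check.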
hnstxx
Reply #1, posted 2005-02-10 02:21
Got it, thanks!
MM: you are a man who is cold on the outside but sweet on the inside.
melop
Reply #2, posted 2005-02-10 02:21
Right, and the second "a" in paypal is rendered in a different font from the other letters on Chinese systems, so it is easy to tell apart.
Welcome to my little blog: http://blog.csdn.net/melop
渣滓
Reply #3, posted 2005-02-10 02:21
Thanks, OP.
guoshuang
Reply #4, posted 2005-02-10 02:21
I don't quite understand the principle?
melop: Right, and the second "a" in paypal is rendered in a different font from the other letters on Chinese systems, so it is easy to tell apart.


What does that mean? I can't see any difference. I still don't get the principle; can someone explain...
puhongyi
Reply #5, posted 2005-02-10 02:21
Re: I don't quite understand the principle?
guoshuang

What does that mean? I can't see any difference. I still don't get the principle; can someone explain...
nighttalker
Reply #6, posted 2005-02-10 02:21
Should we set up a security board? It would report and analyze every "vulnerability" that appears; this is fairly important, but pinning it here feels like a waste of the space at the top...
agan
Reply #7, posted 2005-02-10 02:21
Thanks
fiag
Reply #8, posted 2005-02-10 02:21
In Firefox 1.0.1 the use of IDN has already been disabled; IDN domains are displayed in the address bar as a substitute domain name.
nighttalker
Reply #9, posted 2005-02-10 02:21
fiag: In Firefox 1.0.1 the use of IDN has already been disabled; IDN domains are displayed in the address bar as a substitute domain name.

lol, that isn't disabling it; only the encoding used to display the address changed. The IDN resolution function still works as before.
hnstxx
Reply #10, posted 2005-02-10 02:21
nighttalker: Should we set up a security board? It would report and analyze every "vulnerability" that appears; this is fairly important, but pinning it here feels like a waste of the space at the top...


I raise everything I can raise in support!
viewtheard
Reply #11, posted 2005-02-10 02:21
nighttalker: Should we set up a security board? It would report and analyze every "vulnerability" that appears; this is fairly important, but pinning it here feels like a waste of the space at the top...


I support it; we could run a poll to see what people think.
My Technical Blog: http://art-technical.blogspot.com/