XYMer's Home away from Home
http://x704.net/bbs/

Some browsers get tricked with unicode.
http://x704.net/bbs/viewtopic.php?f=17&t=8077

Author:  roam [ Thu Apr 20, 2017 10:29 pm ]
Post subject:  Some browsers get tricked with unicode.

I just read this possible deception affecting Firefox and Chrome.
https://arstechnica.com/security/2017/0 ... -you-want/
Pasted that address into my Firefox address bar and it showed the false text saying Apple. I didn't click through.

Google just patched it and Safari is not vulnerable to it.
Only this morning I did a Firefox update. I hope it is on their to-do list for the next update.

FF ESR 49.5.0

Author:  WZZZ [ Fri Apr 21, 2017 4:29 am ]
Post subject:  Re: Some browsers get tricked with unicode.

Don't really understand much about all the serious vulnerabilities now corrected in the latest 52.1, just released 4/19--there are a lot of them--but doesn't look like this particular unicode exploit is covered. Thanks for the heads up.

Quote:
Firefox users can protect themselves by entering "about:config" in the address bar and agreeing to the displayed warning. From there, enter "punycode" in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word "false" to change it to "true." From then on, Firefox will display the "dumb ascii" characters and not the deceptive, encoded ones.

Author:  BDAqua [ Fri Apr 21, 2017 11:04 am ]
Post subject:  Re: Some browsers get tricked with unicode.

Thanks, Safari 8.0.8 not affected, punycode true cured FF 51.01

Author:  roam [ Fri Apr 21, 2017 3:00 pm ]
Post subject:  Re: Some browsers get tricked with unicode.

Thanks WZZZ for pointing out the fix located at the end of the article. I was too sleepy to read to the end. :snail: Just did it and now that behaviour is gone.

Author:  rccharles [ Fri Apr 21, 2017 3:41 pm ]
Post subject:  Re: Some browsers get tricked with unicode.

Seems the Firefox people do not think it is a problem that apple.com can go to two different web sites depending on which letter "a" is used. It seems each user must change about:config to be safe.

Never heard of a more ridiculous situation.

Robert
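
Added example (not part of the original thread or the linked article): a Python sketch of a check for the lookalike hostnames discussed above. It prints the "xn--" form that Firefox shows once network.IDN_show_punycode is true, and flags labels that mix scripts or consist only of Cyrillic letters that render like Latin ones. The LOOKALIKES table, the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones
# (illustrative assumption; Unicode's confusables data is far larger).
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0455": "s",
              "\u0456": "i", "\u0458": "j"}
NEUTRAL = "-0123456789"  # hyphen and digits belong to no particular script

def label_scripts(label):
    """Scripts used in a label, taken from the first word of each character name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch not in NEUTRAL}

def to_punycode(hostname):
    """ASCII form of a hostname: non-ASCII labels become 'xn--' + punycode."""
    labels = []
    for label in hostname.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)

def classify(hostname):
    """Return (verdict, ascii_form); the first suspicious label decides the verdict."""
    verdict = "ascii"
    for label in hostname.lower().split("."):
        if label.isascii():
            continue
        if len(label_scripts(label)) > 1:
            return "mixed-script", to_punycode(hostname)
        if all(ch in LOOKALIKES for ch in label if ch not in NEUTRAL):
            # One script only, so a mixed-script check alone would pass it.
            return "whole-script-lookalike", to_punycode(hostname)
        verdict = "idn"  # ordinary internationalized name
    return verdict, to_punycode(hostname)

# Constructed sample hostnames, written with escapes so the scripts are visible.
SAMPLES = ["apple.com",
           "\u0430pple.com",                              # Cyrillic a + Latin pple
           "\u0441\u043e\u0440\u0435.example",            # all Cyrillic, reads "cope"
           "\u043f\u0440\u0438\u043c\u0435\u0440.example"]  # ordinary Cyrillic word

if __name__ == "__main__":
    for host in SAMPLES:
        print(classify(host))
```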

All times are UTC - 8 hours