I've verified that the flaw exists on Windows XP SP2 fully patched IE 6 with Verisign's plugin from http://www.idnnow.com/index.jsp. Screenshot here: http://www.rebee.clara.net/images/ie-idn.jpg Cheers, Phil ---- Phil Randal Network Engineer Herefordshire Council Hereford, UK > -----Original Message----- > From: Jerome ATHIAS [mailto:jerome.athias@xxxxxxx] > Sent: 08 February 2005 14:47 > To: bugtraq@xxxxxxxxxxxxxxxxx > Subject: Re: International Domain Name [IDN] support in > modern browsers allows attackers to spoof domain name URLs + > SSL certs. > > In-Reply-To: <20050208043921.17342.qmail@xxxxxxxxxxxxxxxxxxxxx> > > Verified under Windows XP SP2 with Firefox 1.0 (MOOX M3) > > SpoofStick (http://www.corestreet.com/spoofstick/) is also > tricked (what about netcraft...?). > > Regards, > Jerome >
