On Monday, 7 February 2005 23:17, daniel wrote:
> http://www.shmoo.com/idn/
>
> a friend sent me this link this morning and it seems to me to be a real
> security problem but according to the paper, this issue was raised back in
> 2001 and both mozilla and all khtml projects seem to still be affected by the
> exploit.
>
> is there a reason for this? should i bother posting to bugs?

This is not an exploit and no security hole in Konqueror. It is a problem that comes with the internationalisation of host names. You can now have different host names that *look* identical to the user. In the example you've given, the first letter that looks like "a" in paypal.com is not an ASCII "a" but some foreign character (Russian, I think). But the hostname is a perfectly legal international domain name. What is Konqueror supposed to display?

It *is* a security problem that makes sophisticated phishing attacks possible, but what is a standards-compliant browser to do about it?

Still, you may want to bring this to the attention of the Konqueror developers by posting to kfm-devel. Maybe there is some strategy to warn the user in these cases. I'm not sure this can be detected reliably, though...

Cheers,
Christian.

--
The fight against stupidity has only just begun. -- Die Zeit
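One possible warning strategy of the kind raised in the message above, as an added example that is not part of the original post or of Konqueror's code: flag any hostname label that mixes scripts and show its ASCII (punycode) form. The function names, the script approximation via Unicode character names, and the constructed sample hostname are assumptions of this sketch.

```python
import unicodedata

# Constructed sample: "paypal.com" with U+0430 (Cyrillic "a") as the second letter.
SPOOFED = "p\u0430ypal.com"

def char_script(ch):
    """Approximate a character's script by the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def inspect_hostname(host):
    """Return one report per label: scripts used, ACE form, mixed-script flag."""
    reports = []
    for label in host.lower().split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        reports.append({
            "label": label,
            # ASCII-compatible encoding: the form actually sent to DNS
            "ace": label.encode("idna").decode("ascii"),
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return reports

def should_warn(host):
    """True if any single label combines characters from more than one script."""
    return any(r["mixed"] for r in inspect_hostname(host))

if __name__ == "__main__":
    for host in ("paypal.com", SPOOFED):
        print(repr(host), "warn" if should_warn(host) else "ok")
        for r in inspect_hostname(host):
            print("   ", r["ace"], r["scripts"])
```

A mixed-script check only covers labels like the one in the linked demonstration; a label written entirely in one non-Latin script passes it, which is the reliability limit the message points at.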