Package: firefox
Severity: minor

Hello Maintainer,
I have a customer who has an Arabic Puny-Code domain on my server, which is now working, but Firefox shows a security problem. I had already asked on the Apache mailing list, but:

----[ STDIN ]-----------------------------------------------------------
On 2010-05-09 14:10:32, you hacked down the following:
> On 5/9/2010 7:38 AM, Michelle Konzack wrote:
> > since some days there are Punycodes available for three Arabic TLDs and I
> > would like to know what I must do so that if I type for example the domain
> > "تامايدوجان.سى" <tamay-dogan.sa> it stays like this and does not
> > change back to this crappy looking Punycode domain.
>
> I believe this is entirely under the wisdom of your browser, since httpd does
> nothing to influence the display of the URL bar. It wouldn't be added,
> because allowing the servers to obfuscate the URL bar would be a huge security
> issue with website impersonation.

And for what do you think Puny-Code domains are useful?

I mean, someone using a Puny-Code domain from the UE or SA knows the domains are generally only accessible to people reading/writing Arabic.

So why does the web browser accept it if I type the Arabic domain name and then switch to the unreadable Puny-Code stuff?

Switching to the unreadable one is a security risk, because no one knows what the domain is, but if the web browser leaves it in Arabic, I can check it all the time.

I think a web browser should not change the shown domain to something no one understands...
------------------------------------------------------------------------

So, I see this as a security problem because the translated Puny-Code is unreadable and no one can check what the URL bar says. This can lead to a man-in-the-middle attack.

Firefox should show the domain as it is, in this case in ARABIC.

Note: The same problem applies to other Puny-Code domains too.

Thanks, Greetings and nice Day/Evening
    Michelle Konzack
    System Administrator
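
The conversion this report is about, as an added example that is not part of the original message or of Firefox's code: it maps a Unicode domain to its ASCII ("xn--") form and back, and applies a simplified display rule that keeps single-script labels such as the Arabic one readable and falls back to the ASCII form only when a label mixes scripts. The display rule, the function names and the `ex\u0430mple.test` sample are assumptions made for illustration, not Firefox's actual policy.

```python
import unicodedata

ACE_PREFIX = "xn--"  # marks a Punycode-encoded ("ASCII-compatible") label

def to_ace(domain):
    """Unicode domain -> ASCII form, label by label (no nameprep/UTS46 mapping)."""
    out = []
    for label in domain.split("."):
        if label.isascii():
            out.append(label.lower())
        else:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def to_unicode(domain):
    """ASCII form -> Unicode; labels without the xn-- prefix pass through."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)

def scripts(label):
    """Rough script set of a label: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def display_form(domain):
    """Assumed policy: show Unicode unless some label mixes scripts."""
    uni = to_unicode(domain)
    if any(len(scripts(label)) > 1 for label in uni.split(".")):
        return to_ace(uni)  # mixed-script label: keep the ASCII form
    return uni

ARABIC = "تامايدوجان.سى"      # domain quoted in the report
MIXED = "ex\u0430mple.test"    # constructed: Latin letters plus Cyrillic U+0430

if __name__ == "__main__":
    for d in (ARABIC, MIXED, "bücher.example"):
        print(to_ace(d), "->", display_form(to_ace(d)))
```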