Until a better solution is deployed, here is the workaround to make
Moxie Marlinspike's attack ineffective.
- select and copy to your clipboard the character inside the " below:
"╱"
This character looks similar to / but is not the same!
This message is sent in Unicode to allow for proper transmission of
that character.
- type about:config in the Firefox URL bar
- type blacklist_chars in the Filter line
- click to modify the network.IDN.blacklist_chars preference
- click inside the preference content and paste the character from your
clipboard.
Do not overwrite any of the characters already present!
- validate the change
- try to access this URL:
http://www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn/
- after it times out, you'll see the following message:
« Firefox can't find the server at
www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn. »
- without that change you would have seen:
« Firefox can't find the server at
www.google.com╱accounts╱servicelogin.f.ijjk.cn »
PS: Marlinspike refers to a character visually similar to "?" in his
presentation. I haven't found what it is, I've only found "‽". You can
repeat the process above with "‽".
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
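To show what the network.IDN.blacklist_chars change actually does, here is an added Python example (editor's illustration, not code from the post or from Mozilla). It decodes the xn-- label of the URL above with the Punycode codec, scans the decoded characters against a small constructed blacklist containing the U+2571 and U+203D characters the post proposes (plus a few assumed look-alike punctuation marks; the real preference value is longer), and renders each label in Unicode only when it contains no blacklisted character, which is the display rule that turns the spoofed "google.com╱accounts╱servicelogin" label back into its raw xn-- form.

```python
import codecs
import unicodedata

# Constructed blacklist: the two confusable characters the post proposes
# adding (U+2571 and U+203D) plus a few assumed look-alike punctuation marks.
# An illustrative subset, not the full default value of the preference.
BLACKLIST_CHARS = frozenset("\u2571\u203d\uff0e\uff0f\u3002")


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label.

    Labels without the 'xn--' prefix are returned unchanged. A-labels are
    decoded with the Punycode codec (RFC 3492) rather than the IDNA codec so
    that every decoded character is visible to the check below, exactly as a
    browser must see it before deciding how to render the label.
    """
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def find_blacklisted(hostname: str, blacklist=BLACKLIST_CHARS):
    """List (label, character, 'U+XXXX NAME') for every blacklisted character
    found in any decoded label of the hostname (useful for log enrichment)."""
    hits = []
    for label in hostname.split("."):
        for ch in decode_label(label):
            if ch in blacklist:
                name = unicodedata.name(ch, "<unnamed>")
                hits.append((label, ch, f"U+{ord(ch):04X} {name}"))
    return hits


def display_hostname(hostname: str, blacklist=BLACKLIST_CHARS) -> str:
    """Approximate the browser's per-label display rule: show a label in
    Unicode only when none of its characters is blacklisted, otherwise keep
    the ASCII xn-- form so the look-alike character cannot masquerade as '/'."""
    shown = []
    for label in hostname.split("."):
        decoded = decode_label(label)
        if any(ch in blacklist for ch in decoded):
            shown.append(label)          # keep the raw A-label
        else:
            shown.append(decoded)        # safe to show as Unicode
    return ".".join(shown)


if __name__ == "__main__":
    # The hostname from the post above.
    host = "www.google.xn--comaccountsservicelogin-5j9pia.f.ijjk.cn"
    print("raw:           ", host)
    print("no blacklist:  ", display_hostname(host, frozenset()))
    print("with blacklist:", display_hostname(host))
    for label, ch, desc in find_blacklisted(host):
        print(f"  {label!r} contains {ch!r} ({desc})")
```

Run stand-alone it prints the two renderings the post describes: the Unicode form with the box-drawing slashes when the blacklist is empty, and the raw xn-- form once U+2571 is blacklisted. The same function with "‽" (U+203D) in the blacklist covers the interrobang case from the PS.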