neglected security issue in konqueror?

Christian Mueller cmueller at gmx.de
Mon Feb 7 23:36:27 GMT 2005


On Monday, 7 February 2005 23:17, daniel wrote:
> http://www.shmoo.com/idn/
> 
> a friend sent me this link this morning and it seems to me to be a real 
> security problem but according to the paper, this issue was raised back in 
> 2001 and both mozilla and all khtml projects seem to still be affected by the 
> exploit.
> 
> is there a reason for this?  should i bother posting to bugs?


This is not an exploit and no security hole in konqueror.  

It is a problem that comes with the internationalisation of host names. 
You can now have different host names that *look* identical to the user. 
In the example you've given the first letter that looks like "a" in 
paypal.com is not an ASCII-"a" but some foreign character (Russian, I think).  
But the hostname is a perfectly legal international domain name.  
What is konqueror supposed to display?  

It *is* a security problem that makes sophisticated phishing attacks 
possible but what is a standards-compliant browser to do about it?  

Still, you may want to bring this to the attention of the 
konqueror developers by posting to kfm-devel.  Maybe there is 
some strategy to warn the user in these cases.
I'm not sure this can be detected reliably, though...  


Cheers,
Christian. 

-- 

The fight against stupidity has only just begun.
    -- Die Zeit
___________________________________________________
This message is from the kde mailing list.
Account management:  https://mail.kde.org/mailman/listinfo/kde.
Archives: http://lists.kde.org/.
More info: http://www.kde.org/faq.html.
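
The warning strategy raised in the reply above, sketched as an added example that is not part of the original message or of Konqueror's code: flag any hostname label that mixes scripts and show its ASCII (`xn--`) form. The sample hostnames are constructed, and using the first word of each Unicode character name as the script is an assumption of this sketch.

```python
import unicodedata


def label_scripts(label):
    """Approximate the set of scripts used in one hostname label.

    Assumption: the first word of the Unicode character name ("LATIN",
    "CYRILLIC", "GREEK", ...) stands in for the script property, which
    the Python standard library does not expose directly.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens carry no script information
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def check_host(host):
    """Return (ascii_form, suspicious) for a hostname.

    suspicious lists every label that mixes more than one script,
    together with the sorted script names found in it.
    """
    suspicious = []
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            suspicious.append((label, sorted(scripts)))
    # The ASCII-compatible form is what actually goes to DNS; showing it
    # makes a look-alike label visibly different from the real one.
    ascii_form = host.encode("idna").decode("ascii")
    return ascii_form, suspicious


# Constructed samples (not taken from the linked advisory).
SAMPLES = [
    "paypal.com",                                # plain ASCII
    "p\u0430ypal.com",                           # U+0430 CYRILLIC SMALL LETTER A
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",  # label entirely in Cyrillic
]

if __name__ == "__main__":
    for host in SAMPLES:
        ascii_form, suspicious = check_host(host)
        verdict = "WARN mixed scripts" if suspicious else "ok"
        print(f"{ascii_form:28} {verdict} {suspicious}")
```

The all-Cyrillic sample passes the check, so a label spoofed entirely within one script would too, and legitimate labels that combine scripts (Japanese kana with kanji, for instance) would be flagged.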

