neglected security issue in konqueror?
Rigo Wenning
rigo at w3.org
Wed Feb 9 09:48:16 GMT 2005
It's a known issue, and the Unicode consortium has already looked at it,
see:
http://www.unicode.org/reports/tr36/tr36-1.html#international_domain_names,
Of course, quite a bit of work remains.
Disabling IDNs isn't a solution, the same way that disabling
DNS in a browser isn't a solution to solve the problem of
phishing with ASCII-based domain names.
We are generally thinking about the issues related to phishing here.
BTW, I tried it out and Konqueror complained about the wrong certificate,
as the SSL implementation does _not_ know about IDNs, it seems, and
confused things too and got the wrong certificate. Anyway, the
SSL phishing on http://www.shmoo.com/idn/ does not work with my
Konqueror.
Best,
--
Rigo Wenning W3C/ERCIM
Staff Counsel Privacy Activity Lead
mail:rigo at w3.org 2004, Routes des Lucioles
http://www.w3.org/ F-06902 Sophia Antipolis
On Tuesday 08 February 2005 18:20, daniel wrote:
> http://www.shmoo.com/idn/
>
> a friend sent me this link this morning and it seems to me to be a
> real security problem but according to the paper, this issue was
> raised back in 2001 and both mozilla and all khtml projects seem to
> still be affected by this potential problem.
>
> i posted to kde at mail.kde.org and it was recommended that i re-post it
> here. It seems to me that given that removing a standard from a
> standard-compliant browser isn't much of an option, might i suggest a
> warning popup of some kind? or is this kind of issue best directed
> to the people responsible for resolution of names like that mentioned
> at the above link.
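
Added example, not part of the original thread or of Konqueror's code: a sketch of the check that could sit behind the warning suggested above, decoding each IDN label and flagging labels that mix scripts. The function names, the character-name approximation of the Unicode Script property, and the sample label are assumptions constructed for illustration.

```python
import unicodedata

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label (ACE 'xn--' labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(label: str) -> set:
    """Approximate the set of scripts used by the letters of a label.

    Assumption: the first word of the Unicode character name stands in for
    the Script property, which Python's standard library does not expose.
    """
    found = set()
    for ch in label:
        if ch.isalpha():  # digits and hyphens are script-neutral
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def suspicious_labels(hostname: str) -> list:
    """Return (unicode_label, scripts) for every label that mixes scripts."""
    hits = []
    for raw in hostname.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            # Malformed ACE label: report it rather than display it.
            hits.append((raw, ["UNDECODABLE"]))
            continue
        scripts = scripts_in(label)
        if len(scripts) > 1:
            hits.append((label, sorted(scripts)))
    return hits

# Constructed sample: "example" with U+0430 CYRILLIC SMALL LETTER A for "a".
SPOOF_LABEL = "ex\u0430mple"
SPOOF_ACE = "xn--" + SPOOF_LABEL.encode("punycode").decode("ascii")

if __name__ == "__main__":
    for host in ("example.com", SPOOF_LABEL + ".com", SPOOF_ACE + ".com"):
        print(host, "->", suspicious_labels(host) or "single script")
```

A label written entirely in one non-Latin script passes this check, and scripts that are legitimately combined (Japanese, for instance) are flagged, so the result is a reason to show a warning or the ACE form, not a verdict.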