That “fix” I blogged about yesterday for the Shmoo Group's Firefox exploit gets unfixed when you close and re-open your browser.
Information on a more permanent but alas more complicated fix can be found at tech.life.blogged.
UPDATE: This item was originally posted at 7:22am this morning. Some time between then and now, Firefox posted an update which fixes the problem. Quick work! [For the Windows users who wrote me with their worries, the file you want is: firefox-1.0.en-US.win32.installer.exe. Just download it, then run it.]
The Shmoo group report is somewhat deceptive. It mentions one well known CA three times in the paper but does not mention that the certificate in question was issued by a different CA which curiously is not mentioned in the report, not even in the vendor responses section.
The attack is not new, remember Micros0ft.com? Phishing gangs register sites of the form xxx-billing.com all the time. The internationalization is simply a new twist on an old theme.
The real failure here is that a CA issued a certificate to an organization calling itself ‘Snake Oil Pro’ and did no more than verify the domain name of the holder. That's not really enough evidence to hand over a credit card number for.
A more permanent fix for the problem would be to dump the relevant CA root out of the browser or, better, to have a separate section in the browser labeled ‘untrustworthy roots that are OK for turning on encryption but nothing more’. Come to that, why not allow encryption to be turned on for a self-signed cert.
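The comment above makes the point that the IDN trick is just a new twist on look-alike domain names. The Python script below is an added example (it is not from the post, the Shmoo Group report, or Firefox) showing the check a defender can run over hostnames pulled from logs or mail: decode any punycode (`xn--`) labels back to Unicode with the standard-library `idna` codec, and flag labels that mix scripts, which is the pattern of a Latin name with one Cyrillic or Greek letter swapped in. The sample hostnames are constructed for the example; the post does not say which characters the Shmoo demonstration used, so the Cyrillic `а` (U+0430) standing in for Latin `a` is my own illustration.

```python
import unicodedata


def unicode_form(host: str) -> str:
    """Return the Unicode form of a hostname, decoding punycode (xn--) labels.
    A hostname that is already Unicode is returned unchanged."""
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Malformed punycode: keep the raw form so it still shows up in output
        return host


def punycode_form(host: str) -> str:
    """Return the ASCII (punycode) form a resolver would actually look up."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode
    name ('LATIN', 'CYRILLIC', 'GREEK', ...). Digits and hyphens are
    script-neutral and return ''."""
    name = unicodedata.name(ch, "")
    first = name.split(" ", 1)[0]
    return "" if first in ("", "DIGIT", "HYPHEN-MINUS") else first


def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in (script_of(c) for c in label) if s}


def classify_host(host: str) -> dict:
    """Classify a hostname for homograph triage.

    verdict is one of:
      'ascii'        - plain ASCII labels only
      'idn'          - non-ASCII labels, each written in a single script
      'mixed-script' - at least one label mixes scripts (e.g. Latin + Cyrillic),
                       the classic look-alike pattern and worth a manual look
    """
    uhost = unicode_form(host).lower()
    labels = uhost.split(".")
    mixed = [lab for lab in labels if len(label_scripts(lab)) > 1]
    non_ascii = [lab for lab in labels if not lab.isascii()]
    if mixed:
        verdict = "mixed-script"
    elif non_ascii:
        verdict = "idn"
    else:
        verdict = "ascii"
    return {
        "input": host,
        "unicode": uhost,
        "punycode": punycode_form(uhost),
        "mixed_labels": mixed,
        "verdict": verdict,
    }


# Constructed sample hostnames (not from the post): a plain ASCII name, a
# look-alike whose second letter is Cyrillic U+0430 instead of Latin 'a', and
# an all-Cyrillic name that is legitimately non-ASCII.
SAMPLE_HOSTS = [
    "example.com",
    "ex\u0430mple.com",
    "\u043f\u0440\u0438\u043c\u0435\u0440.com",
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = classify_host(h)
        print(f"{r['punycode']:<28} {r['verdict']:<13} {r['unicode']}")
        # Feeding the punycode form back in yields the same verdict
        assert classify_host(r["punycode"])["verdict"] == r["verdict"]
```

The mixed-script check catches the single-substituted-letter case but not a label written entirely in a confusable script, and it says nothing about the certificate side of the problem the comment raises: a domain-validated certificate for a look-alike name still gets the padlock, which is why the comment argues for separating "good enough for encryption" roots from roots you would trust with a credit card number.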
Hi: Thanks for linking to and tracking back to my blog. I see you linked to the nightly builds. My understanding is that these are untested. Do you know if they are safe to use?
Personally I don’t have a problem I just want to make sure I can tell anyone reading my blog about them.
Thanks,
Scott
Well, although I’ve usually had good experiences with the dailies, I also had one bad one once. So it’s not as safe and sure as waiting for an official version number release. Which this is not.
This version seems to allow the setting to hold after you shut the browser down and restart (unlike the previous build, where you had to reset it manually every time it started). You do need to go into config and set the IDN enable off.
Hmmm. My setting in about:config (enableIDN false) holds after a restart, nonetheless the exploit still works (before installing the 2/9/05 build, if I ever do).
Looks like maybe there is more complexity here than is currently understood.
TomR: I had the same experience with a previous version I’ve been using (after a restart the false setting still shows but the exploit works). However, in that old build you can cycle it from false to true and back again and then the exploit won’t work. It has to be un-set and reset every time the browser is started.
The new version dated today shows false *and* the exploit doesn’t work when you restart the browser. But you still have to go in and set the enable to false.
Pingback: Emergent Chaos