An interesting observation regarding yesterday’s security bug. I did this using 1.0+.
Here’s what it looks like when the exploit is presented:
Now look at the title bar when you “view source”:
Is this a temporary way to validate the authenticity of the website?
I have no clue. I’m just reporting my observations.
3 replies on “IDN Security Hole”
OT: What’s this “bug document” icon on your toolbar, between home button and location bar?
Yes, the view source window does not decode the punycode in the title; there’s a bug entry in Bugzilla about this already.
It’s bug 250103:
https://bugzilla.mozilla.org/show_bug.cgi?id=250103
The following JavaScript bookmarklet can be used to detect IDN spoofing.
javascript:alert(%22The real URL is: %22 + location.protocol + %22//%22 + location.hostname + %22/%22 + %22\nThe address URL is: %22 + location.href + %22\n%22 + %22If the server names do not match, this may be a spoof.%22);
It works well for our beloved Safari.
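The check the bookmarklet leaves to the reader's eye can be done in code. This is an added example, not part of the original post or its comments; it assumes a URL string as input instead of `location`, and the names `inspectHost` and `ACE_PREFIX` and the sample URLs are constructed for illustration.

```javascript
// Added example: inspectHost and ACE_PREFIX are illustrative names.
const ACE_PREFIX = 'xn--'; // every punycode-encoded (IDN) label starts with this

function inspectHost(urlString) {
  const url = new URL(urlString);
  // url.hostname is the ASCII (punycode) form of the host, the same value
  // the bookmarklet reads from location.hostname.
  const hostname = url.hostname;
  const aceLabels = hostname
    .split('.')
    .filter((label) => label.toLowerCase().startsWith(ACE_PREFIX));
  // Authority part of the raw input ("scheme://authority/..."), checked for
  // characters outside ASCII before any normalisation happens.
  const authority = urlString.split('/')[2] || '';
  const rawNonAscii = /[^\x00-\x7F]/.test(authority);
  return {
    origin: `${url.protocol}//${hostname}/`,
    aceLabels,
    rawNonAscii,
    // An IDN host is not proof of spoofing; it marks the name for a closer look.
    needsReview: aceLabels.length > 0 || rawNonAscii,
  };
}

// Constructed sample inputs (not taken from the post).
const samples = [
  'http://www.example.com/index.html',
  'http://xn--bcher-kva.example/',
  'http://bücher.example/',
];

for (const sample of samples) {
  const report = inspectHost(sample);
  console.log(
    `${sample}\n  real host: ${report.origin}` +
    `\n  IDN labels: ${report.aceLabels.join(', ') || 'none'}` +
    `\n  needs review: ${report.needsReview}`
  );
}
```
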