Pablos sez, "Shmoocon ended today. And just to prove The Shmoo Group wasn't sitting on their asses for the entire time while planning the con - A new exploit was demo'd by EricJ that left all jaws out on the floor. Want to own ANY domain? Want a trusted SSL cert for it? Check it out here. We 0wnz0rd PayPal, but left the rest for you. We have no idea how to fix this and neither do the browser developers. Official advisory here. Phishing attacks of doom coming soon."
Source: BoingBoing
Oh lord, this is just another fold in the phishing debacle. I found this interesting from the advisory:
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
You can read the full advisory for how to turn IDN off in Mozilla-based browsers, as well as how exactly they spoofed PayPal.com. And by all means, try out the proof of concept.
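To see what the advisory's trick relies on, here is an added example (not code from the page, the advisory, or the Shmoo Group): Python's built-in IDNA codec shows the Unicode form a browser displays next to the punycode form that is actually resolved, and flags labels that are non-ASCII or mix scripts, which is the check a defender would want before trusting a displayed hostname. The look-alike name with a Cyrillic "а" is constructed for illustration; the page does not say which character the proof of concept used.

```python
import unicodedata

# Constructed sample hostnames (not taken from the page): a plain name, a
# look-alike whose second letter is Cyrillic "а" (U+0430), and the punycode
# (ACE) form a resolver would see for that look-alike.
SAMPLES = ["paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"]


def to_punycode(host: str) -> str:
    """Wire form of a hostname: each non-ASCII label becomes an xn-- label."""
    return host.encode("idna").decode("ascii")


def display_form(host: str) -> str:
    """Unicode form a browser shows: decode xn-- labels, leave Unicode input as is."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host  # already Unicode, nothing to decode


def scripts_of(label: str) -> set:
    """Script of every letter, taken from the first word of its Unicode name
    (e.g. LATIN, CYRILLIC); good enough to spot a mixed-script label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def homograph_warnings(host: str) -> list:
    """Return the warnings a defender should raise for a displayed hostname."""
    warnings = []
    for label in display_form(host).split("."):
        if label.isascii():
            continue
        warnings.append(f"label {label!r} is non-ASCII; resolver sees {to_punycode(label)}")
        scripts = scripts_of(label)
        if len(scripts) > 1:
            warnings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    return warnings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", homograph_warnings(sample) or "plain ASCII, no warnings")
```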
Thanks to Rob Griffiths for the link.
