Re: Work-around for Moxie Marlinspike's Blackhat attack
On 28/02/09 00:32, Jonas Sicking wrote:

It'd be good to have a separate pref, network.IDN.blacklist_chars_extra, where users can add additional characters without having to worry about not receiving updates to the list we maintain.

If users have to add chars to this list manually, that's Really Bad - because most won't. What's easier - getting loads of users to modify this pref, or shipping an automatically-installed security update to all of them?

Gerv

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: Return of i18n attacks with the help of wildcard certificates
On 27/02/09 14:48, Boris Zbarsky wrote:

It's not clear to me that the person who added the list even knew the page existed.

Neil added the list, and he wrote the second half of the page. So there was mutual knowledge. The list isn't documented on the page because, strictly speaking, it's not relevant.

It seems like the right thing to do is to make the "this is the hostname of the site" ui somehow more prominent. Or possibly "this is the tld+2 of the site" or something.

Some UI mockups would probably help more than anything else.

We just turned hostname display UI for SSL on, according to The Burning Edge...

Gerv
Re: Return of i18n attacks with the help of wildcard certificates
Subject was [Fwd: Facebook message - Received Messages Quickly]

I've received it a few minutes ago. The URL doesn't use SSL, but it shows exactly what I posted in this thread not long ago...see forwarded message below:

Regards
Signer: Eddy Nigg, StartCom Ltd. http://www.startcom.org/
Jabber: h...@startcom.org xmpp:h...@startcom.org
Phone: +1.213.341.0390

Original Message
Subject: Facebook message - Received Messages Quickly
Date: Tue, 3 Mar 2009 00:23:25 +
From: Facebook Message Center messa...@facebook.com
To: certmas...@startcom.org

Personal Message To You From your friends at facebook video server:

Subject: Review - My family invite you out for lunch, don't hesitate!

Read Description for a link to part 1 Original Video added by group member. You will see a link to Open Your Personal Message Manager. Selecting this link will take you to the log in page where you can browse new messages.

Proceed to open full message text:
http://login.facebook.permissions.videomessageid-q9k6d8abp.sessionnewid83.com/home.htm?/CEBMainServlet/LOGIN=v1yzhoqvrtc8gmf

Sincerely, Maura Kent.
Facebook 2009 Message Center.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
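
Added example (not part of the thread and not Firefox code): a sketch of the hostname display idea discussed above, applied to the URL in the forwarded message. It separates the registrable domain from the owner-controlled prefix. The suffix set, the brand list and all function names are assumptions made for illustration; a real implementation would use the full Public Suffix List.

```javascript
// Added example, not Firefox code. SAMPLE_SUFFIXES is a tiny constructed
// stand-in for the Public Suffix List that a real implementation would load.
const SAMPLE_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// URL quoted in the forwarded message above.
const FORWARDED_URL =
  "http://login.facebook.permissions.videomessageid-q9k6d8abp." +
  "sessionnewid83.com/home.htm?/CEBMainServlet/LOGIN=v1yzhoqvrtc8gmf";

// Return the public suffix plus one label, or null when no suffix matches
// (IP literals, bare suffixes, unknown TLDs), so nothing gets highlighted.
function registrableDomain(hostname, suffixes = SAMPLE_SUFFIXES) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Longest candidate first, so "co.uk" wins over "uk".
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Split a URL's host into the part the site owner registered and the
// prefix that the owner can fill with arbitrary labels.
function describeHost(urlString) {
  const host = new URL(urlString).hostname.replace(/\.$/, "");
  const registrable = registrableDomain(host);
  const prefix = registrable && host.length > registrable.length
    ? host.slice(0, host.length - registrable.length - 1)
    : "";
  return { host, registrable, prefix };
}

// Hypothetical check: brand names that appear as labels in the prefix while
// the registrable domain belongs to some other name.
function brandsOutsideRegistrable(urlString, brands) {
  const { registrable, prefix } = describeHost(urlString);
  if (!registrable) return [];
  const owner = registrable.split(".")[0];
  const prefixLabels = prefix.split(".");
  return brands.filter((b) => b !== owner && prefixLabels.includes(b));
}

console.log(describeHost(FORWARDED_URL));
console.log(brandsOutsideRegistrable(FORWARDED_URL, ["facebook"]));
```

For the forwarded URL the registrable domain is sessionnewid83.com, and every label to its left, including "facebook", is chosen by whoever registered that domain.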