It’s an IDN thing
Ben asks whether the Verisign IE plugin for IDN is vulnerable to the same phishing attack as the browsers that have implemented IDN natively.
I’d have to say, mostly.

The address bar looks fine, a perfect spoof. On Shmoo’s secure site everything else looks fine too, until you examine the certificate or, for any site, look at the page properties: the plugin doesn’t affect those, so you see the punycode “https://www.xn--pypal-4ve.com/”.

I tried to remember the last time I examined the certificate for a site I thought I knew, and couldn’t; probably sometime in the first year that I used the internet. Good enough to phish me.
(The title in the Windows titlebar on the Shmoo site isn’t really a flaw in the spoof: they just didn’t bother with an HTML <title> so IE shows the URI instead.)
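The gap between the punycode in the page properties and the name in the address bar can be checked mechanically. The following is an added example, not code from this post or from the plugin: it decodes each `xn--` label of the URL quoted above and flags labels whose letters come from more than one script. The function names are hypothetical, and taking the script from the first word of each character's Unicode name is a simplifying assumption.

```python
import unicodedata
from urllib.parse import urlsplit

ACE_PREFIX = "xn--"  # marks a punycode-encoded (IDN) DNS label


def decode_label(label):
    """Return the Unicode form of one DNS label; non-IDN labels pass through."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # malformed punycode: keep the wire form


def scripts_in(text):
    """Approximate the scripts used by the letters of `text`.

    Assumption: the first word of a letter's Unicode name ("LATIN",
    "CYRILLIC", ...) is a good enough stand-in for its script.
    """
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def inspect_url(url):
    """Return (wire_label, display_label, scripts) for each host label."""
    host = urlsplit(url).hostname or ""
    rows = []
    for wire in host.split("."):
        shown = decode_label(wire)
        rows.append((wire, shown, scripts_in(shown)))
    return rows


def mixed_script_labels(url):
    """Labels mixing scripts; a single-script lookalike is not caught here."""
    return [row for row in inspect_url(url) if len(row[2]) > 1]


if __name__ == "__main__":
    # The URL is the one quoted in the post.
    for wire, shown, scripts in inspect_url("https://www.xn--pypal-4ve.com/"):
        flag = "MIXED SCRIPTS" if len(scripts) > 1 else "ok"
        codepoints = " ".join(f"U+{ord(c):04X}" for c in shown)
        print(f"{wire:16} {sorted(scripts)} {flag}  [{codepoints}]")
```

Printing the code points next to the script names makes the substituted letter visible even when the terminal font renders it identically to its Latin twin.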
Nice. I thought it was a little odd that Ben has TrackBack enabled on every entry, but I never seem to see any pings, but hey, maybe I just read them too soon after he posts. Should have realized that it’s just like bugmail, where you think you are talking to him without knowing that he’ll never hear a word you say. Live and learn.
Major Browser Security Flaw (including IE?)
phil ringnalda dot com: It’s an IDN thing That’s interesting…from what I had heard it was a non-IE bug. But the screenshots seem to prove that it affects IE as well. Local tests on my Windows machine could not confirm…