Domain phishing flaw hits non-Microsoft Browsers

by Jack Richins

CNet reports most non-Microsoft browsers affected by a phishing flaw. It appears the basic problem is Firefox and other mozilla based browsers will render unicode domain names. The concern is most users will not notice the difference between paypal.com and paypal with an accent over the "a" characters.

I think this points to why security is so difficult – the flaw was in the feature, not the code used to implement the feature. Microsoft isn’t affected because they did not implement the feature – but they’ve probably been reamed somewhere on the internet for not doing so and slowing the adopting of "standards". Security is tough and it has to be thought about at every level – from the low-level code to the standards adopted across the internet. It would be nice if Microsoft could claim they didn’t implement this feature because they were concerned about such attacks, but I suspect they were concerned about breaking backwards compatibility and were merely waiting for their next major browser release so they could test it more.

Advertisements