Opera Fixes IDN Spoofing in Opera 8.0 Beta 2
Opera Watch writes "Opera has introduced a fix for the IDN spoofing security vulnerability in its latest beta version. The new version, Opera 8.0 beta 2, was released today on its FTP directory. No official announcement from Opera yet. Opera has created a white list for safe top-level domain names which include .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch, and .li. Sites not in the white list will show the encoded domain (with the IDN characters) in the URL field. The list is updated automatically when Opera checks for a new version."
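The display rule described in the summary above, as an added Python example (not Opera's code): hosts under a whitelisted TLD are shown in Unicode, everything else in encoded form. It assumes "encoded domain" means the ASCII `xn--` form; the function names and sample hostnames are constructed, and the conversion uses Python's built-in IDNA 2003 codec.

```python
# Added example (not Opera's code): TLD-whitelist display rule for IDN hosts.
# Whitelist entries are the TLDs named in the summary; function names and
# sample hostnames are constructed. Uses Python's built-in IDNA 2003 codec.
IDN_WHITELIST = {"no", "jp", "de", "se", "kr", "tw", "cn", "at", "dk", "ch", "li"}


def to_ace(host: str) -> str:
    """Return the ASCII-compatible (xn--) form of a hostname, lower-cased."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()


def display_host(host: str) -> str:
    """Return the string an address bar following this rule would show."""
    try:
        ace = to_ace(host)
    except UnicodeError:
        # Not a valid IDN: escape any non-ASCII so it is never rendered as-is.
        return host.encode("ascii", "backslashreplace").decode("ascii")
    tld = ace.rsplit(".", 1)[-1]
    if tld not in IDN_WHITELIST:
        return ace  # non-whitelisted TLD: never render Unicode
    try:
        return ace.encode("ascii").decode("idna")
    except UnicodeError:
        return ace  # malformed xn-- label: fall back to the encoded form


if __name__ == "__main__":
    samples = [
        "b\u00fccher.de",      # whitelisted TLD, Unicode input
        "xn--bcher-kva.de",    # same host, already encoded
        "ex\u0430mple.com",    # Cyrillic U+0430 in a non-whitelisted TLD
    ]
    for s in samples:
        print(ascii(s), "->", ascii(display_host(s)))
```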
No, you can do a DNS cache poisoning attack. It is pretty hard to DNS cache poison an address like www.paypal.com because it is already in the cache of most DNS servers (because of the site's popularity). But there is nothing stopping you from cache poisoning a hostname that no one has tried to connect to yet.
Say, for example, I'm a phisher and am trying this attack. I send my phishing spam to all of the earthlink.net accounts I have, using the IDN URL. At the same time, I start a DNS cache poisoning attack, using spoofed DNS packets that look like they come from PayPal, sending to all the known EarthLink DNS servers. The DNS servers accept the spoofed packets when they do a query, poisoning the cache. All the client sees is the whitelisted Unicode URL.
-molo
Using your sig line to advertise for friends is lame.