Opera Fixes IDN Spoofing in Opera 8.0 Beta 2

Opera Watch writes "Opera has introduced a fix for the IDN spoofing security vulnerability in its latest beta version. The new version, Opera 8.0 beta 2, was released today on its FTP directory. No official announcement from Opera yet. Opera has created a white list for safe top-level domain names which include .no, .jp, .de, .se, .kr, .tw, .cn, .at, .dk, .ch, and .li. Sites not in the white list will show the encoded domain (with the IDN characters) in the URL field. The list is updated automatically when Opera checks for a new version."

discussion @ opera.com

[Arctic+Dragon]

It's been 'unofficially' announced in the Opera Forums

Whitelists ignrore third-level domains.

[molo]

The problem with whitelisting TLDs is that this ignores problems with bogus third-level domains/hosts. The listed registrars prevent registering look-alike domains, but no one controls look alike third-level domains.

For example, ωωω.paypal.jp (using greek omega). This can be combined with a DNS cache attack.

-molo

Re:Whitelists ignrore third-level domains.

[molo]

No, you can do a DNS cache poisoning attack. It is pretty hard to DNS cache poison a address like www.paypal.com because it is already in the cache of most DNS servers (because of the site's popularity). But, there is nothing stopping you from cache poisoning a hostname that no one has tried to connect to yet.

Say for example I'm a phisher and am trying this attack. I send my phishing spam to all of the earthlink.net accounts I have, using the IDN url. At the same time, I start a DNS cache poisoning attack, using spoofed DNS packets that look like they come from paypal, sending to all the known earthlink DNS servers. The DNS servers accept the spoofed packets when they do a query, poisoning the cache. All the client sees is the whitelisted Unicode URL.

-molo