I installed the SARE rule updates channel into a nightly sa-update routine yesterday, and noticed today that the rules didn’t appear to be getting used. I had misread the docs initially it turns out - you must use the updates.spamassassin.org channel if you plan to use any other channels since SA expects to find all rules in one location.

When I tried adding the default channel tonight I was getting the following error tonight while setting up sa-update:

error: GPG validation failed!
The update downloaded successfully, but it was not signed with a trusted GPG
key. Instead, it was signed with the following keys:

24F434CE

Perhaps you need to import the channel's GPG key? For example:

wget http://spamassassin.apache.org/updates/GPG.KEY
gpg --import GPG.KEY

After poking around for a bit I found the last line of the message is misleading - you actually want to run sa-update --import GPG.KEY after downloading it.

Yesterday, I posted more info on the Firefox IDN issue along with a couple of additional work arounds to address the issue of the state of the enableIDN flag not being properly changed, even though it shows as being false. I had originally included a link to an extension that has been written to disable IDN permanently, but on the two machines I tested it on, Firefox wouldn’t load properly once the machine was rebooted. For those who just want things to work, I’d recommend against using the extension.

Editing the compreg.dat file manually works, as does installing the nightly build of Firefox, which is the option I chose since I already had to re-install the app to fix the load problem.

For those wanting to experiment, the extenstion is available here: http://friedfish.homeip.net/extensions/no-idn.xpi.

A security risk in International Domain Name [IDN] support was announced at Shmoocon this past weekend. The attack works on most browsers other than Microsoft IE (which doesn’t support IDN unless a plugin has been installed).

The Shmoo Group has a proof of concept page up demonstrating how a browser can appear to load paypal.com. The exploit works for both normal and SSL enabled sites.

The fix for Firefox is straight forward:

1. Navigate to about:config in Firefox (enter it in the address bar).
2. Enter network.enableIDN in the filter bar.
3. Double click the entry for network.enableIDN if it’s value is currently true. It should be bold when false/disabled.

Once IDN is disabled, the proof of concept will fail with an error that the site can’t be loaded.

[update 2005-02-15 - This fix is not 100% reliable, see my later post.]