MozillaZine

Phishing and punycode

User Help for Mozilla Firefox
Bennyd
 
Posts: 153
Joined: April 23rd, 2005, 6:53 am

Post Posted April 17th, 2017, 5:16 pm

Per this article https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ on phishing, should I reset network.IDN_show_punycode to true?

therube

 
Posts: 17009
Joined: March 10th, 2004, 9:59 pm
Location: Maryland USA

Post Posted April 17th, 2017, 6:05 pm

IMO yes.

Likewise, I suppose, by setting it to true, I guess the potential exists for some URLs to break?


I see (which wasn't the case a number of days ago) they've reopened, Bug 1332714 IDN Phishing using whole-script confusables on Windows and Linux.
(Actually that is not the bug I was looking at a number days back. This one is new & was originally not accessible to "us".)


More reading (courtesy of fatboy), https://habrahabr.ru/post/279113/ (http://translate.google.com/translate?p ... F279113%2F).

dickvl

 
Posts: 51924
Joined: July 18th, 2005, 3:25 am

Post Posted April 17th, 2017, 8:37 pm

Note that in the test case Cyrillic characters that look similar to Latin characters are used.
еріс (Cyrillic е р і с) = epic (Latin)
This won't break websites, as this is only used for display purposes in the location bar.

https://en.wikibooks.org/wiki/Unicode/C ... /0000-0FFF
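As an added example (not code from this thread, from Mozilla, or from the Wordfence article), the following shows what the two settings of network.IDN_show_punycode put in the location bar for the "epic" homograph above, and why it slips past a script-mixing check: the label is entirely Cyrillic, so it is single-script, yet every letter has a Latin twin. The Punycode encoder follows RFC 3492; the hostnames are constructed for illustration, the look-alike table is a small hand-picked subset, and the IDNA step assumes lower-case, NFC input (no full IDNA mapping is done).

```javascript
// Added example, not the thread's or Mozilla's code.
// RFC 3492 Punycode parameters.
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation from RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digit values 0-25 map to a-z, 26-35 to 0-9.
function digitChar(d) {
  return d < 26 ? String.fromCharCode(97 + d) : String.fromCharCode(22 + d);
}

// Punycode-encode one label (no "xn--" prefix; that is IDNA's job).
function punycodeEncode(label) {
  const cps = Array.from(label, ch => ch.codePointAt(0));
  let out = cps.filter(c => c < 0x80).map(c => String.fromCodePoint(c)).join("");
  const b = out.length;          // number of basic (ASCII) code points
  let h = b;                     // number of code points handled so far
  if (b > 0) out += "-";
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < cps.length) {
    const m = Math.min(...cps.filter(c => c >= n)); // next code point to encode
    delta += (m - n) * (h + 1);
    n = m;
    for (const c of cps) {
      if (c < n) delta++;
      if (c === n) {
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
          if (q < t) break;
          out += digitChar(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        out += digitChar(q);
        bias = adapt(delta, h + 1, h === b);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return out;
}

// IDNA ToASCII, simplified: ASCII labels pass through, others get "xn--".
// Assumes the label is already lower-case and NFC-normalised.
function toAsciiLabel(label) {
  return /^[\x00-\x7f]*$/.test(label) ? label : "xn--" + punycodeEncode(label);
}

function toAsciiHost(host) {
  return host.split(".").map(toAsciiLabel).join(".");
}

// Cyrillic letters whose glyphs coincide with Latin ones (a hand-picked subset).
const LATIN_LOOKALIKE = {
  "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i", "\u0458": "j",
  "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0445": "x", "\u0443": "y",
};

// Whole-script confusable: every character is a Cyrillic letter with a Latin
// twin, so the label is single-script (a script-mixing check passes) yet reads
// as a Latin word. Returns the Latin string it impersonates, or null.
function latinTwin(label) {
  const chars = Array.from(label);
  if (chars.length === 0 || !chars.every(ch => ch in LATIN_LOOKALIKE)) return null;
  return chars.map(ch => LATIN_LOOKALIKE[ch]).join("");
}

// unicode: what the bar shows with IDN_show_punycode=false (single-script label)
// ascii:   what it shows with IDN_show_punycode=true
// confusableWith: the Latin host a user would take it for, if any
function describeHost(host) {
  const labels = host.split(".");
  const twins = labels.map(latinTwin);
  const confusableWith = twins.some(t => t !== null)
    ? labels.map((l, i) => (twins[i] !== null ? twins[i] : l)).join(".")
    : null;
  return { unicode: host, ascii: toAsciiHost(host), confusableWith };
}

// Constructed sample: Cyrillic е р і с, which renders like "epic".
const HOMOGRAPH_HOST = "\u0435\u0440\u0456\u0441.com";
console.log(describeHost(HOMOGRAPH_HOST));
```

With the pref at its default the bar shows the Cyrillic form, which is pixel-identical to epic.com in most fonts; with it set to true the bar shows xn--e1awd7f.com, which is ugly but impossible to mistake for the real site. The same check reports nothing for a genuine Cyrillic word such as почта, because п, ч and т have no Latin twins.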

NanM
 
Posts: 174
Joined: September 16th, 2008, 1:04 am
Location: SW WAustralia

Post Posted April 18th, 2017, 4:42 am

therube wrote:

I see (which wasn't the case a number of days ago) they've reopened, Bug 1332714 IDN Phishing using whole-script confusables on Windows and Linux.
(Actually that is not the bug I was looking at a number days back. This one is new & was originally not accessible to "us".)


The NoScript mavens have had a few discussions around homographs over the years.
Fatboy's rundown is good.
Mozilla's official approach is the most reasonable; there is a world outside the USA.

I'd prefer to just leave the default punycode config off, and continue to double-check on mouseover any critical link, as always, whether in the url bar or titled in a text body. Don't all the main modern browsers have real IDN display-on-mouseover?

I suppose it's a good idea to turn punycode on if you're a blind link-clicker - but then if that's the case, no amount of the basic advice to copy/paste email links rather than click will help much either.

Would this publicity be because some big boy domain's been spoofed and they don't feel like fessing up yet? Shirley not...

dickvl

 
Posts: 51924
Joined: July 18th, 2005, 3:25 am

Post Posted April 18th, 2017, 2:45 pm

Note that it is quite easy to spoof the link you see at the bottom by using the real link in the href attribute and using an onclick or other event handler to go to the fake URL.
Using the href is easy, but there are other ways to intercept and modify the actual outcome.
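As an added example (not code from this thread), here is the status-bar spoof just described, next to a heuristic that flags it when scanning a page or mail body. The markup and URLs are constructed for illustration; www.xn--e1awd7f.com is the Punycode form of the Cyrillic "epic" homograph from earlier in the thread. The scanner is regex-based on purpose, since it inspects untrusted markup rather than rendering it; a production filter would use a real HTML parser, and handlers that build the target URL at runtime will not be caught by a static string match.

```javascript
// Added example, not the thread's code.
// On hover the browser shows the href; on click the handler runs instead.
const SPOOFED_ANCHOR =
  `<a href="https://www.epic.com/login" onclick="window.location='https://www.xn--e1awd7f.com/login'; return false;">Sign in to Epic</a>`;

const HONEST_ANCHOR = `<a href="https://www.epic.com/login">Sign in to Epic</a>`;

// Handler that navigates, but to the same host as the href: not a spoof.
const SAME_HOST_ANCHOR =
  `<a href="https://www.epic.com/login" onclick="window.location='https://www.epic.com/login?from=mail'; return false;">Sign in</a>`;

// Lower-cased host of an absolute URL, or null if it does not parse.
function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return null; }
}

// Value of attribute `nameRe` (a regex fragment) in an attribute string,
// honouring whichever quote character opened it, so a single-quoted URL inside
// a double-quoted onclick is captured whole.
function attrValue(attrs, nameRe) {
  const re = new RegExp("\\b" + nameRe + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)')", "i");
  const m = re.exec(attrs);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

// Anchors whose click/mousedown handler contains an absolute URL on a host
// other than the href host. Returns one finding per mismatching target.
function findLinkSpoofs(html) {
  const findings = [];
  const anchorRe = /<a\b([^>]*)>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const [, attrs, text] = m;
    const href = attrValue(attrs, "href");
    const handler = attrValue(attrs, "on(?:click|mousedown|mouseup|auxclick)");
    if (href === null || handler === null) continue;
    const hrefHost = hostOf(href);
    for (const target of handler.match(/https?:\/\/[^\s'"\\)]+/g) || []) {
      const clickHost = hostOf(target);
      if (clickHost !== null && clickHost !== hrefHost) {
        findings.push({ text: text.trim(), hrefHost, clickHost });
      }
    }
  }
  return findings;
}

// Constructed sample body mixing all three anchors.
const SAMPLE_BODY = HONEST_ANCHOR + "\n" + SAME_HOST_ANCHOR + "\n" + SPOOFED_ANCHOR;
console.log(findLinkSpoofs(SAMPLE_BODY));
```

The point of the check is the one dickvl makes: the hover text comes from href, the navigation from whatever the handler does, and only comparing the two reveals the gap. Copying the link address (rather than clicking) sidesteps the handler entirely, which is why that advice survives this trick even though it does nothing for the homograph itself.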
