Phishing and punycode
- Posts: 193
- Joined: April 23rd, 2005, 6:53 am
Phishing and punycode
Per this article https://www.wordfence.com/blog/2017/04/ ... -phishing/ on phishing, should I reset network.IDN_show_punycode to true?
- therube
- Posts: 21714
- Joined: March 10th, 2004, 9:59 pm
- Location: Maryland USA
Re: Phishing and punycode
IMO yes.
Likewise, I suppose, by setting it to true, I guess the potential exists for some URLs to break?
I see (which wasn't the case a number of days ago) they've reopened, Bug 1332714 IDN Phishing using whole-script confusables on Windows and Linux.
(Actually that is not the bug I was looking at a number of days back. This one is new & was originally not accessible to "us".)
More reading (courtesy of fatboy), https://habrahabr.ru/post/279113/ (http://translate.google.com/translate?p ... F279113%2F).
Fire 750, bring back 250.
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball CopyURL+ FetchTextURL FlashGot NoScript
- dickvl
- Posts: 54161
- Joined: July 18th, 2005, 3:25 am
Re: Phishing and punycode
Note that in the test case Cyrillic characters that look similar to Latin characters are used.
еріс = еріс
This won't break websites as this is only used for displaying purposes in the location bar.
https://en.wikibooks.org/wiki/Unicode/C ... /0000-0FFF
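To make the Cyrillic lookalike point above concrete, here is an added Python example (not part of the original post or of any Mozilla code). It converts a hostname to the ASCII "xn--" form that the location bar displays once network.IDN_show_punycode is true, reports which scripts a label uses, and, for a label made entirely of lookalike Cyrillic letters, returns the Latin word a reader would see. The confusable table is a constructed, partial list, and the function names are my own.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that render like Latin letters in
# common fonts (the "whole-script confusables" of the Mozilla bug). Not exhaustive.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04bb": "h", "\u0501": "d", "\u051b": "q", "\u0461": "w", "\u04cf": "l",
}


def to_punycode(hostname: str) -> str:
    """ASCII form of a hostname, i.e. what the location bar shows when
    network.IDN_show_punycode is true. Pure-ASCII labels come back unchanged."""
    return ".".join(label.encode("idna").decode("ascii")
                    for label in hostname.split("."))


def scripts_in(label: str) -> set:
    """Scripts used by a label, taken from the first word of each character's
    Unicode name (LATIN, CYRILLIC, ...); digits and hyphens are ignored."""
    names = (unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label)
    return {n for n in names if n not in ("DIGIT", "HYPHEN-MINUS")}


def latin_lookalike(label: str):
    """If a non-ASCII label consists entirely of lookalike Cyrillic letters,
    return the Latin string a user reads; otherwise None."""
    if label.isascii():
        return None
    if all(ch in CYRILLIC_LOOKALIKES for ch in label):
        return "".join(CYRILLIC_LOOKALIKES[ch] for ch in label)
    return None


def assess(hostname: str) -> list:
    """Per-label report: (label, punycode form, mixed-script flag, Latin lookalike)."""
    report = []
    for label in hostname.split("."):
        report.append((
            label,
            to_punycode(label),
            len(scripts_in(label)) > 1,   # e.g. Latin letters with one Cyrillic "a"
            latin_lookalike(label),       # e.g. "epic" for an all-Cyrillic label
        ))
    return report


if __name__ == "__main__":
    # "\u0435\u0440\u0456\u0441" is the all-Cyrillic "epic" from the thread
    for host in ("epic.com", "\u0435\u0440\u0456\u0441.com", "p\u0430ypal.com"):
        print(host, "->", to_punycode(host), assess(host))
```

The all-Cyrillic label encodes to xn--e1awd7f, which is why showing punycode exposes it: the two spellings are identical on screen but not on the wire. The mixed-script check catches the other common pattern, a Latin name with a single substituted letter, which the whole-script table alone would miss.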
- Posts: 182
- Joined: September 16th, 2008, 1:04 am
- Location: SW WAustralia
Re: Phishing and punycode
The NoScript mavens have had a few discussions around homographs over the years.
therube wrote:
I see (which wasn't the case a number of days ago) they've reopened, Bug 1332714 IDN Phishing using whole-script confusables on Windows and Linux.
(Actually that is not the bug I was looking at a number of days back. This one is new & was originally not accessible to "us".)
Fatboy's rundown is good.
Mozilla's official approach is the most reasonable; there is a world outside the USA.
I'd prefer to just leave the default punycode config off, and continue to double-check on mouseover any critical link, as always, whether in the url bar or titled in a text body.
Don't all the main modern browsers have real IDN display-on-mouseover?
I suppose it's a good idea to turn punycode on if you're a blind link-clicker - but then if that's the case, no amount of the basic advice to copy/paste email links rather than click will help much either.
Would this publicity be because some big boy domain's been spoofed and they don't feel like fessing up yet? Shirley not...
- dickvl
- Posts: 54161
- Joined: July 18th, 2005, 3:25 am
Re: Phishing and punycode
Note that it is quite easy to spoof the link you see at the bottom by using the real link in the href attribute and an onclick or other event handler to go to the fake URL.
Using the href is easy, but there are other ways to intercept and modify the actual outcome.
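The two points made above, that the hover/status-bar check is only as good as the href it shows and that an inline event handler can send the click elsewhere, can be turned into a small link audit for a mail body or page before anyone clicks. This is an added Python example, not code from the thread or from NoScript; the sample HTML is constructed, and the function names are my own. It flags anchors that carry an inline on* handler, anchors whose visible URL names a different host than their href, and anchors whose href host is an internationalized name.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect every <a> element with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # attribute names arrive lower-cased; a bare attribute has value None
            self._current = {"attrs": {k: (v or "") for k, v in attrs}, "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def looks_like_url(text: str) -> bool:
    return text.strip().lower().startswith(("http://", "https://", "www."))


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or of URL-like text such as 'www.example.com/x'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def audit_links(html: str) -> list:
    """Return (visible text, href, reasons) for every anchor whose visible text or
    hover target cannot be trusted on sight."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        attrs, text = link["attrs"], link["text"].strip()
        href = attrs.get("href", "")
        href_host = host_of(href)
        reasons = []

        handlers = sorted(name for name in attrs if name.startswith("on"))
        if handlers:
            reasons.append("inline event handler may override the href: " + ", ".join(handlers))

        if looks_like_url(text) and host_of(text) != href_host:
            reasons.append(f"visible text names {host_of(text)} but href goes to {href_host}")

        if not href_host.isascii() or any(lbl.startswith("xn--") for lbl in href_host.split(".")):
            reasons.append("href host is an internationalized (punycode) name")

        if reasons:
            findings.append((text, href, reasons))
    return findings


# Constructed sample: one honest link and three of the patterns discussed in the thread.
SAMPLE_HTML = """
<p>Sign in at <a href="https://example.com/login">https://example.com/login</a>.</p>
<p>Or <a href="https://example.com/login"
      onclick="location.href='https://example.net/login'; return false;">https://example.com/login</a></p>
<p>Or <a href="https://example.net/reset">https://example.com/reset</a></p>
<p>Or <a href="https://\u0435\u0440\u0456\u0441.com/">https://epic.com/</a></p>
"""

if __name__ == "__main__":
    for text, href, reasons in audit_links(SAMPLE_HTML):
        print(f"{text!r} -> {href!r}")
        for reason in reasons:
            print("   ", reason)
```

The first sample anchor produces no finding; the other three each produce one, and the last one is flagged twice, once for the host mismatch and once for the non-ASCII host, which is the case the punycode preference makes visible in the browser. Handlers attached from a script rather than inline attributes are not seen by this static pass, which is the limit dickvl points at.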