VerifyURL 0.4, now with IDN decoding

InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

This is simply the "Verify URL" bookmarklet converted into a menu item.

javascript:alert('The real host of this site is: ' + location.protocol + '//' + location.hostname + '/');


It adds a "VerifyURL" context menu item. This simply creates a javascript alert box showing the true hostname of the site.

This gives you access to your verification bookmarklet even if your bookmarks aren't handy. This works on the spoofs at http://www.nd.edu/~jsmith30/xul/test/spoof.html for example.

This isn't intended to be anything major, just an easy way to add one more verification step. If you're setting a newbie up with Firefox, this may be something you want to add.

Giving credit where it's due, I used the BugMeNot extension as a template for creating this. I also found the bookmarklet on some site a while ago (shortly after http://username@server.com/ URLs were removed from IE), though I tweaked mine since then.

Version 0.2 up now
Added a toolbar button for the function.

Version 0.4 up now
Added IDN decoding
Last edited by InvisiBill on February 11th, 2005, 4:04 pm, edited 4 times in total.
AnonEmoose
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Post by AnonEmoose »

nice work ..... along the line of my post here
http://forums.mozillazine.org/viewtopic ... 224#690224

a suggestion if I may... include a button that can be added to the menu/toolbar... Users can then place it on their uppermost menu bar... (or if they put it lower toolbar the lack of the button is surely an indication to be alert)
InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

By all means, make suggestions. =)

I'm still a relative newb to all this, and learn by examining how other extensions work. I'll take a look at some stuff and see about adding a toolbar widget for it too.

I chose the context menu because that was still 100% available on that spoofed page, even when my bookmarklet in my bookmarks toolbar wasn't.
InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

Version 0.2 is available now, with a toolbar button.
InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

This seems to be very similar to SpoofStick, though I've never actually used it. SpoofStick appears to create another bar with the info, while VerifyURL pops the info up in a dialog as requested from the context menu or toolbar button.
StealthTiger
Posts: 71
Joined: February 29th, 2004, 1:11 pm
Location: Chicago

Post by StealthTiger »

Very nice extension! I like the toolbar button. Hmmm...now I have to decide if I want to use Spoofstick, too.
InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

VerifyURL is up to 0.4 now. It now decodes IDNs, the latest spoof that everyone's been worried about.

http://invisibill.mozdev.org/verifyurl/ is still where it lives (and it actually has some info now).

Here's what Secunia's Paypal spoof (http://www.paypаl.com/) looks like:

I have to admit, the new version of SpoofStick is very nice. It's much more configurable, so you're able to simply show the hostname on a toolbar (like next to your menu items). Since it can still provide the necessary info in a much less intrusive way (it doesn't require its own toolbar now), I highly recommend it. I'll probably install it on my parents' machine. However, some people may still prefer VerifyURL, so I added the IDN decoding stuff.

For anyone interested, http://www.xulplanet.com/references/xpc ... vice1.html and http://www.xulplanet.com/references/xpc ... rvice.html have info on the IDN service commands.
jbash
Posts: 101
Joined: November 17th, 2003, 1:39 pm
Location: Chicago

Post by jbash »

FWIW I couldn't get the new version:
The requested URL /pub/mozdev/invisibill/verifyurl_0.4.xpi was not found on this server.
thorazine
Posts: 70
Joined: September 19th, 2004, 10:07 am

Post by thorazine »

Very good!

I think this should be included in the standard Firefox Page Info dialog box by default with some warning in bold red characters when the page's URL doesn't match the real host.
InvisiBill
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Post by InvisiBill »

jbash wrote: FWIW I couldn't get the new version:
The requested URL /pub/mozdev/invisibill/verifyurl_0.4.xpi was not found on this server.

MozDev has an automatic mirror system. You were probably sent to a server that didn't get the file yet. Try http://downloads.mozdev.org/invisibill/ ... rl_0.4.xpi again, and hopefully you'll get a working server.

thorazine wrote: Very good!

I think this should be included in the standard Firefox Page Info dialog box by default with some warning in bold red characters when the page's URL doesn't match the real host.

That's not really possible. The URL has to match the host, by definition. If the host didn't match, it would be a different URL. My extension and SpoofStick both just cut out the extra confusing stuff from the URL, so it's easier for people to see whether it's really the site they think it is. There's nothing in either one that shows if something is good or bad. It just simplifies things so the user can make a better decision.
Sealord
Posts: 38
Joined: July 10th, 2004, 8:58 am

Post by Sealord »

InvisiBill wrote: VerifyURL is up to 0.4 now. It now decodes IDNs, the latest spoof that everyone's been worried about.


I like your new extension. Thanks.

I use Greasemonkey (mentioned by Serlio Feb 8th 2005 11:07am) to warn me with an alert and then if there is one use VerifyURL to see what is wrong. The Greasemonkey script I use is:
(function (){
if (document.location.href.search(/[^\x20-\x7E]/) >= 0) {

alert ... etc

Is it possible to "tack" that into the script you wrote so that it will alert to a possible spoof and at the same time show the decoded IDN in the same alert popup?
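
The combination asked about above, as an added example that is not part of the thread or of VerifyURL's code: one function that reports the real host, decodes any IDN labels, and flags non-ASCII or encoded input. `describeHost` and `punycodeDecode` are hypothetical names, and a hand-written RFC 3492 decoder stands in for the browser's IDN service.

```javascript
// Added example (not VerifyURL's code). describeHost and punycodeDecode are
// hypothetical names; any URLs passed in for testing are constructed samples.

// Decode one punycode label body (the text after "xn--") per RFC 3492.
function punycodeDecode(input) {
  const base = 36, tMin = 1, tMax = 26, skew = 38, damp = 700;
  let n = 128, i = 0, bias = 72;
  const d = input.lastIndexOf('-');            // last delimiter ends the basic code points
  const out = d > 0 ? Array.from(input.slice(0, d), ch => ch.codePointAt(0)) : [];
  let pos = d > 0 ? d + 1 : 0;
  while (pos < input.length) {
    const oldi = i;
    for (let w = 1, k = base; ; k += base) {   // read one variable-length integer
      if (pos >= input.length) throw new RangeError('truncated punycode');
      const c = input.charCodeAt(pos++);
      const digit = c >= 48 && c <= 57 ? c - 22   // '0'-'9' -> 26..35
        : c >= 97 && c <= 122 ? c - 97            // 'a'-'z' -> 0..25
        : c >= 65 && c <= 90 ? c - 65 : -1;       // 'A'-'Z' -> 0..25
      if (digit < 0) throw new RangeError('invalid punycode digit');
      i += digit * w;
      const t = k <= bias ? tMin : k >= bias + tMax ? tMax : k - bias;
      if (digit < t) break;
      w *= base - t;
    }
    const len = out.length + 1;
    // Bias adaptation (RFC 3492 section 6.1).
    let delta = oldi === 0 ? Math.floor((i - oldi) / damp) : (i - oldi) >> 1;
    delta += Math.floor(delta / len);
    let b = 0;
    for (; delta > ((base - tMin) * tMax) >> 1; b += base) delta = Math.floor(delta / (base - tMin));
    bias = b + Math.floor((base - tMin + 1) * delta / (delta + skew));
    n += Math.floor(i / len);                  // next code point to insert
    i %= len;                                  // position to insert it at
    out.splice(i++, 0, n);
  }
  return String.fromCodePoint(...out);
}

// Report the real host, its decoded IDN form, and whether to warn the user.
function describeHost(href) {
  const host = new URL(href).hostname;         // the URL parser yields the ASCII (xn--) form
  const decoded = host.split('.').map(label =>
    label.startsWith('xn--') ? punycodeDecode(label.slice(4)) : label).join('.');
  // Same regex test as the Greasemonkey snippet, plus a check for encoded labels.
  const suspicious = /[^\x20-\x7E]/.test(href) || decoded !== host;
  return { host, decoded, suspicious };
}
```

In a userscript or extension, pass `location.href` and show `host` and `decoded` side by side in the alert whenever `suspicious` is true.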