MozillaZine

VerifyURL 0.4, now with IDN decoding

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted August 5th, 2004, 1:16 pm

This is simply the "Verify URL" bookmarklet converted into a menu item.
Code:
javascript:alert('The real host of this site is: ' + location.protocol + '//' + location.hostname + '/');


It adds a "VerifyURL" context menu item. This simply creates a javascript alert box showing the true hostname of the site.

This gives you access to your verification bookmarklet even if your bookmarks aren't handy. This works on the spoofs at http://www.nd.edu/~jsmith30/xul/test/spoof.html for example.

This isn't intended to be anything major, just an easy way to add one more verification step. If you're setting a newbie up with Firefox, this may be something you want to add.

Giving credit where it's due, I used the BugMeNot extension as a template for creating this. I also found the bookmarklet on some site a while ago (shortly after http://username@server.com/ URLs were removed from IE), though I tweaked mine since then.

Version 0.2 up now
Added a toolbar button for the function.

Version 0.4 up now
Added IDN decoding
Last edited by InvisiBill on February 11th, 2005, 4:04 pm, edited 4 times in total.

AnonEmoose
 
Posts: 2031
Joined: February 6th, 2004, 11:59 am

Posted August 5th, 2004, 9:53 pm

nice work ..... along the line of my post here
http://forums.mozillazine.org/viewtopic ... 224#690224

a suggestion if I may... include a button that can be added to the menu/toolbar... Users can then place it on their uppermost menu bar... (or if they put it lower toolbar the lack of the button is surely an indication to be alert)

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted August 5th, 2004, 11:15 pm

By all means, make suggestions. =)

I'm still a relative newb to all this, and learn by examining how other extensions work. I'll take a look at some stuff and see about adding a toolbar widget for it too.

I chose the context menu because that was still 100% available on that spoofed page, even when my bookmarklet in my bookmarks toolbar wasn't.

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted August 6th, 2004, 9:20 am

Version 0.2 is available now, with a toolbar button.

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted August 11th, 2004, 12:32 pm

This seems to be very similar to SpoofStick, though I've never actually used it. SpoofStick appears to create another bar with the info, while VerifyURL pops the info up in a dialog as requested from the context menu or toolbar button.

StealthTiger
 
Posts: 71
Joined: February 29th, 2004, 1:11 pm
Location: Chicago

Posted August 11th, 2004, 7:14 pm

Very nice extension! I like the toolbar button. Hmmm...now I have to decide if I want to use Spoofstick, too.

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted February 11th, 2005, 4:02 pm

VerifyURL is up to 0.4 now. It now decodes IDNs, the latest spoof that everyone's been worried about.

http://invisibill.mozdev.org/verifyurl/ is still where it lives (and it actually has some info now).

Here's what Secunia's Paypal spoof (http://www.paypаl.com/) looks like:
[Image]

I have to admit, the new version of SpoofStick is very nice. It's much more configurable, so you're able to simply show the hostname on a toolbar (like next to your menu items). Since it can still provide the necessary info in a much less intrusive way (it doesn't require its own toolbar now), I highly recommend it. I'll probably install it on my parents' machine. However, some people may still prefer VerifyURL, so I added the IDN decoding stuff.

For anyone interested, http://www.xulplanet.com/references/xpc ... vice1.html and http://www.xulplanet.com/references/xpc ... rvice.html have info on the IDN service commands.

jbash
 
Posts: 101
Joined: November 17th, 2003, 1:39 pm
Location: Chicago

Posted February 11th, 2005, 5:43 pm

FWIW I couldn't get the new version:
The requested URL /pub/mozdev/invisibill/verifyurl_0.4.xpi was not found on this server.

thorazine
 
Posts: 70
Joined: September 19th, 2004, 10:07 am

Posted February 12th, 2005, 2:32 am

Very good!

I think this should be included in the standard Firefox Page Info dialog box by default with some warning in bold red characters when the page's URL doesn't match the real host.

InvisiBill

 
Posts: 1632
Joined: August 27th, 2003, 1:42 pm
Location: Michigan

Posted February 12th, 2005, 5:34 am

jbash wrote: FWIW I couldn't get the new version:
The requested URL /pub/mozdev/invisibill/verifyurl_0.4.xpi was not found on this server.

MozDev has an automatic mirror system. You were probably sent to a server that didn't get the file yet. Try http://downloads.mozdev.org/invisibill/ ... rl_0.4.xpi again, and hopefully you'll get a working server.

thorazine wrote: Very good!

I think this should be included in the standard Firefox Page Info dialog box by default with some warning in bold red characters when the page's URL doesn't match the real host.

That's not really possible. The URL has to match the host, by definition. If the host didn't match, it would be a different URL. My extension and SpoofStick both just cut out the extra confusing stuff from the URL, so it's easier for people to see whether it's really the site they think it is. There's nothing in either one that shows if something is good or bad. It just simplifies things so the user can make a better decision.

Sealord

 
Posts: 38
Joined: July 10th, 2004, 8:58 am

Posted February 12th, 2005, 12:59 pm

InvisiBill wrote: VerifyURL is up to 0.4 now. It now decodes IDNs, the latest spoof that everyone's been worried about.


I like your new extension. Thanks.

I use Greasemonkey (mentioned by Serlio Feb 8th 2005 11:07am) to warn me with an alert and then if there is one use VerifyURL to see what is wrong. The Greasemonkey script I use is:
(function (){
if (document.location.href.search(/[^\x20-\x7E]/) >= 0) {

alert ... etc

Is it possible to "tack" that into the script you wrote so that it will alert to a possible spoof and at the same time show the decoded IDN in the same alert popup?
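
Added example, not part of the thread and not VerifyURL's or Sealord's code: one way to combine the non-ASCII test from the post above with the real-host display of the original bookmarklet, using the standard `URL` parser. The function name `verifyUrl`, the warning texts and the sample URLs are constructed for illustration.

```javascript
// Added example: report the real host of a URL and flag common spoof signs.
function verifyUrl(href) {
  const u = new URL(href); // WHATWG URL parser; throws on unparsable input
  const warnings = [];

  // Sealord's check: any character outside printable ASCII in the raw URL.
  if (/[^\x20-\x7E]/.test(href)) {
    warnings.push('URL contains non-ASCII characters');
  }

  // u.hostname is always the ASCII (Punycode) form, so IDN labels appear as
  // "xn--..." even when the raw URL was already converted before we saw it.
  const idnLabels = u.hostname.split('.').filter((l) => l.startsWith('xn--'));
  if (idnLabels.length > 0) {
    warnings.push('IDN label(s) in host: ' + idnLabels.join(', '));
  }

  // http://username@server.com/ style: text before "@" is not the host.
  if (u.username || u.password) {
    warnings.push('text before "@" is login info, not the host: ' + u.username);
  }

  const realHost = u.protocol + '//' + u.hostname + '/';
  let message = 'The real host of this site is: ' + realHost;
  if (warnings.length > 0) {
    message += '\nPossible spoof:\n- ' + warnings.join('\n- ');
  }
  return { realHost, warnings, message };
}

// Constructed sample URLs (the second uses Cyrillic U+0430 in place of "a").
const SAMPLE_URLS = [
  'https://www.mozilla.org/',
  'http://www.payp\u0430l.com/',
  'http://www.paypal.com@example.test/login',
];
for (const href of SAMPLE_URLS) {
  console.log(verifyUrl(href).message + '\n');
}
```

In a page context the same message could be shown with `alert(verifyUrl(location.href).message)`.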
