Closed Bug 233865 Opened 21 years ago Closed 9 years ago

URL: DNS: very long domain name (VLDN) as spoofing

Categories

(Firefox :: Address Bar, defect)

Product:
Firefox
Component:
Address Bar
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: benc, Unassigned)

References

(
URL
)

Details

(mentioned in several places, including bug 232567#c2)

A URL that has a very long domain name can sometimes be used to deceive a user:

The general confusion is created by either user ignorance of the URL syntax
(where does the hostname begin and end?) and is possibly aided by UI that
truncates the hostname.

http://www.microsoft.com.windows.2000.badsite.com

There are several aspects of this that should be noted.

1- what are valid characters in the hostname? are there characters that could be
used to suggest, visually, that a hostname has ended (when syntactically it has
not)?
2- are UI elements doing any unescaping or filtering of hostname charaacters
that change the displayed URL -or- confuse users?
3- are there UI elements that are truncating (edge of text box or "..." after a
certain length)?

If necessary to avoid drift, if these items become full blown issues that need
to be fixed via patch, lets break out new bugs quickly.

NOTE:
This threat is probably a lower priority than the other two issues (bug 232567
and bug 122445), because in most cases there is a clear line of authority both
for who configured the spoof, and who can turn it off. A hostmaster would have
to either delgate a subdomain or have made the configuration themselves. The
spoofing domain is likely a trademark or other intelectual property violation
that can be quickly addressed through legal channels, and/or cutting off the
offending domain at the TLD.
There is also problem with showing long URLs at all.
See bug 265551 .
Assignee: darin → nobody
QA Contact: benc → networking
Component: Networking → Location Bar
Product: Core → Firefox
Considering the lock indicators, the control panel and the url hilighting, I'm not sure if this bug deserves to still be around.
If it would have some suggested actions or actionable item, then it may be useful but like this... May we close it?
Flags: needinfo?(dveditz)
We've introduced many anti-spoofing measures over the years. Probably can do more but we'd need more specific enhancement bugs.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.