Closed Bug 1256009 (CVE-2019-11721) Opened 4 years ago Closed 5 months ago

(punycode) homograph attacks with Κʻ / ĸ (U+0138, *Kra*)

Categories

(Core :: Networking, defect, P3)

45 Branch
defect

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox68 --- fixed

People

(Reporter: u543083, Assigned: jfkthame)

References

Details

(Keywords: csectype-spoof, sec-moderate, Whiteboard: [necko-backlog][adv-main68+])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0
Build ID: 20160303134406

Steps to reproduce:

Click on link with Unicode: Κʻ / ĸ (U+0138, *Kra*) instead of latin k.

Go to http://vĸ.com for example


Actual results:

Address bar shows this like unicode (vĸ.com)


Expected results:

Address bar should show this in punycode  (www.xn--v-tka.com)
Component: Untriaged → Location Bar
Panos, any thoughts on how we might prioritize this?  Should we ask Javaun?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Sorry, I missed this in my bugmail flood. I don't think we want to display punycode instead of unicode domain names in the location bar, every other browser behaves the same. Dan/Tanvi isn't there prior discussion about this?
Flags: needinfo?(tanvi)
Flags: needinfo?(dveditz)
I am not aware of previous discussions on this.  Dan?
Flags: needinfo?(tanvi)
(In reply to Panos Astithas [:past] from comment #2)
> I don't think we want to display punycode instead of unicode domain names in
> the location bar, every other browser behaves the same. Dan/Tanvi isn't there
> prior discussion about this?

Tons of discussion. You're right that we don't want to display punycode when we don't have to, but we also have a bunch of rules about what constitutes a "confusable" label that needs to be displayed in punycode. The main rule is disallowing "script mixing" such as latin with cyrillic. In this case, though, \u0138 is still considered "latin", and allowed to mix with the latin 'v' without triggering punycode display. Unfortunate!

What are our options?
 - live with it, as we live with "paypa1.com"
 - blacklist that letter -- no one with that character can have a nice-looking domain
 - ??
Component: Location Bar → Networking
Flags: needinfo?(dveditz)
Product: Firefox → Core
Flags: needinfo?(gerv)
(In reply to Daniel Veditz [:dveditz] from comment #4)
> What are our options?
>  - live with it, as we live with "paypa1.com"
>  - blacklist that letter -- no one with that character can have a
> nice-looking domain
>  - ??

- Research the usage of this character and see if it's reasonable to get Unicode to add it (and maybe others) to the "historic" characters defined in http://unicode.org/Public/security/latest/xidmodifications.txt (these already include Latin letters such as ƿ, Ƕ, Ȝ etc). This would trigger punycode in the URL bar for us and other browsers that use a similar algorithm to ours.

My superficial research so far suggests this is justified: https://en.wikipedia.org/wiki/Kra_(letter) says "In 1973, a spelling reform replaced the use of kra in Greenlandic with Latin small letter q (and the associated Latin capital letter with Q)"
Simon's solution is the correct one in the long term. And I'm not sure Unicode spoofing is such an on-fire internet problem that we need a different short-term fix. :smontagu: do you know what the correct channel is for submitting this request for consideration?

Gerv
Flags: needinfo?(gerv) → needinfo?(smontagu)
(In reply to Gervase Markham [:gerv] from comment #6)
> :smontagu: do you know what the correct channel is
> for submitting this request for consideration?

http://unicode.org/reporting.html is the formal channel. There is also a link there to the public email list, which can be a good source of informal feedback.
Flags: needinfo?(smontagu)
Putting for now to necko-backlog
Whiteboard: [necko-backlog]
I just sent the following in via that form:


See https://bugzilla.mozilla.org/show_bug.cgi?id=1256009 . We think that Unicode: Κʻ / ĸ (U+0138, *Kra*) should be added to the "historic" characters defined in http://unicode.org/Public/security/latest/xidmodifications.txt.

Our research suggests this is justified: https://en.wikipedia.org/wiki/Kra_(letter) says "In 1973, a spelling reform replaced the use of kra in Greenlandic with Latin small letter q (and the associated Latin capital letter with Q)".

This is an issue because it's a homograph for k, but is considered a Latin letter, and so script mixing algorithms don't disallow domain names such as http://vĸ.com.

Thanks,

Gerv
(Mozilla)
Rick McGowan <rick@unicode dot org> emailed me to say:

"Hello.

At the recent UTC meeting I was directed to let you know that the editor of UTS #39 will make appropriate changes as suggested.

Regards,"

Gerv
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3

Jonathan: in comment 10 the Unicode folks told Gerv they were going to list this character, but I don't see that (the multitude of specifications and data files is confusing, though). In any case we're still supporting this character and it's pretty spoofy. Can we just go ahead and add it to netwerk/dns/IDNCharacterBlocklist.inc ?

Flags: needinfo?(jfkthame)

Yes, I think that would be fine for now.

I sent a query about this to the Unicode technical committee, and it appears to have slipped through the cracks during UTS 39 revisions. By the time of Gerv's feedback, there had been substantial restructuring of the data, such that the file xidmodifications.txt and the category "historic" no longer existed, and it seems this was overlooked in the transition and updates.

I expect we can get this fixed upstream, but it'll take time to work through the process. Meanwhile, adding it to our blocklist would be the more immediate solution.

Flags: needinfo?(jfkthame)
Pushed by jkew@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4bcfd40cc3a8
Add U+0138 to IDN character blocklist. r=valentin
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Assignee: nobody → jfkthame
QA Whiteboard: [qa-68b-p2]
Whiteboard: [necko-backlog] → [necko-backlog][adv-main68+]
Alias: CVE-2019-11721
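The two mechanisms discussed in this bug, the script-mixing rule in comment 4 that lets U+0138 through because it is classed as Latin, and the per-character blocklist entry that the fix adds, are illustrated below in a small model of the location-bar decision. This is an added example, not Firefox's IDN code: the script lookup is a simplified approximation built from Unicode character names rather than the real Script property, the blocklist holds only the U+0138 entry named in the fix, and the function names and the sample hostnames (the page's vĸ.com plus a constructed Latin/Cyrillic mix) are this example's own.

```python
import unicodedata

# Constructed blocklist: U+0138 (LATIN SMALL LETTER KRA) is the code point
# this bug adds to netwerk/dns/IDNCharacterBlocklist.inc; any other entries
# would be assumptions, so the set holds only that one character.
BLOCKLIST = frozenset({"\u0138"})


def script_of(ch: str) -> str:
    """Approximate the script of a code point from the first word of its
    Unicode name ("LATIN", "CYRILLIC", ...). This is a simplified stand-in
    for a real Script-property lookup, which the stdlib does not expose;
    digits and hyphens are treated as script-neutral ("Common")."""
    if ch.isdigit() or ch == "-":
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "Unknown"


def to_ascii(label: str) -> str:
    """Return the ACE (xn--) form of one label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def classify_label(label: str, blocklist=BLOCKLIST) -> str:
    """Return why a label must be shown as punycode, or "allowed"."""
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) > 1:
        return "script-mixing"   # e.g. Latin mixed with Cyrillic
    if any(c in blocklist for c in label):
        return "blocklisted"     # single-script, but a listed confusable
    return "allowed"


def display_form(hostname: str, blocklist=BLOCKLIST):
    """Decide, label by label, whether the location bar shows Unicode or
    punycode. Returns (display_string, list_of_reasons_per_label)."""
    shown, reasons = [], []
    for label in hostname.split("."):
        reason = classify_label(label, blocklist)
        reasons.append(reason)
        shown.append(label if reason == "allowed" else to_ascii(label))
    return ".".join(shown), reasons


if __name__ == "__main__":
    # Constructed sample hostnames: the page's vĸ.com (Latin + Kra), a
    # Latin/Cyrillic mix using U+043A, and plain ASCII vk.com as the control.
    for host in ("v\u0138.com", "v\u043a.com", "vk.com"):
        before, _ = display_form(host, blocklist=frozenset())  # pre-fix policy
        after, why = display_form(host)                        # with U+0138 blocked
        print(f"{host!r}: before={before} after={after} reasons={why}")
```

Run with an empty blocklist, vĸ.com is "allowed" because every character reports as Latin, which is exactly the gap comment 4 describes; with U+0138 listed it is rendered as xn--v-tka.com, the punycode form the reporter expected. The Latin/Cyrillic sample is caught by the script-mixing rule alone, which is why that rule never helped here.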