Closed
Bug 1256009
(CVE-2019-11721)
Opened 8 years ago
Closed 5 years ago
(punycode) homograph attacks with Κʻ / ĸ (U+0138, *Kra*)
Categories
(Core :: Networking, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla68
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | fixed |
People
(Reporter: u543083, Assigned: jfkthame)
References
Details
(Keywords: csectype-spoof, sec-moderate, Whiteboard: [necko-backlog][adv-main68+])
Attachments
(2 files)
70a7f8e2c75f4e0c916cb587e56d39c8.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:45.0) Gecko/20100101 Firefox/45.0 Build ID: 20160303134406 Steps to reproduce: Click on link with Unicode: Κʻ / ĸ (U+0138, *Kra*) instead of latin k. Go to http://vĸ.com for example Actual results: Address bar shows this like unicode (vĸ.com) Expected results: Address bar should show this in punycode (www.xn--v-tka.com)
|
||
Comment 1•8 years ago
|
||
Panos, any thoughts on how we might prioritize this? Should we ask Javaun?
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
||
Comment 2•8 years ago
|
||
Sorry, I missed this in my bugmail flood. I don't think we want to display punycode instead of unicode domain names in the location bar, every other browser behaves the same. Dan/Tanvi isn't there prior discussion about this?
Flags: needinfo?(tanvi)
Flags: needinfo?(dveditz)
|
||
Comment 3•8 years ago
|
||
I am not aware of previous discussions on this. Dan?
|
|
||
Updated•8 years ago
|
Flags: needinfo?(tanvi)
|
||
Comment 4•8 years ago
|
||
(In reply to Panos Astithas [:past] from comment #2) > I don't think we want to display punycode instead of unicode domain names in > the location bar, every other browser behaves the same. Dan/Tanvi isn't there > prior discussion about this? Tons of discussion. You're right that we don't want to display punycode when we don't have to, but we also have a bunch of rules about what constitutes a "confusable" label that needs to be displayed in punycode. The main rule is disallowing "script mixing" such as latin with cyrillic. In this case, though, \u0138 is still considered "latin", and allowed to mix with the latin 'v' without triggering punycode display. Unfortunate! What are our options? - live with it, as we live with "paypa1.com" - blacklist that letter -- no one with that character can have a nice-looking domain - ??
Component: Location Bar → Networking
Flags: needinfo?(dveditz)
Product: Firefox → Core
|
|
||
Updated•8 years ago
|
Flags: needinfo?(gerv)
|
||
Comment 5•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #4) > What are our options? > - live with it, as we live with "paypa1.com" > - blacklist that letter -- no one with that character can have a > nice-looking domain > - ?? - Research the usage of this character and see if it's reasonable to get Unicode to add it (and maybe others) to the "historic" characters defined in http://unicode.org/Public/security/latest/xidmodifications.txt (these already include Latin letters such as ƿ, Ƕ, Ȝ etc). This would trigger punycode in the URL bar for us and other browsers that use a similar algorithm to ours. My superficial research so far suggests this is justified: https://en.wikipedia.org/wiki/Kra_(letter) says "In 1973, a spelling reform replaced the use of kra in Greenlandic with Latin small letter q (and the associated Latin capital letter with Q)"
|
||
Comment 6•8 years ago
|
||
Simon's solution is the correct one in the long term. And I'm not sure Unicode spoofing is such an on-fire internet problem that we need a different short-term fix. :smontagu: do you know what the correct channel is for submitting this request for consideration? Gerv
Flags: needinfo?(gerv) → needinfo?(smontagu)
|
|
||
Comment 7•8 years ago
|
||
(In reply to Gervase Markham [:gerv] from comment #6) > :smontagu: do you know what the correct channel is > for submitting this request for consideration? http://unicode.org/reporting.html is the formal channel. There is also a link there to the public email list, which can be a good source of informal feedback.
Flags: needinfo?(smontagu)
|
|
||
Comment 9•8 years ago
|
||
I just sent the following in via that form: See https://bugzilla.mozilla.org/show_bug.cgi?id=1256009 . We think that Unicode: Κʻ / ĸ (U+0138, *Kra*) should be added to the "historic" characters defined in http://unicode.org/Public/security/latest/xidmodifications.txt. Our research suggests this is justified: https://en.wikipedia.org/wiki/Kra_(letter) says "In 1973, a spelling reform replaced the use of kra in Greenlandic with Latin small letter q (and the associated Latin capital letter with Q)". This is an issue because it's a homograph for k, but is considered a Latin letter, and so script mixing algorithms don't disallow domain names such as http://vĸ.com. Thanks, Gerv (Mozilla)
|
|
||
Comment 10•7 years ago
|
||
Rick McGowan <rick@unicode dot org> emailed me to say: "Hello. At the recent UTC meeting I was directed to let you know that the editor of UTS #39 will make appropriate changes as suggested. Regards," Gerv
|
||
Comment 11•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: -- → P1
|
|
||
Comment 12•7 years ago
|
||
Bulk change to priority: https://bugzilla.mozilla.org/show_bug.cgi?id=1399258
Priority: P1 → P3
|
|
||
Updated•5 years ago
|
Keywords: csectype-spoof,
sec-moderate
|
|
||
Comment 14•5 years ago
|
||
Jonathan: in comment 10 the Unicode folks told Gerv they were going to list this character, but I don't see that (the multitude of specifications and data files is confusing, though). In any case we're still supporting this character and it's pretty spoofy. Can we just go ahead and add it to netwerk/dns/IDNCharacterBlocklist.inc ?
Flags: needinfo?(jfkthame)
|
Assignee | |
Comment 15•5 years ago
|
||
Yes, I think that would be fine for now.
I sent a query about this to the Unicode technical committee, and it appears to have slipped through the cracks during UTS 39 revisions. By the time of Gerv's feedback, there had been substantial restructuring of the data, such that the file xidmodifications.txt and the category "historic" no longer existed, and it seems this was overlooked in the transition and updates.
I expect we can get this fixed upstream, but it'll take time to work through the process. Meanwhile, adding it to our blocklist would be the more immediate solution.
Flags: needinfo?(jfkthame)
|
|
Assignee | |
Comment 16•5 years ago
|
||
|
||
Comment 17•5 years ago
|
||
Pushed by jkew@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4bcfd40cc3a8 Add U+0138 to IDN character blocklist. r=valentin
|
||
Comment 18•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox68:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
|
||
Updated•5 years ago
|
Assignee: nobody → jfkthame
|
||
Updated•5 years ago
|
QA Whiteboard: [qa-68b-p2]
|
||
Updated•5 years ago
|
Whiteboard: [necko-backlog] → [necko-backlog][adv-main68+]
|
|
||
Updated•5 years ago
|
Alias: CVE-2019-11721
You need to log in
before you can comment on or make changes to this bug.
Description
•