1363313 - clone of Bug #1332714: IDN Phishing using whole-script confusables on Windows and Linux

Status: RESOLVED DUPLICATE of bug 1332714

(Firefox :: Address Bar, defect, P3)

Description

[[:ewalavir]]

Attachment: Show punycode tricks without showing punycode

Sorry for cloning a bug, but I have "You are not allowed to make an additional comment on this bug." without further explanations.

I wanted to add that always showing the punycode is as unsatisfying as setting a won't fix: there should be a solution in the UI.

For example, the URL bar could show a (clickable-for-help) icon representative of the script used for the next letters. That way, all languages are equal and the user is shown what is going on. I thought about modifications of font weight and/or color but it doesn't seem as satisfying.

Here is a mockup: http://imgur.com/a/KfRn5

The idea is to show somewhat discreetly that the current script used and any changes happening. The algorithm for generating the icon has to be defined (I used the first two letters of Wikipedia page dedicated to the script in one language using it: "Latin script", "Кириллица" & "Ελληνικό αλφάβητο"). The drawback is that it doesn't automatically scale to languages using glyphs (mandarin, Japanese). Another solution can be to use the first two letters (in ASCII) from the ISO 15924 code for composing the icon.

I hope I could help a little on this user-security trap :)


+++ This bug was initially created as a clone of Bug #1332714 +++

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161209094039

Steps to reproduce:

See https://www.xn--80ak6aa92e.com/ - if you compare with https://www.apple.com/, URL looks identical on Windows and Linux. On OS X, the font is slightly different, and it is potentially possible to distinguish between the two.

The domain xn--80ak6aa92e.com is currently proxying requests to apple.com to demonstrate how difficult it is to distinguish the malicious domain. I will  take it offline in the near future.

This issue also exists in Chrome and has been reported to them as well. On Safari, the URL does not appear as "apple.com", likely because Safari interprets some of the characters as belonging to a different language.

Comment 1

[:Gijs (he/him)]

We restricted comments for a reason. There were multiple mailing list threads about this already, see e.g. https://groups.google.com/forum/#!topic/mozilla.dev.security/4cG5Dmi-lH0 . In future, please don't clone bugs (which spams everybody on the CC list of the original bug, creates noise in the bug database, and then spams everyone again when we try to clean up the noise). Apologies to the CC list of this bug.

Adding this kind of indicator was discussed already in bug 1332714 comment 54 and further.