Closed Bug 1383381 Opened 8 years ago Closed 8 years ago

IDN is displayed in the preferences even for URLs for which we would display punycode in the url bar (leading to homograph-based "risks")

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: jcpatel.bugfinder, Unassigned)

Details

Hi there, Mozilla browser effected from homograph attack. when we add a site to our Homepage, it's not validate a url properly, make sure it's display the punycode. Steps To Reproduce: In browser go to option -> General -> add homepage with IDN http://ebаy.com/ now close and open browser again you can see it's redirect to http://xn--eby-7cd.com/ References: https://hackerone.com/reports/29491 https://hackerone.com/reports/175286 Fix : when we add homepage url, make sure it's display the punycode. Same attack reported in Brave Software browser they fixed that here the link of that https://hackerone.com/reports/175286 Cheers, jay
Group: core-security → firefox-core-security
Component: Build Config → Preferences
Product: Core → Firefox
If the URL bar displays it correctly, it's not clear to me how what the preferences display is security-relevant. The MO of a homograph attack is spoofing, but there's nothing to be gained from this spoofing inside the preferences itself as no websites can influence what is happening inside the prefs, only from spoofing in the URL bar (when websites can influence what's happening in the content area of the browser and thus benefit from the spoofed URL). From a quick read (and I could be wrong here), Brave's changes make their preferences always display punycode, thus making IDN useless. This is a path that, at least up until this point, Mozilla has decided not to take. Given the above, this doesn't need to be sec-sensitive, and I'm tempted to close as wontfix. Let's see what Jared thinks.
Group: firefox-core-security
Severity: critical → normal
Flags: needinfo?(jaws)
Summary: Homograph attack → IDN is displayed in the preferences even for URLs for which we would display punycode in the url bar (leading to homograph-based "risks")
Yeah, I don't have a solid feeling either way on this, because IDN is nice for user-typed pages, users may not have to look much at the address bar as long as what they wanted to type shows up in the text box. Would we convert to punycode after the text box loses focus? How do we explain that to users? Asking a user to copy/paste a malicious URL and open preferences, only to eventually get that page to load upon the next visit to the home page seems like a lot of steps when there are simpler ways to attack users. I don't think this is worth changing.
Flags: needinfo?(jaws)
wontfixing per comments #1 and #2, then. :-)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Punycode is not supposed to be exposed to users; we only do this when there's a known problem, and only because there isn't a better solution. It's definitely not right to display the home page URL in always-punycode in the Prefs. Gerv
You need to log in before you can comment on or make changes to this bug.