Closed Bug 1438114 Opened 7 years ago Closed 7 years ago

IDN policy bug

Categories

(Firefox :: General, defect)

52 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1349316

People

(Reporter: andreadari91, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.167 Safari/537.36

Steps to reproduce:

Firefox 52.6.0 ESR does not properly show this link: http://www.airfrạnce.com/ (ATTENTION: should be malicious) in punycode format. It contains a Latin Unicode character ( ạ , U+1EA1 ) easily confused with a normal a, making users think they are visiting the real website. This is the punycode (not shown) of the site above: www.xn--airfrnce-rx0d.com
This looks like a dupe of public bug 1349316 to me. Valentin?
Flags: needinfo?(valentin.gosu)
(In reply to :Gijs from comment #1)
> This looks like a dupe of public bug 1349316 to me. Valentin?

Yes, it's a dupe. Btw, I don't have a bunch of cycles on hand right now, so if you could consider driving 1349316 I would really appreciate it!
Flags: needinfo?(valentin.gosu)
FWIW, even with the additional characters Chrome has decided (somewhat unilaterally/arbitrarily) to block, per bug 1349316 comment 7, this still wouldn't be affected, as U+1EA1 is required for Vietnamese. See Jungshik's comment there: "Note that U+1E9C - U+1EFF are left alone because they're used in Vietnamese. And, there are quite a lot of Latin letters with dot below in that range."
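To make the punycode fallback and the Vietnamese overlap concrete, here is an added Python example (not code from Firefox or from anyone on this bug) that converts a hostname to its punycode form, strips diacritics to get the ASCII label a reader perceives, and flags characters in the U+1E9C to U+1EFF range quoted above; the Vietnamese sample label is constructed.

```python
import unicodedata

# Range quoted from bug 1349316: Chrome leaves U+1E9C-U+1EFF alone
# because those Latin letters (many with dot below) are needed for Vietnamese.
VIETNAMESE_RANGE = range(0x1E9C, 0x1F00)


def to_punycode(hostname: str) -> str:
    """ToASCII form of a hostname, label by label (what the URL bar shows
    when a browser decides not to display the Unicode form)."""
    return hostname.encode("idna").decode("ascii")


def ascii_skeleton(label: str) -> str:
    """Canonically decompose the label and drop combining marks, so
    'airfrạnce' becomes the plain ASCII 'airfrance' a reader perceives."""
    decomposed = unicodedata.normalize("NFD", label)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def analyze_label(label: str) -> dict:
    """Classify one Unicode label from a defender's point of view."""
    non_ascii = [ch for ch in label if ord(ch) > 0x7F]
    skeleton = ascii_skeleton(label)
    return {
        "punycode": to_punycode(label),
        "non_ascii": [f"U+{ord(ch):04X}" for ch in non_ascii],
        "in_vietnamese_range": any(ord(ch) in VIETNAMESE_RANGE for ch in non_ascii),
        # A label that collapses to pure ASCII once diacritics are removed
        # reads, to a casual eye, like that ASCII label: the homograph risk.
        "ascii_lookalike": bool(non_ascii) and skeleton.isascii() and skeleton != label,
        "skeleton": skeleton,
    }


if __name__ == "__main__":
    # The label from this report, and a constructed genuine Vietnamese word.
    for sample in ("airfrạnce", "việt", "airfrance"):
        print(sample, analyze_label(sample))
```

Both the reported label and the genuine Vietnamese word come out as ASCII lookalikes inside the Vietnamese range, which is why a per-character blocklist alone cannot separate them and why the thread falls back to SafeBrowsing for this site.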
I have reported the same issue to Chromium's developers earlier today, let's see what they say... This bug is currently exploited in the wild, so in my opinion it is important to have a solution to it, even if this set of characters is used by the Vietnamese language. In TLDs like .com they should not be used! and should be displayed in punycode.
Doesn't need to be hidden if it's a public attack site and known enough to get blocked by SafeBrowsing.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE