Open Bug 1617385 Opened 5 years ago Updated 2 years ago

[IDN Phishing] Protect against phishing using IDN homoglyphs when reading mail

Categories: Thunderbird :: Security, enhancement

Tracking: Not tracked

People: Reporter: vesely, Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

Steps to reproduce:

Receive a message where the (possibly authenticated) domain name in the From: field contains a mix of Western characters and Russian or Greek characters that can be used to create homoglyphs, such as, for example, 'о' (U+043E) and 'ⲟ' (U+2C9F).

Actual results:

The counterfeit is not highlighted.

Expected results:

This specific kind of homoglyph should be detected by a specific function that signals language mixes. See also bug #1504526.

That function won't catch stuff like rnicrosoft or MICR0S0FT; that's a different kind of homoglyph.

Given that you can many times just put the real (fake) address as From, it's not clear that adds too much value though.

(In reply to Magnus Melin [:mkmelin] from comment #1)

> Given that you can many times just put the real (fake) address as From, it's not clear that adds too much value though.

Correct, it is not a cure-all. However, for example, a bank could have a DMARC record with p=reject, asking receivers to bounce non-authenticated messages. Obviously, a receiver can only retrieve that DMARC record if the From: trn@bank.com has the correct domain part. A phisher can then send messages with From: trn@bаnk.com, which is not what it looks like, and which can have a suitable DMARC record and DKIM signature by the bad guys.

Without anti-homoglyphs provisions, the whole email authentication circus collapses miserably.

Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Thunderbird deserves a cute anti-phishing domain name check → [IDN Phishing] Protect against phishing using IDN homoglyphs when reading mail

Actually, DKIM means that today many times the From: domain will be verified.
But even if I know that the From: is not trusted, our users don't know that. Phishing is a real thing.

The phishing discussion happened for Firefox shortly after IDNs were introduced. Phishers did the same in browsers, pretending to be Amazon and Google and eBay and whatnot, offered login dialogs, and let people send them their passwords.
Usually, people get there by phishing email. So, the risk for phishing in email is much higher than on the web. Yet, even in the browser, it was considered a large enough problem to add specific protections against homoglyphs. The solution was that if the IDN contains characters that look very similar to ASCII characters, it will not show the confusing character, but the more technical encoding.
We can probably leverage the very same code that Firefox uses here.

This would be important to fix. IDN support is in fact dangerous for all users (even those who do not care about IDN) unless this is fixed.

Component: Untriaged → Security

I'm not sure about showing punycode.

In general, it is probably possible to create homoglyphs using just Cyrillic, say. That is, without mixing western characters. In that case, the suspicion level can differ if the TLD is .com rather than .ru. Of course, mixed alphabets raise even more suspicion. However, legitimate mixed case domain names may exist.

How about some kind of color encoding? I mean, for example, use red for Russian, orange for Greek, and so forth. That would identify mixed alphabets but still be readable. It could also be useful outside of phishing prevention. For example, when I happen to see ideograms, I'm unable to tell Chinese from Japanese. If they were, say, blue and green I could easily identify them.
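The two detection ideas discussed in this bug, a function that signals script mixes in the From: domain (the 'о' U+043E / 'ⲟ' U+2C9F case from the report) and the harder "just Cyrillic" case raised in the comment above, can be shown together in a small classifier. This is an added example, not Thunderbird or Firefox code: it uses JavaScript Unicode script properties to find mixed-script labels, a constructed and deliberately partial table of Cyrillic letters with Latin twins for the single-script case (a real implementation would use the Unicode confusables data), and the WHATWG URL parser's IDNA conversion to show a flagged label as its "more technical" xn-- encoding, as the Firefox behaviour described earlier does. The From: header parsing is a constructed simplification.

```javascript
// Added example, not Thunderbird or Firefox code: flag the domain part of a
// From: header when a label mixes Unicode scripts, or consists only of
// Cyrillic letters that have Latin twins, and show such labels in their
// xn-- (Punycode) encoding instead of the confusable glyphs.

// Scripts distinguished here; anything else falls into "Other". Digits,
// hyphen and similar characters are "Common" and never count as a script.
const SCRIPT_TESTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
  ["Coptic", /\p{Script=Coptic}/u],
  ["Han", /\p{Script=Han}/u],
  ["Hiragana", /\p{Script=Hiragana}/u],
  ["Katakana", /\p{Script=Katakana}/u],
  ["Common", /\p{Script=Common}/u],
];

// Constructed, deliberately partial table of Cyrillic letters whose glyphs
// match Latin a e o p c y x i j s in common fonts (assumption: a real
// implementation would take this from the Unicode confusables data).
const CYRILLIC_LATIN_LOOKALIKES = new Set(
  "\u0430\u0435\u043E\u0440\u0441\u0443\u0445\u0456\u0458\u0455"
);

function scriptOf(ch) {
  for (const [name, re] of SCRIPT_TESTS) {
    if (re.test(ch)) return name;
  }
  return "Other";
}

// Classify one label (the text between dots in a host name).
function analyzeLabel(label) {
  const scripts = new Set();
  for (const ch of label) {
    const s = scriptOf(ch);
    if (s !== "Common") scripts.add(s);
  }
  const mixed = scripts.size > 1;
  // Whole-label lookalike: a single-script Cyrillic label in which every
  // letter has a Latin twin reads as plain ASCII to a human (the "just
  // Cyrillic" case, which mixed-script detection alone does not catch).
  const cyrillicLookalike =
    scripts.size === 1 &&
    scripts.has("Cyrillic") &&
    [...label].every(
      (ch) => scriptOf(ch) === "Common" || CYRILLIC_LATIN_LOOKALIKES.has(ch)
    );
  return {
    label,
    scripts: [...scripts].sort(),
    mixed,
    cyrillicLookalike,
    suspicious: mixed || cyrillicLookalike,
  };
}

// Render a label as its ASCII (xn--) form via the WHATWG URL parser's IDNA
// conversion; fall back to listing code points if the label is not valid IDNA.
function technicalForm(label) {
  try {
    return new URL("http://" + label).hostname;
  } catch (e) {
    return [...label]
      .map((c) => "U+" + c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0"))
      .join(" ");
  }
}

// Analyze a domain; the returned display string keeps harmless labels as-is
// and replaces suspicious ones with their technical form.
function analyzeDomain(domain) {
  const labels = domain.split(".").map(analyzeLabel);
  const display = labels
    .map((l) => (l.suspicious ? technicalForm(l.label) : l.label))
    .join(".");
  return { domain, suspicious: labels.some((l) => l.suspicious), labels, display };
}

// Pull the domain part out of a From: header value such as
// "Bank <trn@bank.example>" (constructed; real header parsing is messier).
function analyzeFromHeader(fromValue) {
  const m = /@([^\s>]+)/u.exec(fromValue);
  return m ? analyzeDomain(m[1]) : null;
}

// Constructed sample: Cyrillic U+0430 in place of Latin "a" in the domain.
console.log(analyzeFromHeader("Bank <trn@b\u0430nk.example>").display);
```

A legitimate all-Cyrillic domain such as яндекс.ru passes untouched because its letters are not all Latin lookalikes, while bаnk.com (Cyrillic а) is reported as mixed and displayed as its xn-- form; the per-label script list is what a colour-coding UI like the one proposed above would consume.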

We should simply do whatever Firefox does.

Severity: normal → S3