Closed Bug 281474 Opened 20 years ago Closed 20 years ago

International Domain Names (IDN) may be used to spoof legitimate websites

Categories

(Firefox :: General, defect)

x86
Windows Server 2003
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 279099

People

(Reporter: support, Assigned: bugzilla)

References

()

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Domain names that contain mixed characters (i.e. from Latin and non-Latin alphabets) can be easily used to spoof legitimate websites. For example (taken from the website quoted in the URL above), the character entity &#1072; is a letter from a Cyrillic alphabet that looks exactly like the Latin character 'a'. As a result of this, this link will take you to a secure website that is identified by a URL www.paypal.com, but is not affiliated with PayPal.

<a href='https://www.p&#1072;ypal.com/'>www.p&#1072;ypal.com</a>

FireFox *must*:
* display IDNs in a different color or use some other visual aid to inform the user that the URL contains non-Latin characters
* display both encoded (ASCII) and decoded (in native language) domain names in the lower right corner, by the padlock
* display domain names with mixed alphabets (i.e. Latin and non-Latin) in red as a potential security risk

Reproducible: Always

Steps to Reproduce:
1. Create HTML with the following link: <a href='https://www.p&#1072;ypal.com/'>www.p&#1072;ypal.com</a>
2. Request the page you just created and click on the link

Note that if the target domain name ceases to exist, this link will not show a valid page. This link is taken from the page located at the URL quoted above.

Actual Results:
You see a website identified by a URL that looks exactly like www.paypal.com, but pointing to some other domain.

Expected Results:
FireFox *must*:
* display IDNs in a different color or use some other visual aid to inform the user that the URL contains non-Latin characters
* display both encoded (ASCII) and decoded (in native language) domain names in the lower right corner, by the padlock
* display domain names with mixed alphabets (i.e. Latin and non-Latin) in red as a potential security risk
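The two mitigations the reporter asks for (show the ASCII form next to the decoded name, and flag labels that mix scripts) can be prototyped with the Python standard library. This is an added example, not code from Firefox or from the report; the hostnames are constructed from the report's own &#1072; (U+0430) example, and the script test is a heuristic based on Unicode character names rather than a full script database.

```python
import unicodedata

# Constructed samples: the report's spoof uses U+0430, CYRILLIC SMALL LETTER A,
# in place of the Latin 'a' in the second label.
SPOOFED = "www.p\u0430ypal.com"
LEGIT = "www.paypal.com"


def to_ascii(hostname):
    """ACE (xn--, punycode) form of a hostname, i.e. what the resolver looks up.
    Uses the stdlib 'idna' codec (IDNA 2003, sufficient for this demonstration)."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label):
    """Set of scripts used by one label, approximated from the first word of each
    character's Unicode name (e.g. 'LATIN', 'CYRILLIC'). ASCII digits and
    hyphens are script-neutral and are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue
        name = unicodedata.name(ch, "")
        if name:
            scripts.add(name.split()[0])
    return scripts


def is_mixed_script(hostname):
    """True if any label of the hostname draws letters from more than one script."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def assess(hostname):
    """What a browser chrome could show: both forms plus a mixed-script warning."""
    ascii_form = to_ascii(hostname)
    return {
        "display": hostname,
        "ascii": ascii_form,
        "is_idn": ascii_form != hostname.lower(),
        "mixed_script": is_mixed_script(hostname),
    }


if __name__ == "__main__":
    for host in (LEGIT, SPOOFED):
        print(assess(host))
```

Run stand-alone it prints that the legitimate name is plain ASCII while the spoof decodes to www.xn--pypal-4ve.com and mixes Latin with Cyrillic in one label.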
*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
No need for the confidential flag on bugs derived from public reports
Group: security