Closed Bug 281474 Opened 20 years ago Closed 20 years ago

International Domain Names (IDN) may be used to spoof legitimate websites

Categories: Firefox :: General, defect
Hardware/OS: x86, Windows Server 2003
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 279099
People: Reporter: support, Assigned: bugzilla

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Domain names that contain mixed characters (i.e. from Latin and non-Latin
alphabets) can be easily used to spoof legitimate websites. For example (taken
from the website quoted in the URL above), the character entity а is a
letter from a Cyrillic alphabet that looks exactly like the Latin character 'a'.
As a result, this link will take you to a secure website that is
identified by a URL www.paypal.com, but is not affiliated with PayPal.

<a href='https://www.p&#1072;ypal.com/'>www.p&#1072;ypal.com</a>

FireFox *must*:
   * display IDNs in a different color or use some other visual aid to inform the user that the URL contains non-Latin characters

   * display both encoded (ASCII) and decoded (in native language) domain names in the lower right corner, by the padlock

   * display domain names with mixed alphabets (i.e. Latin and non-Latin) in red as a potential security risk

Reproducible: Always

Steps to Reproduce:
1. Create HTML with the following link: 
<a href='https://www.p&#1072;ypal.com/'>www.p&#1072;ypal.com</a>
2. Request the page you just created and click on the link

Note that if the target domain name ceases to exist, this link will not show a
valid page. This link is taken from the page located at the URL quoted above. 

Actual Results:  
You see a website identified by a URL that looks exactly like www.paypal.com,
but pointing to some other domain. 

Expected Results:  
FireFox *must*:
   * display IDNs in a different color or use some other visual aid to inform the user that the URL contains non-Latin characters

   * display both encoded (ASCII) and decoded (in native language) domain names in the lower right corner, by the padlock

   * display domain names with mixed alphabets (i.e. Latin and non-Latin) in red as a potential security risk
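The three display states the report asks for (plain ASCII, consistent non-Latin IDN, mixed-script label shown in red) come down to one check: decode each label of the hostname, work out which scripts its letters belong to, and flag any label that mixes more than one. The following is an added example written for this page, not code from the bug report or from Firefox. It uses only the Python standard library: the `idna` codec (RFC 3490/3491) produces the encoded ASCII form the reporter wants shown next to the decoded one, and because the standard library exposes no Unicode Script property, the script of a letter is approximated from the first word of its `unicodedata.name()` ("LATIN SMALL LETTER A" versus "CYRILLIC SMALL LETTER A"). The hostnames are constructed for the example; the spoofed one uses the same Cyrillic U+0430 as the report's link.

```python
import unicodedata

# Constructed sample inputs (not copied from the page linked in the report):
# the report's spoofed host in Unicode form, the genuine host, and an
# all-Cyrillic host that is a legitimate IDN rather than a mixed-script one.
SPOOFED_HOST = "www.p\u0430ypal.com"                   # U+0430 in place of 'a'
GENUINE_HOST = "www.paypal.com"
CYRILLIC_HOST = "\u043f\u043e\u0447\u0442\u0430.ru"   # label "почта", all Cyrillic


def script_of(ch: str) -> str:
    """Approximate the Unicode script of a character from its character name.
    Assumption of this example: the first word of the name is a usable script
    tag ('Latin', 'Cyrillic', 'Greek', ...). Digits, hyphen and dot are
    script-neutral and reported as 'Common'."""
    if ch in "-." or ch.isdigit():
        return "Common"
    try:
        return unicodedata.name(ch).split(" ")[0].title()
    except ValueError:  # unassigned or control code point has no name
        return "Unknown"


def to_ascii(host: str) -> str:
    """Punycode (IDNA 2003) form of the host: the 'encoded' string the reporter
    asks to see beside the decoded one."""
    return host.encode("idna").decode("ascii")


def analyze_host(host: str) -> dict:
    """Per-label script analysis of a hostname.
    Returns the ASCII form, the set of scripts found in each label, the labels
    that mix more than one script (the report's 'show in red' case) and whether
    any label is non-ASCII at all (the 'visual aid' case)."""
    scripts = {}
    mixed = []
    for label in host.split("."):
        found = {script_of(c) for c in label} - {"Common"}
        scripts[label] = found
        if len(found) > 1:
            mixed.append(label)
    return {
        "unicode": host,
        "ascii": to_ascii(host),
        "scripts": scripts,
        "mixed_script_labels": mixed,
        "is_idn": any(ord(c) > 127 for c in host),
    }


def classify(host: str) -> str:
    """Collapse the analysis into the three display states the report proposes."""
    info = analyze_host(host)
    if info["mixed_script_labels"]:
        return "mixed-script"  # potential spoof: show in red
    if info["is_idn"]:
        return "idn"           # consistent non-Latin: show both forms
    return "ascii"


if __name__ == "__main__":
    for h in (GENUINE_HOST, SPOOFED_HOST, CYRILLIC_HOST):
        info = analyze_host(h)
        print(f"{info['unicode']!r:32} {info['ascii']:26} {classify(h)}")
```

Run against the constructed hosts, the spoofed one decodes to `www.xn--pypal-4ve.com` and its second label reports both `Latin` and `Cyrillic`, which is exactly the signal a browser can use to colour the label or show the punycode form; the all-Cyrillic host is non-ASCII but script-consistent and is only marked as an IDN. The name-prefix heuristic is deliberate simplification: a production check would use the real Unicode Script and Script_Extensions properties and the confusable tables from UTS #39, which also catch look-alikes within a single script.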

*** This bug has been marked as a duplicate of 279099 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
No need for the confidential flag on bugs derived from public reports
Group: security