Homograph warning

About the recent alerts on phishing pages using homographs
(https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)
etc.  I know FF has netroek.IDN_show_punycode which is a good
start, but it would be nice if FF could show such URLs even more
eye-catchingly. Is there an add-on that could
   a) color the mouseover text on such links in an alerting colour/style
       (blinking orange/red or such)
   b) do the same with links containing homographs
   c) do the same in the URL bar (similar to the HTTP/HTTPS alerts )


0
Mathias
4/19/2017 10:18:30 AM


On 2017-04-19 06:18, Mathias Korber wrote:
> About the recent alerts on phishing pages using homographs
> (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)
> etc.  I know FF has netroek.IDN_show_punycode which is a good
> start, but it would be nice if FF could show such URLs even more
> eye-catchingly. Is there an add-on that could
>    a) color the mouseover text on such links in an alerting colour/style
>        (blinking orange/red or such)
>    b) do the same with links containing homographs
>    c) do the same in the URL bar (similar to the HTTP/HTTPS alerts )

What do you mean by "homograph"? I understand it to mean two words
spelled the same but pronounced differently, eg bow, wound, invalid, etc.


-- 
Wolf K.
https://kirkwood40.blogspot.com
"What good is it having lower taxes when you can’t drink the water?”

0
Wolf
4/20/2017 2:30:09 PM
Wolf K. wrote:
> On 2017-04-19 06:18, Mathias Korber wrote:
>> About the recent alerts on phishing pages using homographs
>> (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)
>> etc.  I know FF has netroek.IDN_show_punycode which is a good
>> start, but it would be nice if FF could show such URLs even more
>> eye-catchingly. Is there an add-on that could
>>    a) color the mouseover text on such links in an alerting colour/style
>>        (blinking orange/red or such)
>>    b) do the same with links containing homographs
>>    c) do the same in the URL bar (similar to the HTTP/HTTPS alerts )
> 
> What do you mean by "homograph"? I understand it to mean two words 
> spelled the same but pronounced differently, eg bow, wound, invalid, etc.
> 
The word got adopted by the CS community to describe a related issue - 
use of unicode to spoof ascii strings.  See: 
https://www.theregister.co.uk/2017/04/18/homograph_attack_again/
0
Millwood
4/20/2017 2:41:38 PM
On 2017-04-20 10:41, Millwood wrote:
> Wolf K. wrote:
>> On 2017-04-19 06:18, Mathias Korber wrote:
>>> About the recent alerts on phishing pages using homographs
>>> (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)
>>> etc.  I know FF has netroek.IDN_show_punycode which is a good
>>> start, but it would be nice if FF could show such URLs even more
>>> eye-catchingly. Is there an add-on that could
>>>    a) color the mouseover text on such links in an alerting colour/style
>>>        (blinking orange/red or such)
>>>    b) do the same with links containing homographs
>>>    c) do the same in the URL bar (similar to the HTTP/HTTPS alerts )
>>
>> What do you mean by "homograph"? I understand it to mean two words
>> spelled the same but pronounced differently, eg bow, wound, invalid, etc.
>>
> The word got adopted by the CS community to describe a related issue -
> use of unicode to spoof ascii strings.  See:
> https://www.theregister.co.uk/2017/04/18/homograph_attack_again/

OK, thanks.

-- 
Wolf K.
https://kirkwood40.blogspot.com
"What good is it having lower taxes when you can’t drink the water?”

0
Wolf
4/20/2017 4:30:34 PM
Mathias Korber <mathias@koerber.org> wrote:

> About the recent alerts on phishing pages using homographs
> (https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/)
> etc.  I know FF has netroek.IDN_show_punycode which is a good
> start, but it would be nice if FF could show such URLs even more
> eye-catchingly. Is there an add-on that could
>    a) color the mouseover text on such links in an alerting colour/style
>        (blinking orange/red or such)
>    b) do the same with links containing homographs
>    c) do the same in the URL bar (similar to the HTTP/HTTPS alerts )

While it does not blare out an alert that a URL is using punycode, you
can change the following setting in about:config:

network.IDN_show_punycode
  false (default) = you get to see the converted value 
  true = you get to see the actual URL
  
For example, from the article mentioned in the "Homograph warning"
thread at:

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

and with network.IDN_show_punycode = true, instead of seeing
"https://www.epic.com/" in the popup on mouse hover, you would see
"https://xn--e1awd7f.com".

Then, when you hover over a URL, instead of getting the converted value
which can mislead you, the actual punycode value for the URL is shown in
the popup.  So you could hover the mouse over a URL and check the URL
popup (lower right) to see where you would be going if you clicked.

http://kb.mozillazine.org/Network.IDN_show_punycode

My guess is false was the default to somehow make it easy for users to
see a human-readable or recognizable URL.  For safety, however, it seems
the default should've been true (to show the punycode version of the
URL).  However, that setting does not help when non-ASCII characters are
substituted as lookalikes.

https://wiki.mozilla.org/IDN_Display_Algorithm

says "characters in a label all come from the same script".  Maybe
"script" means "character set".

Personally I know of no sites that I visit that require the use of
punycode-encoded URLs.  None of my 600+ bookmarks use punycode.  I did
a search in about:config on "puny" to see if there was a setting to
disable punycoding altogether.  Nope, none found.  With the setting
changed from its default of false (show interpreted URL) to true (show
punycode version of URL), I'll have to remember from now on to hover
over the URL and peek at the popup to make sure of where I would go.
0
VanguardLH
4/23/2017 12:18:07 AM
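The post above describes two things: the punycode (xn--) form that network.IDN_show_punycode = true reveals, and the IDN display algorithm's rule that a label is shown as Unicode only when its characters all come from the same script. The following script is an added example, not Firefox code and not from anyone in this thread; it reproduces both checks on constructed hostnames so you can see why the Cyrillic "еріс" case from the Wordfence article passes the single-script rule yet still ends up as xn--e1awd7f.com in punycode. The script classification (first word of the Unicode character name) is a simplification I am assuming here, not the algorithm Firefox actually uses.

```python
"""Added example: rate hostnames the way a homograph-aware link checker
might, and show the punycode form a browser displays when
network.IDN_show_punycode is true. Not Firefox code; the single-script
rule below is a simplified reading of the IDN display algorithm."""
import unicodedata

# Scripts we distinguish. Assumption: the first word of the Unicode
# character name names the script, e.g. "CYRILLIC SMALL LETTER IE".
KNOWN_SCRIPTS = {"LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW",
                 "ARABIC", "HAN", "HIRAGANA", "KATAKANA", "HANGUL"}


def script_of(ch: str) -> str:
    """Coarse script name for one character; digits and '-' are COMMON."""
    if ch in "0123456789-":
        return "COMMON"
    first = unicodedata.name(ch, "UNKNOWN").split(" ")[0]
    return first if first in KNOWN_SCRIPTS else "OTHER"


def to_punycode(host: str) -> str:
    """The ACE (xn--) form shown when punycode display is switched on."""
    return host.encode("idna").decode("ascii")


def classify_label(label: str) -> str:
    """Return 'ascii', 'single-script' or 'mixed-script' for one DNS label."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(c) for c in label} - {"COMMON"}
    return "mixed-script" if len(scripts) > 1 else "single-script"


def assess(host: str) -> dict:
    """Summarise a hostname: punycode form, per-label verdicts, overall rating."""
    labels = host.lower().split(".")
    verdicts = [classify_label(label) for label in labels]
    if "mixed-script" in verdicts:
        # The display algorithm already falls back to punycode here.
        overall = "mixed-script"
    elif "single-script" in verdicts:
        # Shown as Unicode by default: the whole-script confusable case
        # that only the punycode setting makes visible.
        overall = "single-script-non-ascii"
    else:
        overall = "ascii"
    return {"host": host, "punycode": to_punycode(host),
            "labels": dict(zip(labels, verdicts)), "verdict": overall}


if __name__ == "__main__":
    # Constructed samples: Cyrillic е р і с (U+0435 U+0440 U+0456 U+0441)
    # as in the thread, "paypal" with one Cyrillic а (U+0430), and plain ASCII.
    for h in ["www.\u0435\u0440\u0456\u0441.com", "p\u0430ypal.com", "example.com"]:
        r = assess(h)
        print(f"{r['host']:<16} {r['punycode']:<24} {r['verdict']}")
```

Run it and the all-Cyrillic name is rated single-script (so a Unicode-showing browser would render it as "epic.com") while its punycode column reads www.xn--e1awd7f.com; the mixed-script name is the one the display algorithm would already have shown as punycode.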
VanguardLH <V@nguard.LH> Wrote in message:
> Mathias Korber <mathias@koerber.org> wrote:
>  <long snip>
> http://kb.mozillazine.org/Network.IDN_show_punycode
> 
> My guess is false was the default to somehow make it easy for users to
> see a human-readable or recognizable URL.  For safety, however, it seems
> the default should've been true (to show the punycode version of the
> URL).  However, that setting does not help when non-ASCII characters are
> substituted as lookalikes.
> 
This blog entry discusses the original justification, and there's
a link to an example site (proof of concept):
<http://tenfourfox.blogspot.co.uk/2017/04/the-bites-back.html>

BTW I found that the pref was set to true in this Android version
of Fx, but false in wife's Windows instance.
0
Dave
4/24/2017 6:23:10 AM