Hello, does someone know if/when SeaMonkey and Firefox will get a patch to show the real URL when using punycode? Just as in Safari :-) Check this: https://www.еріс.com/ it's "https://xn--e1awd7f.com/" Explanation: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
![]() |
0 |
![]() |
The current "patch" is just a flipped pref which you can flip yourself in about:config Set network.IDN_show_punycode to true. Other than setting this as the default I do not know how this could be fixed differently by anyone. Maybe putting an icon or something in the status bar. Firefox will likely add another doorhanger because they got rid of the status bar and now clutter the location bar to make it finally unusable... FRG Gabriel wrote: > Hello, > > does someone know if/when SeaMonkey and Firefox will get a patch to show the > real URL when using punycode? Just as in Safari :-) > > Check this: https://www.еріс.com/ > it's "https://xn--e1awd7f.com/" > > Explanation: > https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ > >
![]() |
0 |
![]() |
Should we: Set network.IDN_show_punycode to true. with our SeaMonkey program 2.46 or should we wait until a new version of SM change this value or do differently ? Frank-Rainer Grahl wrote on 15-04-17 20:05: > The current "patch" is just a flipped pref which you can flip yourself > in about:config > > Set network.IDN_show_punycode to true. > Other than setting this as the default I do not know how this could be > fixed differently by anyone. Maybe putting an icon or something in the > status bar. Firefox will likely add another doorhanger because they > got rid of the status bar and now clutter the location bar to make it > finally unusable... > FRG > > Gabriel wrote: >> Hello, >> >> does someone know if/when SeaMonkey and Firefox will get a patch to >> show the real URL when using punycode? Just as in Safari :-) >> >> Check this: https://www.еріс.com/ >> it's "https://xn--e1awd7f.com/" >> >> Explanation: >> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ >> >> >
![]() |
0 |
![]() |
I am no expert here but I can't how this can be fixed other than turning it on or showing a visible indicator that the domain name contains punycode aka is an internationalized domain name. I turned it on in my local builds and asked for opinions from the other SeaMonkey devs. My recommendation will be to turn it on for the upcoming 2.48 and then 2.49 ESR. Nothing new here and I have seen some phishing domains before using this but now every wannabe phishing idiot will try to get you with it. FRG Ray_Net wrote: > Should we: Set network.IDN_show_punycode to true. > with our SeaMonkey program 2.46 > or should we wait until a new version of SM change this value or do differently ? > > > Frank-Rainer Grahl wrote on 15-04-17 20:05: >> The current "patch" is just a flipped pref which you can flip yourself in >> about:config >> >> Set network.IDN_show_punycode to true. >> Other than setting this as the default I do not know how this could be fixed >> differently by anyone. Maybe putting an icon or something in the status bar. >> Firefox will likely add another doorhanger because they got rid of the >> status bar and now clutter the location bar to make it finally unusable... >> FRG >> >> Gabriel wrote: >>> Hello, >>> >>> does someone know if/when SeaMonkey and Firefox will get a patch to show >>> the real URL when using punycode? Just as in Safari :-) >>> >>> Check this: https://www.еріс.com/ >>> it's "https://xn--e1awd7f.com/" >>> >>> Explanation: >>> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ >>> >>> >> >
![]() |
0 |
![]() |
Changing the encoding to "Western" or "Central European" makes it clear something wierd is going on too. (Sorry, I think the last response went by email.) Frank-Rainer Grahl wrote: > I am no expert here but I can't how this can be fixed other than turning it on > or showing a visible indicator that the domain name contains punycode aka is > an internationalized domain name. > I turned it on in my local builds and asked for opinions from the other > SeaMonkey devs. My recommendation will be to turn it on for the upcoming 2.48 > and then 2.49 ESR. Nothing new here and I have seen some phishing domains > before using this but now every wannabe phishing idiot will try to get you > with it. > > FRG > > Ray_Net wrote: >> Should we: Set network.IDN_show_punycode to true. >> with our SeaMonkey program 2.46 >> or should we wait until a new version of SM change this value or do differently ? >> >> >> Frank-Rainer Grahl wrote on 15-04-17 20:05: >>> The current "patch" is just a flipped pref which you can flip yourself in >>> about:config >>> >>> Set network.IDN_show_punycode to true. >>> Other than setting this as the default I do not know how this could be fixed >>> differently by anyone. Maybe putting an icon or something in the status bar. >>> Firefox will likely add another doorhanger because they got rid of the >>> status bar and now clutter the location bar to make it finally unusable... >>> FRG >>> >>> Gabriel wrote: >>>> Hello, >>>> >>>> does someone know if/when SeaMonkey and Firefox will get a patch to show >>>> the real URL when using punycode? Just as in Safari :-) >>>> >>>> Check this: https://www.еріс.com/ >>>> it's "https://xn--e1awd7f.com/" >>>> >>>> Explanation: >>>> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/ >>>> >>>> >>> >> >
![]() |
0 |
![]() |
Frank-Rainer Grahl wrote on 15/04/17 20:05: > The current "patch" is just a flipped pref which you can flip yourself in > about:config > > Set network.IDN_show_punycode to true. > Other than setting this as the default I do not know how this could be fixed > differently by anyone. Maybe putting an icon or something in the status bar. > Firefox will likely add another doorhanger because they got rid of the status > bar and now clutter the location bar to make it finally unusable... I know about the manual preference change, but I think it would be better if the browser shown an alert or as you suggest a special icon near the URL; or just do as Safari and always show the "xn--".
![]() |
0 |
![]() |
On 4/20/17, Gabriel <user@domain.invalid> wrote: > Frank-Rainer Grahl wrote on 15/04/17 20:05: >> The current "patch" is just a flipped pref which you can flip yourself in >> about:config >> >> Set network.IDN_show_punycode to true. >> Other than setting this as the default I do not know how this could be >> fixed >> differently by anyone. Maybe putting an icon or something in the status >> bar. >> Firefox will likely add another doorhanger because they got rid of the >> status >> bar and now clutter the location bar to make it finally unusable... > > I know about the manual preference change, but I think it would be better if > the > browser shown an alert or as you suggest a special icon near the URL; or > just do > as Safari and always show the "xn--". +1 for always show the "xn--" altho who hasn't already set network.IDN_show_punycode to true? Lee
![]() |
0 |
![]() |
On 4/20/2017 12:09 PM, Lee wrote: > On 4/20/17, Gabriel <user@domain.invalid> wrote: >> Frank-Rainer Grahl wrote on 15/04/17 20:05: >>> The current "patch" is just a flipped pref which you can flip yourself in >>> about:config >>> >>> Set network.IDN_show_punycode to true. >>> Other than setting this as the default I do not know how this could be >>> fixed >>> differently by anyone. Maybe putting an icon or something in the status >>> bar. >>> Firefox will likely add another doorhanger because they got rid of the >>> status >>> bar and now clutter the location bar to make it finally unusable... >> >> I know about the manual preference change, but I think it would be better if >> the >> browser shown an alert or as you suggest a special icon near the URL; or >> just do >> as Safari and always show the "xn--". > > +1 for always show the "xn--" > > altho who hasn't already set network.IDN_show_punycode to true? People who don't know about it? Haha. Yes, this should be true by default. :( -- "I remember being fascinated by ants and wasps and other bugs when I was a kid. I'd set out a Coke can and stand back 20 feet and use my telescope to watch wasps land on it." --Paul McEuen Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly. /\___/\ Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site) / /\ /\ \ Ant's Quality Foraged Links: http://aqfl.net | |o o| | \ _ / If crediting, then use Ant nickname and AQFL URL/link. ( ) Axe ANT from its address if e-mailing privately.
![]() |
0 |
![]() |
On 4/20/2017 12:09 PM, Lee wrote: > On 4/20/17, Gabriel <user@domain.invalid> wrote: >> Frank-Rainer Grahl wrote on 15/04/17 20:05: >>> The current "patch" is just a flipped pref which you can flip yourself in >>> about:config >>> >>> Set network.IDN_show_punycode to true. >>> Other than setting this as the default I do not know how this could be >>> fixed >>> differently by anyone. Maybe putting an icon or something in the status >>> bar. >>> Firefox will likely add another doorhanger because they got rid of the >>> status >>> bar and now clutter the location bar to make it finally unusable... >> >> I know about the manual preference change, but I think it would be better if >> the >> browser shown an alert or as you suggest a special icon near the URL; or >> just do >> as Safari and always show the "xn--". > > +1 for always show the "xn--" > > altho who hasn't already set network.IDN_show_punycode to true? > > Lee > See https://bugzilla.mozilla.org/show_bug.cgi?id=1332714 for info/discussion on this problem. BTW - Windows: Microsoft Edge 40.15063.0.0 doesn't have the issue o Google Chrome Version 58.0.3029.81 fixed the issue in that browser o Google Chromium Version 60.0.3078.0 (Developer Build) (64-bit) fixed the issue in that browser o Opera 44.0.2510.1218 (PGO) still has the issue o Firefox 53.0 still has the issue I've not tested the above (minus Edge) in linux yet
![]() |
0 |
![]() |