URL with punycode = easy phishing

Hello,

does someone know if/when SeaMonkey and Firefox will get a patch to show the 
real URL when using punycode? Just as in Safari :-)

Check this: https://www.еріс.com/
it's "https://xn--e1awd7f.com/"

Explanation:
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/


0
Gabriel
4/15/2017 5:54:09 PM
mozilla.support.seamonkey

The current "patch" is just a flipped pref which you can flip yourself in 
about:config

Set network.IDN_show_punycode to true.
Other than setting this as the default I do not know how this could be fixed 
differently by anyone. Maybe putting an icon or something in the status bar. 
Firefox will likely add another doorhanger because they got rid of the status 
bar and now clutter the location bar to make it finally unusable...
FRG

Gabriel wrote:
> Hello,
> 
> does someone know if/when SeaMonkey and Firefox will get a patch to show the 
> real URL when using punycode? Just as in Safari :-)
> 
> Check this: https://www.еріс.com/
> it's "https://xn--e1awd7f.com/"
> 
> Explanation:
> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
> 
> 

0
Frank
4/15/2017 6:05:57 PM
Should we set network.IDN_show_punycode to true
with our SeaMonkey program 2.46,
or should we wait until a new version of SM changes this value or does it
differently?


Frank-Rainer Grahl wrote on 15-04-17 20:05:
> The current "patch" is just a flipped pref which you can flip yourself 
> in about:config
>
> Set network.IDN_show_punycode to true.
> Other than setting this as the default I do not know how this could be 
> fixed differently by anyone. Maybe putting an icon or something in the 
> status bar. Firefox will likely add another doorhanger because they 
> got rid of the status bar and now clutter the location bar to make it 
> finally unusable...
> FRG
>
> Gabriel wrote:
>> Hello,
>>
>> does someone know if/when SeaMonkey and Firefox will get a patch to 
>> show the real URL when using punycode? Just as in Safari :-)
>>
>> Check this: https://www.еріс.com/
>> it's "https://xn--e1awd7f.com/"
>>
>> Explanation:
>> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
>>
>>
>

0
Ray_Net
4/15/2017 8:50:44 PM
I am no expert here but I can't see how this can be fixed other than turning it on 
or showing a visible indicator that the domain name contains punycode aka is 
an internationalized domain name.
I turned it on in my local builds and asked for opinions from the other 
SeaMonkey devs. My recommendation will be to turn it on for the upcoming 2.48 
and then 2.49 ESR. Nothing new here and I have seen some phishing domains 
before using this but now every wannabe phishing idiot will try to get you 
with it.

FRG

Ray_Net wrote:
> Should we set network.IDN_show_punycode to true
> with our SeaMonkey program 2.46,
> or should we wait until a new version of SM changes this value or does it
> differently?
> 
> 
> Frank-Rainer Grahl wrote on 15-04-17 20:05:
>> The current "patch" is just a flipped pref which you can flip yourself in 
>> about:config
>>
>> Set network.IDN_show_punycode to true.
>> Other than setting this as the default I do not know how this could be fixed 
>> differently by anyone. Maybe putting an icon or something in the status bar. 
>> Firefox will likely add another doorhanger because they got rid of the 
>> status bar and now clutter the location bar to make it finally unusable...
>> FRG
>>
>> Gabriel wrote:
>>> Hello,
>>>
>>> does someone know if/when SeaMonkey and Firefox will get a patch to show 
>>> the real URL when using punycode? Just as in Safari :-)
>>>
>>> Check this: https://www.еріс.com/
>>> it's "https://xn--e1awd7f.com/"
>>>
>>> Explanation:
>>> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
>>>
>>>
>>
> 

0
Frank
4/15/2017 9:46:11 PM
Changing the encoding to "Western" or "Central European" makes it clear
something weird is going on too.

(Sorry, I think the last response went by email.)

Frank-Rainer Grahl wrote:
> I am no expert here but I can't see how this can be fixed other than turning it on 
> or showing a visible indicator that the domain name contains punycode aka is 
> an internationalized domain name.
> I turned it on in my local builds and asked for opinions from the other 
> SeaMonkey devs. My recommendation will be to turn it on for the upcoming 2.48 
> and then 2.49 ESR. Nothing new here and I have seen some phishing domains 
> before using this but now every wannabe phishing idiot will try to get you 
> with it.
> 
> FRG
> 
> Ray_Net wrote:
>> Should we set network.IDN_show_punycode to true
>> with our SeaMonkey program 2.46,
>> or should we wait until a new version of SM changes this value or does it
>> differently?
>>
>>
>> Frank-Rainer Grahl wrote on 15-04-17 20:05:
>>> The current "patch" is just a flipped pref which you can flip yourself in 
>>> about:config
>>>
>>> Set network.IDN_show_punycode to true.
>>> Other than setting this as the default I do not know how this could be fixed 
>>> differently by anyone. Maybe putting an icon or something in the status bar. 
>>> Firefox will likely add another doorhanger because they got rid of the 
>>> status bar and now clutter the location bar to make it finally unusable...
>>> FRG
>>>
>>> Gabriel wrote:
>>>> Hello,
>>>>
>>>> does someone know if/when SeaMonkey and Firefox will get a patch to show 
>>>> the real URL when using punycode? Just as in Safari :-)
>>>>
>>>> Check this: https://www.еріс.com/
>>>> it's "https://xn--e1awd7f.com/"
>>>>
>>>> Explanation:
>>>> https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
>>>>
>>>>
>>>
>>
> 



0
Richmond
4/16/2017 9:26:38 AM
Frank-Rainer Grahl wrote on 15/04/17 20:05:
> The current "patch" is just a flipped pref which you can flip yourself in
> about:config
>
> Set network.IDN_show_punycode to true.
> Other than setting this as the default I do not know how this could be fixed
> differently by anyone. Maybe putting an icon or something in the status bar.
> Firefox will likely add another doorhanger because they got rid of the status
> bar and now clutter the location bar to make it finally unusable...

I know about the manual preference change, but I think it would be better if the 
browser showed an alert or as you suggest a special icon near the URL; or just do 
as Safari and always show the "xn--".
0
Gabriel
4/20/2017 6:30:57 PM
On 4/20/17, Gabriel <user@domain.invalid> wrote:
> Frank-Rainer Grahl wrote on 15/04/17 20:05:
>> The current "patch" is just a flipped pref which you can flip yourself in
>> about:config
>>
>> Set network.IDN_show_punycode to true.
>> Other than setting this as the default I do not know how this could be fixed
>> differently by anyone. Maybe putting an icon or something in the status bar.
>> Firefox will likely add another doorhanger because they got rid of the status
>> bar and now clutter the location bar to make it finally unusable...
>
> I know about the manual preference change, but I think it would be better if
> the browser showed an alert or as you suggest a special icon near the URL; or
> just do as Safari and always show the "xn--".

+1 for always show the "xn--"

although who hasn't already set network.IDN_show_punycode to true?

Lee
0
Lee
4/20/2017 7:09:10 PM
On 4/20/2017 12:09 PM, Lee wrote:
> On 4/20/17, Gabriel <user@domain.invalid> wrote:
>> Frank-Rainer Grahl wrote on 15/04/17 20:05:
>>> The current "patch" is just a flipped pref which you can flip yourself in
>>> about:config
>>>
>>> Set network.IDN_show_punycode to true.
>>> Other than setting this as the default I do not know how this could be fixed
>>> differently by anyone. Maybe putting an icon or something in the status bar.
>>> Firefox will likely add another doorhanger because they got rid of the status
>>> bar and now clutter the location bar to make it finally unusable...
>>
>> I know about the manual preference change, but I think it would be better if
>> the browser showed an alert or as you suggest a special icon near the URL; or
>> just do as Safari and always show the "xn--".
>
> +1 for always show the "xn--"
>
> although who hasn't already set network.IDN_show_punycode to true?

People who don't know about it? Haha. Yes, this should be true by 
default. :(
-- 
"I remember being fascinated by ants and wasps and other bugs when I was 
a kid. I'd set out a Coke can and stand back 20 feet and use my 
telescope to watch wasps land on it." --Paul McEuen
Note: A fixed width font (Courier, Monospace, etc.) is required to see 
this signature correctly.
    /\___/\         Ant(Dude) @ http://antfarm.ma.cx (Personal Web Site)
   / /\ /\ \                Ant's Quality Foraged Links: http://aqfl.net
  | |o   o| |
     \ _ /        If crediting, then use Ant nickname and AQFL URL/link.
      ( )               Axe ANT from its address if e-mailing privately.
0
Ant
4/21/2017 6:34:05 AM
On 4/20/2017 12:09 PM, Lee wrote:
> On 4/20/17, Gabriel <user@domain.invalid> wrote:
>> Frank-Rainer Grahl wrote on 15/04/17 20:05:
>>> The current "patch" is just a flipped pref which you can flip yourself in
>>> about:config
>>>
>>> Set network.IDN_show_punycode to true.
>>> Other than setting this as the default I do not know how this could be fixed
>>> differently by anyone. Maybe putting an icon or something in the status bar.
>>> Firefox will likely add another doorhanger because they got rid of the status
>>> bar and now clutter the location bar to make it finally unusable...
>>
>> I know about the manual preference change, but I think it would be better if
>> the browser showed an alert or as you suggest a special icon near the URL; or
>> just do as Safari and always show the "xn--".
> 
> +1 for always show the "xn--"
> 
> although who hasn't already set network.IDN_show_punycode to true?
> 
> Lee
> 

See https://bugzilla.mozilla.org/show_bug.cgi?id=1332714 for
info/discussion on this problem.

BTW - Windows:
o Microsoft Edge 40.15063.0.0 doesn't have the issue
o Google Chrome Version 58.0.3029.81 fixed the issue in that browser
o Google Chromium Version 60.0.3078.0 (Developer Build) (64-bit) fixed the
  issue in that browser
o Opera 44.0.2510.1218 (PGO) still has the issue
o Firefox 53.0 still has the issue

I've not tested the above (minus Edge) in linux yet
0
NoOp
4/21/2017 5:22:10 PM
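
The "visible indicator" idea raised in the thread can be prototyped outside the browser, for example in a mail filter or link checker. This is an added example, not code from the thread or from Mozilla: `inspect_host`, `scripts_in` and the partial lookalike table are hypothetical names and constructed data. It converts a host to the "xn--" form that network.IDN_show_punycode would display and reports why a label deserves a second look.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, partial table of Cyrillic letters that render like Latin ones.
# Real tooling should use the Unicode confusables data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def scripts_in(label):
    """Return the set of scripts used by the letters of one label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def inspect_host(url):
    """Return (ascii_host, findings) for the host part of a URL."""
    host = urlsplit(url).hostname or ""
    ascii_labels, findings = [], []
    for label in host.split("."):
        # Accept either form: decode "xn--" labels, keep Unicode as typed.
        if label.isascii() and label.startswith("xn--"):
            shown = label.encode("ascii").decode("idna")
        else:
            shown = label
        wire = shown.encode("idna").decode("ascii")  # what goes to DNS
        ascii_labels.append(wire)
        if shown.isascii():
            continue
        scripts = scripts_in(shown)
        if len(scripts) > 1:
            reason = "mixed scripts: " + ", ".join(sorted(scripts))
        elif all(ch in CYRILLIC_LOOKALIKES for ch in shown):
            latin = "".join(CYRILLIC_LOOKALIKES[ch] for ch in shown)
            reason = "all-Cyrillic label that reads as Latin '%s'" % latin
        else:
            reason = "internationalized label"
        findings.append((wire, reason))
    return ".".join(ascii_labels), findings


if __name__ == "__main__":
    # The host from the first post, written with escapes so the script is visible.
    print(inspect_host("https://www.\u0435\u0440\u0456\u0441.com/"))
```

A label written entirely in one script passes a mixed-script check, which is why the whole-label comparison against lookalikes is a separate branch.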