[qutebrowser] IDN spoofing
Martin Tournoij
martin at arp242.net
Wed Apr 19 17:26:30 CEST 2017
On Wed, Apr 19, 2017, at 16:08, John Lane wrote:
> Interesting article[1] on the register today about internationalised
> domain name (IDN) spoofing using Punycode[2].
>
> I think it's quite alarming that many browsers show you what looks like
> apple.com which in reality is something entirely different. That's
> something new I've learnt today!
>
> This can be configured against in Firefox about:config by setting
> "network.IDN_show_punycode=true"
I thought all of this was fixed years ago by normalizing various homographs to
their Latin variant. Guess not :-/
There are some other fixes we could do as well. If we see that punycode is
being used, we can try to do a lookup to the normalized domain name, and if it
exists, use that (possibly with a warning). That way the "Cyrillic Apple"
becomes regular ol' apple.com.
I don't know how fool-proof unicode normalisation is, though. Unicode is
pretty large, so there may be oversights?
Another, safer, way would be to improve on the Firefox setting by including a
whitelist of codepoints for common "safe" scripts, such as Arabic, Hangul,
Chinese, Kanji, and perhaps a few others. If all characters fall in that
range: show the codepoints, else show the punycode.
That particular domain from the article uses Cyrillic, so we can't add that to
the whitelist.
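The script-whitelist display rule proposed above, as an added example (not code from the thread or from qutebrowser): each label of a hostname is decoded from punycode, and it is shown as Unicode only when all of its non-ASCII characters come from a single whitelisted script; otherwise the punycode form is shown. The whitelist itself and the "one script per label" condition are my assumptions, and script detection here is an approximation based on Unicode character names rather than the real Script property.

```python
import unicodedata

# Constructed whitelist following the mail's suggestion (Arabic, Hangul,
# Chinese/Kanji); Latin is included because ordinary hostnames are Latin,
# Hiragana/Katakana because Japanese hostnames need them. Cyrillic is
# deliberately absent, so the "Cyrillic apple" falls back to punycode.
SAFE_SCRIPTS = {"LATIN", "ARABIC", "HANGUL", "CJK", "HIRAGANA", "KATAKANA"}


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode
    name (e.g. 'CYRILLIC SMALL LETTER ES' -> 'CYRILLIC'). A production
    implementation should use the Unicode Script property instead."""
    if ch.isascii():
        return "COMMON"  # a-z, 0-9 and '-' are script-neutral
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def decode_label(label: str) -> str:
    """Turn an 'xn--' punycode label into Unicode; leave anything else as is."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # malformed punycode: never show it as Unicode


def safe_to_show(label: str) -> bool:
    """True when all non-ASCII characters share one whitelisted script."""
    scripts = {script_of(c) for c in label} - {"COMMON"}
    return len(scripts) <= 1 and scripts <= SAFE_SCRIPTS


def display_host(host: str) -> str:
    """Return the form of `host` that should appear in the URL bar."""
    shown = []
    for label in host.split("."):
        unicode_label = decode_label(label)
        if safe_to_show(unicode_label):
            shown.append(unicode_label)
        elif label.isascii():
            shown.append(label)  # already punycode (or plain ASCII)
        else:
            try:
                shown.append(label.encode("idna").decode("ascii"))
            except UnicodeError:
                shown.append(label)
    return ".".join(shown)
```

Hostnames such as "apple.com" or a Hangul label pass through unchanged, while an all-Cyrillic or mixed Latin/Cyrillic label is shown in its "xn--" form.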