Change default network.IDN_show_punycode to "true".


Change default network.IDN_show_punycode to "true".

Post by Walter Dnes » 2017-04-16, 03:02

There's a boolean setting in about:config, "network.IDN_show_punycode", that is currently set to false. If set to "true", it unmasks phishing sites that use Unicode Cyrillic letters that mimic ASCII letters. See https://www.wordfence.com/blog/2017/04/ ... -phishing/ and http://www.irongeek.com/i.php?page=secu ... r-phishing for a write-up on the phishing potential. Setting the value to "true" should be the default, at least for "en_us" users.

Where it becomes even more interesting are the places in Unicode where very similar characters exist from different languages. Languages that use characters which look similar to the normal Latin alphabet with diacritic accents, letter-like symbols and other usable homoglyphs pop up with great regularity, some seeming to be almost exact duplicates of the same symbol. Cyrillic script is a common example, possessing very close homoglyphs for a, c, e, o, p, x and y. Even the Latin alphabet appears twice in Unicode. The characters:

!"$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

are represented in both the U+0021-007E (Basic Latin) and the U+FF01-FF5E (Fullwidth Latin) ranges of Unicode. This means changing from one encoding for a given Latin character to the other is as easy as adding the decimal value 65248 to the lower-range versions. Depending on the font used, mixing character families this way may cause a "ransom note" visual effect, because the exact vertical and horizontal spacing of the characters may vary.
While the intended purpose of IDNA is to allow for internationalized DNS labels it can also be used to make a URL or host name appear more legitimate than it really is. Because the Unicode representation may cause visual confusion for a user, it could cause trust where there should be none. For example:

http://www.microsoft.com⁄index.html.irongeek.com

may look like a legitimate Microsoft URL, but on closer inspection it goes to a site that the author controls. This is because the third slash symbol is not really a slash symbol at all (⁄, U+2044 FRACTION SLASH). The real DNS entry is:

microsoft.xn--comindex-g03d.html.irongeek.com

More obfuscated DNS names could be created by choosing something less obvious than Irongeek.com, or by having the Punycode be in the domain name itself. How could an attacker leverage this?
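The three tricks described in the post above (Cyrillic homoglyphs, the Fullwidth Latin offset of 65248, and the U+2044 fraction-slash label) can all be made visible by converting a hostname to the form the address bar would show with network.IDN_show_punycode set to true. The following is an added example written for this page; it is not code from the thread, from the irongeek write-up, or from the Pale Moon code base. It uses Python's built-in IDNA (IDNA2003) and punycode codecs; the homoglyph table is just the seven letters the post lists, the script buckets are a rough classification by Unicode character name, and all sample hostnames are constructed for the example.

```python
"""Added example: show the ASCII (xn--) form of a hostname and flag
look-alike tricks per label.  Not part of the forum thread or Pale Moon."""
import unicodedata

# The Cyrillic letters the post names as near-identical to Latin a c e o p x y.
CYRILLIC_HOMOGLYPHS = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}

# Fullwidth Latin sits exactly this far above Basic Latin (U+FF01 - U+0021 = 65248).
FULLWIDTH_OFFSET = 0xFF01 - 0x21


def to_fullwidth(text):
    """Shift printable ASCII (U+0021..U+007E) into the Fullwidth Latin block."""
    return "".join(
        chr(ord(c) + FULLWIDTH_OFFSET) if 0x21 <= ord(c) <= 0x7E else c
        for c in text
    )


def to_ascii_form(hostname):
    """What the address bar shows with network.IDN_show_punycode=true: each
    label that is not plain ASCII becomes xn--<punycode>.  Python's idna codec
    applies nameprep (NFKC) first, so Fullwidth Latin folds back to ASCII and
    that trick disappears at the DNS layer; Cyrillic and U+2044 survive."""
    return hostname.encode("idna").decode("ascii")


def skeleton(label):
    """Map homoglyphs and Fullwidth Latin to the Latin letters they imitate,
    so a look-alike label compares equal to the brand it copies."""
    out = []
    for c in label:
        if c in CYRILLIC_HOMOGLYPHS:
            out.append(CYRILLIC_HOMOGLYPHS[c])
        elif 0xFF01 <= ord(c) <= 0xFF5E:
            out.append(chr(ord(c) - FULLWIDTH_OFFSET))
        else:
            out.append(c)
    return "".join(out)


def script_of(ch):
    """Coarse script bucket taken from the Unicode character name (assumption:
    good enough for Latin/Cyrillic/Fullwidth, everything else is 'Other')."""
    if ch.isascii():
        return "Latin"
    name = unicodedata.name(ch, "")
    for prefix in ("CYRILLIC", "LATIN", "FULLWIDTH", "GREEK"):
        if name.startswith(prefix):
            return prefix.capitalize()
    return "Other"


def check_hostname(hostname):
    """Return (label, reason) findings.  Labels are split on '.' only; the
    fraction slash U+2044 is flagged because it passes as a path separator,
    which is the irongeek trick quoted in the post."""
    findings = []
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label}
        if "Cyrillic" in scripts and "Latin" in scripts:
            findings.append((label, "mixed Cyrillic/Latin"))
        elif label and all(c in CYRILLIC_HOMOGLYPHS for c in label):
            findings.append((label, "every letter is a Cyrillic look-alike of Latin: " + skeleton(label)))
        if "Fullwidth" in scripts:
            findings.append((label, "Fullwidth Latin"))
        if "\u2044" in label:
            findings.append((label, "contains U+2044 FRACTION SLASH"))
    return findings


if __name__ == "__main__":
    # Constructed samples: the irongeek example, a Cyrillic-a apple, and a
    # Fullwidth microsoft (which nameprep quietly folds back to ASCII).
    for host in (
        "www.microsoft.com\u2044index.html.irongeek.com",
        "\u0430pple.com",
        to_fullwidth("microsoft") + ".com",
    ):
        print(host, "->", to_ascii_form(host), check_hostname(host))
```

The interesting caveat the output makes plain: the fraction-slash label and the Cyrillic "a" survive into the xn-- form, which is exactly why showing punycode unmasks them, while the Fullwidth Latin label is normalised to the genuine ASCII name before encoding, so it is only a display trick in places that do not run IDNA mapping.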


Re: Change default network.IDN_show_punycode to "true".

Post by Moonchild » 2017-04-16, 14:55

You obviously didn't search before posting.
No, I won't set the default to "true" because anyone, also en_us locale users (which is Pale Moon's default for anyone, anyway) should be able to enter, navigate to, and see IDNs in the address bar.
In addition, we already use a blacklist for Unicode characters with too much similarity to allowed domain characters.

For further info and my solution to this (entirely display-related) issue, see the other thread.