IDN and Pale Moon: know your browser.

Frequently Asked Questions about the Pale Moon browser and their answers.

Moderator: satrow

Moonchild
Pale Moon guru
Posts: 22159
Joined: Sun, 28 Aug 2011, 17:27
Location: 58.5°N 15.5°E


Post by Moonchild » Fri, 28 Apr 2017, 20:43

Since there has been a lot of buzz lately about the age-old issue with IDNs (international-character domain names) spoofing well-known domains, people seem to be confused about what Pale Moon does to mitigate this. In short it comes down to knowing your browser and paying attention to what the browser indicates.

The address bar has a dedicated area where site identity information is displayed (the identity panel):
[Image: IDpanel.png]

For normal (http) sites, this panel normally only displays the site's icon, and will blend in with the rest of the address bar.
For https sites, this panel is either blue or green, and displays the secure domain or the domain's verified owner, respectively.
[Image: blue.png]
[Image: green.png]


If you are visiting a phishing site using an IDN to try and spoof the original domain, this identity panel, since 27.3.0, will clearly display the "raw" code of the IDN (also called "punycode", a domain starting with "xn--") instead of what the site is trying to spoof:
[Image: spoofed-epic.png]


So, before you enter any login details, always, ALWAYS check the identity panel to see if the site is secure (padlock shown) and displaying the domain or owner you expect.
If you want more details, you can also click on the padlock.

For people who also want to have http sites (white) display the punycode if an IDN is visited, that is possible by going into about:config, and setting browser.identity.display_punycode to a value of 2. This is not the default, because http is used for display of public information, and phishing from an http site immediately falls short by not showing a secure connection. As such, doing this for http sites by default would in most cases simply be unnecessary to include, and annoying for anyone regularly visiting international-address websites.

I've chosen to approach the problem this way, because it will still allow you to enter international character domain names, while giving you the tools to verify that your visit is to the server you expect.
Improving Mozilla code: You know you're on the right track with code changes when you spend the majority of your time deleting code.

"If you want to build a better world for yourself, you have to be willing to build one for everybody." -- Coyote Osborne

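The conversion the identity panel relies on, as an added example that is not part of the original post and not Pale Moon's code: it turns a hostname into its "xn--" form with Python's standard `idna` codec and applies a simplified model of the display rule described above. The function names and the `punycode_on_http` flag are hypothetical; the flag stands in for setting browser.identity.display_punycode to 2.

```python
from urllib.parse import urlsplit

# Demo hostname linked in this thread, written with escapes so the
# Cyrillic letters (U+0435 U+0440 U+0456 U+0441) cannot be mistaken for "epic".
DEMO_URL = "https://www.\u0435\u0440\u0456\u0441.com/"


def inspect_host(url):
    """Return both spellings of a URL's host and whether it is an IDN."""
    host = urlsplit(url).hostname or ""
    # The stdlib "idna" codec (IDNA 2003) converts each label to its
    # ASCII-compatible "xn--" form; plain ASCII labels pass through unchanged.
    ace = host.encode("idna").decode("ascii")
    return {
        "ace": ace,
        "unicode": ace.encode("ascii").decode("idna"),
        "is_idn": any(label.startswith("xn--") for label in ace.split(".")),
        "non_ascii": ["U+%04X" % ord(c) for c in host if ord(c) > 127],
    }


def panel_shows_punycode(url, punycode_on_http=False):
    """Simplified model of the rule in the post; punycode_on_http is a
    hypothetical flag standing in for browser.identity.display_punycode = 2."""
    scheme = urlsplit(url).scheme
    if not inspect_host(url)["is_idn"]:
        return False
    return scheme == "https" or punycode_on_http


if __name__ == "__main__":
    plain_http = DEMO_URL.replace("https", "http", 1)
    for u in (DEMO_URL, "https://www.epic.com/", plain_http):
        info = inspect_host(u)
        print(info["ace"], info["non_ascii"], panel_shows_punycode(u))
```
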
joe04
Lunatic
Posts: 259
Joined: Mon, 28 Sep 2015, 16:38
Location: US

Re: IDN and Pale Moon: know your browser.

Post by joe04 » Sat, 29 Apr 2017, 03:47

Thanks for adding this, Moonchild. Pale Moon already had the best address bar, and now it's that much better.

FYI -- here's the link for the fake "epic.com" demo page in the above screenshot:
https://www.еріс.com/

back2themoon
Board Warrior
Posts: 1198
Joined: Sun, 19 Aug 2012, 20:32

Re: IDN and Pale Moon: know your browser.

Post by back2themoon » Sat, 29 Apr 2017, 16:25

Good info and update, thanks.
Safe Mode / clean profile info: Help/Restart in Safe Mode
Information to include when asking for support - How to apply user agent overrides

Windows 10 Pro - Pale Moon x64 - FossaMail x64 - Emsisoft Anti-Malware

khronosschoty
Hobby Astronomer
Posts: 21
Joined: Wed, 23 Nov 2016, 10:37

Re: IDN and Pale Moon: know your browser.

Post by khronosschoty » Sat, 29 Apr 2017, 18:52

Nice update; thank you.

