[Security] Phishing with Unicode Domains

Daedalus007
New to the forum
Posts: 2
Joined: 2020-11-19, 18:48

[Security] Phishing with Unicode Domains

Post by Daedalus007 » 2020-11-19, 19:37

Been doing some reading online and came across this article written by a security researcher:
https://www.xudongz.com/blog/2017/idn-phishing/

The short version is that certain IDN Homograph domains (often used for phishing attacks) are not clearly communicated to the end-user.

In Pale Moon, thankfully, you can see the punycode (ugly) version of the domain if you look at the blue part of the domain certificate text visible by default in the address bar:
https://i.imgur.com/9SLnngd.png

However, I believe that the 'blue' coloring and blue padlock should have a different coloring or some kind of indication 'this may be a homograph attack' type of thing. Even Chrome/Chromium are vulnerable to full-homograph attacks due to the support for Cyrillic and other foreign-language domains using all foreign characters.

Mozilla devs have pushed aside this issue as a 'registrar' problem rather than taking any responsibility for themselves. Chromium devs, while not perfect, have at least put in some mitigation for mixed-letter homograph attacks with a warning that comes up.

I'm not a security expert, but I feel that Pale Moon could find some solution to this issue that prioritizes security for the sake of mitigation of potential phishing attacks. A solution that improves upon that done by Chromium and far exceeds the one (not) implemented by Mozilla devs.

One potential security solution would be to check if the computer has any non-English language support installed. If so, then things remain as they are now with no changes. If not, then the entire domain is displayed exclusively in 'punycode' as an 'ugly' domain at all times in the address bar. In addition, such 'punycode' domain would not have any green/blue or padlock security indicators which would immediately put a red flag for anyone paying attention to it. I clicked this link for apple.com so why is it a completely different site without a lock?

The downside to this security solution would obviously be that OS-specific check for language support and that might be a major bugbear.
One potential mitigation to this is to have the locale/localization set within Pale Moon itself (isolated from the OS) and then use that locale call within the browser itself to make the determination. If I have Cyrillic language support on my system but change the default in Pale Moon locale to English instead, then the punycode domain would show. If I dislike this then I can change it back to Cyrillic or whatever other language I want to use as my primary language.

And again the downside to THAT solution would be those who use and know multiple languages on a regular basis. Potentially would need to add an option to 'use homograph detection via browser locale' as an option in the Pale Moon options and have it enabled by default (security first) which a multi-language user could disable at the risk of being more vulnerable to homograph phishing attacks.

Apologies if this post is too long/rambly. I have difficulty organizing my thoughts in a manner befitting a technical discussion. If this post is not suitable for this forum please feel free to delete/ignore it.

Moonchild
Pale Moon guru
Posts: 28495
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: [Security] Phishing with Unicode Domains

Post by Moonchild » 2020-11-19, 21:39

Phishing is effectively impossible because the solution we have is already superior and always shows the punycode version in the identity panel, making any homonym attack immediately recognizable.
Making this indication somehow "worse" by letting the IDN/punycode identity panel feature creep into the area of connection security indicators is not an acceptable suggestion -- after all, whether the domain name is an IDN or not has nothing to do with the TLS underpinnings of the connection and shouldn't influence it.
What's more, this would incorrectly classify all legitimate IDNs as being somehow "less secure" than western/latin domain names, which is not the kind of bias that is acceptable.
"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss

vannilla
Board Warrior
Posts: 1274
Joined: 2018-05-05, 13:29

Re: [Security] Phishing with Unicode Domains

Post by vannilla » 2020-11-19, 22:19

The blue part of the domain is there exactly for this reason.
Please don't let a good thing (non-ASCII domain names, implementations aside) go to waste because people fail to provide good UIs.

Daedalus007
New to the forum
Posts: 2
Joined: 2020-11-19, 18:48

Re: [Security] Phishing with Unicode Domains

Post by Daedalus007 » 2020-11-19, 23:03

I missed it in my initial post, but there is a workaround to this that should be enabled by default for security purposes:
Firefox users can limit their exposure by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains.

Anyone who doesn't like this can go in and change it easily, but having this be the default for English-language distributed binaries of Pale Moon would go a long way towards significant mitigation of homonym-style phishing attacks.
At bare minimum, it is the duty of Pale Moon to notify their users of this setting via a first-time alert when running the new version as well as an alert message on the main home page on how to change this setting if they desire. People deserve the right to be aware of this potential major phishing loophole in many browsers.

Just tested stuff on Chromium and it shows punycode by default now. Pale Moon has primarily been about being better than Firefox (which doesn't do anything about this) so this is one way to do so.
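The following Python script is an added example, not part of this thread or of Pale Moon's code. It makes concrete the two mechanisms the posts above argue about: the punycode (xn--) form that the identity panel and the network.IDN_show_punycode pref expose, and the mixed-script check that Chromium's mitigation for "mixed-letter" homographs performs. It uses only the standard library. The script-from-character-name heuristic and the display_form() policy are assumptions made for illustration, not any browser's real algorithm (Chromium also applies whole-script confusable "skeleton" matching, which is out of scope here), and Python's idna codec implements IDNA 2003 whereas browsers use UTS 46/IDNA 2008; for the constructed samples below the xn-- results coincide.

```python
import unicodedata

# Characters allowed in any label without counting as a script of their own:
# ASCII digits and the hyphen (the LDH rule for hostnames).
NEUTRAL = set("0123456789-")


def to_punycode(domain: str) -> str:
    """ASCII-compatible (xn--) form of a domain, computed label by label.

    Uses Python's built-in 'idna' codec (IDNA 2003: nameprep followed by
    RFC 3492 punycode).  Pure-ASCII labels come back unchanged.
    """
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Unicode form of an ASCII domain; the inverse of to_punycode()."""
    return domain.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Set of scripts used in one label.

    Assumption (a deliberate simplification, not any browser's algorithm):
    the first word of unicodedata.name() is taken as the script, so
    'CYRILLIC SMALL LETTER A' counts as CYRILLIC and 'LATIN SMALL LETTER P'
    as LATIN.  Digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch in NEUTRAL:
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """True when one label mixes scripts, e.g. Cyrillic U+0430 followed by Latin 'pple'."""
    return len(label_scripts(label)) > 1


def display_form(domain: str, show_punycode_pref: bool = False) -> str:
    """What an address bar would show under a simple, assumed policy.

    show_punycode_pref=True models network.IDN_show_punycode=true: every
    non-ASCII label is rendered as xn--...  Otherwise a label is shown in
    Unicode unless it mixes scripts, in which case that label alone falls
    back to punycode (a Chromium-style mixed-script mitigation, simplified).

    A whole-script homograph such as the all-Cyrillic look-alike of 'apple'
    passes the mixed-script check untouched, which is exactly the case the
    thread is about: only a UI that shows the punycode alongside (the
    identity panel) or the pref exposes it.
    """
    unicode_form = from_punycode(domain) if domain.isascii() else domain
    shown = []
    for label in unicode_form.split("."):
        ascii_label = to_punycode(label)
        if ascii_label == label:                      # plain ASCII label
            shown.append(label)
        elif show_punycode_pref or is_mixed_script(label):
            shown.append(ascii_label)
        else:
            shown.append(label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed samples, written as escapes so the Cyrillic letters are
    # unambiguous in source: U+0430 looks like 'a', U+04CF like 'l'.
    samples = [
        "apple.com",                                   # genuine, ASCII
        "\u0430pple.com",                              # Cyrillic a + Latin pple
        "\u0430\u0440\u0440\u04cf\u0435.com",          # all Cyrillic look-alike
    ]
    for name in samples:
        print(f"{name!r:40} punycode={to_punycode(name):22} "
              f"default={display_form(name):22} "
              f"pref_on={display_form(name, True)}")
```

Running it shows why the two sides of the thread talk past each other: the mixed-script sample is caught by the Chromium-style check and rendered as xn--pple-43d.com, while the all-Cyrillic sample survives that check and is only revealed when the punycode is shown, either unconditionally via the pref or next to the Unicode name as Pale Moon's identity panel does.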

Moonchild
Pale Moon guru
Posts: 28495
Joined: 2011-08-28, 17:27
Location: Tranås, SE

Re: [Security] Phishing with Unicode Domains

Post by Moonchild » 2020-11-19, 23:19

No. The whole reason why I implemented this solution is so people DO NOT have to deal with punycode in their address bar, and so that IDNs can be used as-intended (including entering extended/accented or even cyrillic/asian characters to go to a domain) without falling into the trap of websites spoofing with homonyms on latin character domain names.
So that sledgehammer approach through the pref to basically disable the use of IDN names should most definitely not be promoted or recommended, since we have a better UI solution for it already.

See viewtopic.php?f=24&t=15583 for more details.
