[Security] Phishing with Unicode Domains

Daedalus007

[Security] Phishing with Unicode Domains

Post by Daedalus007 » 2020-11-19, 19:37

Been doing some reading online and came across this article written by a security researcher:
https://www.xudongz.com/blog/2017/idn-phishing/

The short version is that certain IDN Homograph domains (often used for phishing attacks) are not clearly communicated to the end-user.

In Pale Moon, thankfully, you can see the punycode (ugly) version of the domain if you look at the blue part of the domain certificate text visible by default in the address bar:
https://i.imgur.com/9SLnngd.png

However, I believe that the 'blue' coloring and blue padlock should have a different coloring or some kind of indication 'this may be a homograph attack' type of thing. Even Chrome/Chromium are vulnerable to full-homograph attacks due to the support for Cyrillic and other foreign-language domains using all foreign characters.

Mozilla devs have pushed aside this issue as a 'registrar' problem rather than taking any responsibility for themselves. Chromium devs, while not perfect, have at least put in some mitigation for mixed-letter homograph attacks with a warning that comes up.

I'm not a security expert, but I feel that Pale Moon could find some solution to this issue that prioritizes security for the sake of mitigation of potential phishing attacks. A solution that improves upon that done by Chromium and far exceeds the one (not) implemented by Mozilla devs.

One potential security solution would be to check if the computer has any non-English language support installed. If so, then things remain as they are now with no changes. If not, then the entire domain is displayed exclusively in 'punycode' as an 'ugly' domain at all times in the address bar. In addition, such 'punycode' domain would not have any green/blue or padlock security indicators which would immediately put a red flag for anyone paying attention to it. I clicked this link for apple.com so why is it a completely different site without a lock?

The downside to this security solution would obviously be that OS-specific check for language support and that might be a major bugbear.
One potential mitigation to this is to have the locale/localization set within Pale Moon itself (isolated from the OS) and then use that locale call within the browser itself to make the determination. If I have Cyrillic language support on my system but change the default in Pale Moon locale to English instead, then the punycode domain would show. If I dislike this then I can change it back to Cyrillic or whatever other language I want to use as my primary language.

And again, the downside to THAT solution would be for those who use and know multiple languages on a regular basis. It would potentially be necessary to add an option to 'use homograph detection via browser locale' in the Pale Moon options and have it enabled by default (security first), which a multi-language user could disable at the risk of being more vulnerable to homograph phishing attacks.

Apologies if this post is too long/rambly. I have difficulty organizing my thoughts in a manner befitting a technical discussion. If this post is not suitable for this forum please feel free to delete/ignore it.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: [Security] Phishing with Unicode Domains

Post by Moonchild » 2020-11-19, 21:39

Phishing is effectively impossible because the solution we have is already superior and always shows the punycode version in the identity panel, making any homonym attack immediately recognizable.
Making this indication somehow "worse" by letting the IDN/punycode identity panel feature creep into the area of connection security indicators is not an acceptable suggestion -- after all, whether the domain name is an IDN or not has nothing to do with the TLS underpinnings of the connection and shouldn't influence it.
What's more, this would incorrectly classify all legitimate IDNs as being somehow "less secure" than western/latin domain names, which is not the kind of bias that is acceptable.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

vannilla
Moon Magic practitioner
Posts: 2183
Joined: 2018-05-05, 13:29

Re: [Security] Phishing with Unicode Domains

Post by vannilla » 2020-11-19, 22:19

The blue part of the domain is there exactly for this reason.
Please don't let a good thing (non-ASCII domain names, implementations aside) go to waste because people fail to provide good UIs.

Daedalus007

Re: [Security] Phishing with Unicode Domains

Post by Daedalus007 » 2020-11-19, 23:03

I missed it in my initial post, but there is a workaround to this that should be enabled by default for security purposes:
"Firefox users can limit their exposure by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains."

Anyone who doesn't like this can go in and change it easily, but having this be the default for English-language distributed binaries of Pale Moon would go a long way towards significant mitigation of homonym-style phishing attacks.
At bare minimum, it is the duty of Pale Moon to notify their users of this setting via a first-time alert when running the new version as well as an alert message on the main home page on how to change this setting if they desire. People deserve the right to be aware of this potential major phishing loophole in many browsers.

Just tested stuff on Chromium and it shows punycode by default now. Pale Moon has primarily been about being better than Firefox (which doesn't do anything about this) so this is one way to do so.

Moonchild
Pale Moon guru
Posts: 35474
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: [Security] Phishing with Unicode Domains

Post by Moonchild » 2020-11-19, 23:19

No. The whole reason why I implemented this solution is so people DO NOT have to deal with punycode in their address bar, and so that IDNs can be used as intended (including entering extended/accented or even Cyrillic/Asian characters to go to a domain) without falling into the trap of websites spoofing with homonyms on Latin-character domain names.
So that sledgehammer approach through the pref to basically disable the use of IDN names should most definitely not be promoted or recommended, since we have a better UI solution for it already.

See viewtopic.php?f=24&t=15583 for more details.
