Discussion in 'other security issues & news' started by Minimalist, Feb 22, 2018.
Same here. Changes to red.
Well they did add an option in about:config ( network.IDN_show_punycode ) to address this problem, they just didn't enable it by default. So most users are most likely not protected.
Opera did a security patch for this last year apparently
Not to mention that a vulnerability might disable it in order to deceive users. I wonder if the extension would still reveal the fake address or if it simply uses Chrome's settings?
I enabled this. So do I need IDN Safe anymore?
I am in the same boat. I have the about:config network.IDN_show_punycode set as true and that seems to prevent accessing any dubious pages. I have also recently added IDN Safe but feel that it is probably redundant. The only difference is that with IDN Safe, clicking on a link does nothing apart from showing the red icon, whereas without the extension Firefox loads a "Server not found" message showing the URL.
As far as I understand, IDN safe blocks access to those domains. Firefox setting OTOH only prevents domain obfuscation.
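The difference described in the post above (the Firefox pref only changes what is displayed, while IDN Safe blocks the domain), as an added example that is not from this thread nor from any of the extensions mentioned. The mixed-script and Cyrillic-lookalike checks are a simplified assumption for illustration, not Firefox's or IDN Safe's actual policy, and the hostnames are constructed samples:

```python
import unicodedata

# Cyrillic letters that render like Latin letters in most fonts.
# Constructed subset for illustration; real confusable tables are far larger.
CYRILLIC_LOOKALIKES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x"}


def script_of(ch):
    """Rough script name taken from the Unicode character name, e.g. 'LATIN' or 'CYRILLIC'."""
    if not ch.isalpha():
        return None  # digits and hyphens carry no script
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def to_punycode(host):
    """The ASCII (xn--) form a browser shows when network.IDN_show_punycode is true."""
    return host.encode("idna").decode("ascii")


def suspicious_labels(host):
    """Labels that mix scripts, or that consist only of Latin-lookalike Cyrillic letters."""
    flagged = []
    for label in host.split("."):
        scripts = {s for s in map(script_of, label) if s}
        letters = [c for c in label if c.isalpha()]
        if len(scripts) > 1:
            flagged.append(label)  # e.g. Latin letters with one Cyrillic letter swapped in
        elif scripts == {"CYRILLIC"} and letters and all(c in CYRILLIC_LOOKALIKES for c in letters):
            flagged.append(label)  # whole-script confusable label
    return flagged


def navigation_decision(host, mode="display"):
    """mode='display' mimics the Firefox pref (show punycode but load);
    mode='block' mimics a blocking extension such as IDN Safe."""
    if not suspicious_labels(host):
        return ("allow", host)
    if mode == "block":
        return ("block", to_punycode(host))
    return ("allow", to_punycode(host))


if __name__ == "__main__":
    # constructed samples: plain ASCII, Cyrillic 'а' inside a Latin label, all-Cyrillic lookalikes
    for sample in ("example.com", "exаmple.com", "ехро.eu"):
        print(sample, navigation_decision(sample, "display"), navigation_decision(sample, "block"))
```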
IDN Safe Firefox version just updated on my machine.
Edit: Chrome version too.
Not Opera though, but I guess if it works, there is nothing to update, some of my extensions have not been updated for years.
But I should have read the description to answer my own question; this extension is useful. It blocks IDN domains, whereas the browser only displays the correct URL if that setting is not disabled.
IDN Safe 1.4 already works with the latest Vivaldi 1.14.1077.55...
Since nobody mentioned it, I say: punycode is not a realistic phishing pathway if you follow the best practice (and you should!).
i.e. Always check the corporate name shown next to the TLS lock icon as long as your site uses an EV or CV certificate. If your site doesn't use them, you can still dig through the certificate to see the registered domain name, but those shouldn't be important sites for you.
On mobile browsers, which won't directly show the corporate name, it's a problem. Another problem is that some sites use EV in a problematic way, using it on so-called shared TLS sites, which is meaningless... but again, that shouldn't be an important site.
Anyway, never rely solely on the displayed domain name! IIRC there were other UI vulnerabilities in the past.
Guys/Gals, sorry if this had already been posted. I haven't been following this thread but I did do several searches and couldn't find it.
Phish.AI IDN Protect
Supposedly a new Chrome extension specifically for IDN / Unicode phishing.
I've had an IDN extension for Firefox for a couple of weeks
I envy you guys who devoted months to years of dedication to browser protections, catching reports via news or through the forum exchanges of issues and solutions. This has been a sore weakness which I simply couldn't piece together enough study to firebrand my own browser(s), but you all, in your ongoing endless discussions, have left a trail of great information I'm only now just starting to catch on to by bits and pieces.
My personal thanks to you all who know what to look for, what works best for which browser and the setting elements and configs you do best at sealing as many loopholes in them as can be found.
You guys are masters at this.
Chrome Extension Detects URL Homograph (Unicode) Attacks
March 26, 2018
Registry to ban Cyrillic .eu addresses even if you've paid for them
June 29, 2018
Chrome to Display Warnings About Similar or Lookalike URLs
February 3, 2019