[qutebrowser] IDN spoofing

Martin Tournoij martin at arp242.net
Wed Apr 19 17:26:30 CEST 2017


On Wed, Apr 19, 2017, at 16:08, John Lane wrote:
> Interesting article[1] on the register today about internationalised
> domain name (IDN) spoofing using Punycode[2].
> 
> I think it's quite alarming that many browsers show you what looks like
> apple.com which in reality is something entirely different. That's
> something new I've learnt today!
> 
> This can be configured against in Firefox about:config by setting
> "network.IDN_show_punycode=true"

I thought all of this was fixed years ago by normalizing various homographs to
their Latin variant. Guess not :-/

There are some other fixes we could do as well. If we see that punicode is
being used, we can try to do a lookup to the normalized domain name, and if it
exists, use that (possibly with a warning). That way the "Cyrillic Apple"
becomes regular ol' apple.com.

I don't know how fool-proof unicode normalisation is, though. Unicode is
pretty large, so there may be oversights?

Another, safer, way would be to improve on the Firefox setting by including a
whitelist of codepoints for common "safe" scripts, such as Arabic, Hangul,
Chinese, Kanji, and perhaps a few others. If all characters fall in that
range: show the codepoints, else show the punycode.
That particular domain from the article uses Cyrillic, so we can't add that to
the whitelist.


More information about the qutebrowser mailing list