[qutebrowser] IDN spoofing

Florian Bruhin me at the-compiler.org
Thu Apr 20 21:51:04 CEST 2017


On Thu, Apr 20, 2017 at 10:27:52AM +0100, John Lane wrote:
> On 20/04/17 05:24, Florian Bruhin wrote:
> > 
> > I opened an issue here with some first thoughts:
> > https://github.com/qutebrowser/qutebrowser/issues/2547
> > 
> At a very simplistic level, what would work for me would be an option
> that I can enable that causes IDN to be highlighted somehow (perhaps
> inverse video in the status bar, perhaps alternating the two
> representations?).
> Personally, I can read the Roman alphabet, accented or not, whether it
> be English, German or whatever (I may not understand the language I am
> reading though, but I can interpret the characters I see). I can't read
> Chinese, Cyrillic, Arabic or any other non-Latin script. So, for me, an
> option to highlight non-Latin IDN URLs would be a start because I would
> have no interest in following such links.
> I realise that won't be a solution for many people but I guess it would
> cover the majority of the people who would be the target of such a
> spoofing scheme (i.e. those who primarily use the Latin alphabet / ASCII
> character set).
> I don't know how this stuff works so I'll butt out now, glad to see it's
> being tracked as an issue on Github.

You mean in the status bar, where the current URL is shown? I had
considered that, but I'm not sure it's obvious enough. If you don't
know, is a, say, grey "apple.com" different from a green one?

My current stance on this, by the way, is showing the Punycode
representation in addition to the "normal" one for any non-ASCII URL:


https://www.qutebrowser.org  | me at the-compiler.org (Mail/XMPP)
   GPG: 916E B0C8 FD55 A072  | https://the-compiler.org/pubkey.asc
         I love long mails!  | https://email.is-not-s.ms/
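
An added sketch, not qutebrowser's code and not part of this thread, of the two ideas discussed above: showing the Punycode form next to the Unicode form for any non-ASCII host, and flagging hosts that contain non-Latin letters. It assumes Python's raw `punycode` codec without IDNA normalization; the function names and sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample URLs; "\u0430" is CYRILLIC SMALL LETTER A.
SAMPLES = ["https://apple.com/", "https://\u0430pple.com/login",
           "https://xn--pple-43d.com/", "https://b\u00fccher.example/"]


def label_forms(label):
    """Return (unicode_form, ascii_form) of a single DNS label."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode"), label
        except UnicodeError:
            return label, label  # malformed Punycode: show it as-is
    if label.isascii():
        return label, label
    return label, "xn--" + label.encode("punycode").decode("ascii")


def host_forms(url):
    """Return (unicode_host, punycode_host) for the host part of url."""
    host = urlsplit(url).hostname or ""  # .hostname is already lower-cased
    pairs = [label_forms(part) for part in host.split(".")]
    return ".".join(u for u, _ in pairs), ".".join(a for _, a in pairs)


def non_latin_chars(host):
    """Non-ASCII letters whose Unicode name is not LATIN (rough heuristic)."""
    return [c for c in host
            if not c.isascii() and c.isalpha()
            and not unicodedata.name(c, "").startswith("LATIN")]


def status_text(url):
    """Status-bar text: both representations for any non-ASCII host."""
    uni, puny = host_forms(url)
    if uni == puny:
        return uni
    flag = " [non-Latin]" if non_latin_chars(uni) else ""
    return f"{uni} ({puny}){flag}"


if __name__ == "__main__":
    for sample in SAMPLES:
        print(status_text(sample))
```
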