Chrome & Firefox unicode phishing test
-
Some of you might already be aware of this issue, so I tried this test on three browsers: Firefox, Opera, Vivaldi.
Vivaldi stands out of the three by showing the real URL instead of epic.com.
Unfortunately, when I opened https://www.еріс.com/ and copied the link (right click - copy link address) from this page, it was copied to my clipboard as epic.com.
-
@sandalian said:
Vivaldi stands out of the three by showing the real URL instead of epic.com.
Unfortunately, that means Internationalized Domain Names don't work at all. I want them to work so I'd rather use a phishing protection service to achieve this goal. (In some other use case I would probably set an option to show the IDNs as ASCII.)
-
Another solution would be a setting regarding how Unicode domain names are displayed in the URL bar.
- non-Punycode domain names would be displayed like now, unchanged;
- depending on the setting, Punycode domains would be:
  - (default, security first) displayed as Punycode (maybe in bold or color to indicate interactive status), showing the Unicode representation on hover/click, or
  - (usability first and/or site in the whitelist if one exists) displayed as Unicode but with either a warning icon in the site badge and/or a font color indicating warning (yellow?) inviting users to hover/click on it to see the real/Punycode representation.
I wonder about this option because in many countries (especially in Asia) Unicode domain names would make sense, and Punycode is not very readable;
but I also fully agree with @Gwen-Dragon that it is also a security risk, especially in countries using Latin character sets where Unicode domain names are dangerous AND useless (especially as users were taught to check for a little padlock = secure connection, but not to check the certificate or issuer).
-
Perhaps Google will implement some sort of heuristic method of guessing which domain names are bad, since they are reportedly fixing the issue in Chrome.
-
At least, Vivaldi is more secure in this specific case than Chrome, and than Firefox if you don't configure it.
-
Yes, the point then was to ban characters that were very unlikely to actually be used by honest web servers; now it's to decide whether a domain name that is conceivably registered with good intent is actually malicious.
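The two ideas in this thread, showing a suspicious IDN as Punycode in the URL bar and a heuristic for deciding which single-script names are look-alikes, as an added Python example that is not from any poster or from Vivaldi, Chrome or Firefox; the look-alike letter set, the display policy and the sample hostnames are assumptions constructed for illustration:

```python
import unicodedata

# Cyrillic letters that render like Latin letters in common fonts. An
# illustrative subset assumed for this example, not any browser's real list.
LATIN_LOOKALIKES = set("аеорсухіјѕһԁԛԝ")

# Constructed sample hostnames: the look-alike from the thread, a genuine
# all-Cyrillic IDN, a plain ASCII name and an already-encoded A-label form.
SAMPLE_HOSTS = ["www.еріс.com", "пример.рф", "epic.com", "xn--e1afmkfd.xn--p1ai"]

def script_of(ch):
    """Coarse script taken from the Unicode character name ('LATIN', 'CYRILLIC', ...).
    The stdlib exposes no script property, so this is an approximation."""
    if ch in "-0123456789":
        return None                     # hyphen and digits are script-neutral
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]

def classify_label(ulabel):
    """Return a reason string if this U-label should be shown as Punycode,
    else None (safe to display as Unicode under the assumed policy)."""
    scripts = {s for s in map(script_of, ulabel) if s}
    if len(scripts) > 1:
        return "mixed scripts: " + ", ".join(sorted(scripts))
    letters = [c for c in ulabel if c.isalpha()]
    if scripts == {"CYRILLIC"} and all(c in LATIN_LOOKALIKES for c in letters):
        return "whole label is Latin look-alike Cyrillic"
    return None

def display_host(host):
    """Decide how a URL bar should render `host`.
    Returns (ascii_form, unicode_form, shown_form, warning_or_None)."""
    ascii_form = host.encode("idna").decode("ascii")          # A-labels (xn--...)
    unicode_form = ascii_form.encode("ascii").decode("idna")  # U-labels
    warnings = [r for r in map(classify_label, unicode_form.split(".")) if r]
    if warnings:                        # security first: show Punycode and warn
        return ascii_form, unicode_form, ascii_form, "; ".join(warnings)
    return ascii_form, unicode_form, unicode_form, None

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        a, u, shown, warn = display_host(h)
        print(f"{h!r:28} -> show {shown!r}" + (f"  WARNING: {warn}" if warn else ""))
```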