Chrome & Firefox unicode phishing test

  • Some of you might be aware of this issue, so I tried this test on three browsers: Firefox, Opera, Vivaldi.


    Vivaldi stands out among the three by showing the real URL instead of

    Unfortunately, when I opened https://www.еріс.com/ and copied the link (right click - copy link address) from this page, it was copied into my clipboard as

  • @sandalian said:

    Vivaldi stands out among the three by showing the real URL instead of

    Unfortunately, that means Internationalized Domain Names don't work at all. I want them to work so I'd rather use a phishing protection service to achieve this goal. (In some other use case I would probably set an option to show the IDNs as ASCII.)

  • Moderator

    Currently there is no list of safe IDN domains in Vivaldi.
    Until Vivaldi can get such a list, it will stay with Punycode for such domains and TLDs.
    But it is on the to-do list to allow some domains in the future.

  • Moderator

    Better having Punycode-only than fraudulent SSLized websites!

  • @sandalian
    Thanks for the reminder for that. 😄
    I don't even remember that I read years ago.

    I found some things.

    • Copying the link and pasting it into the text editor GVim pastes the bogus (unicode?) address. It is easy to notice the difference with GVim, as "e", "p", and "c" from the address are shown as a double cursor.
    • On link hover, Vivaldi shows the real bogus address.
    • One of my extensions, Redirect Bypasser, also detects the bogus address.
      False alarm. Firefox version didn't detect it without the tweak mentioned.

  • Another solution would be a setting regarding how Unicode domain names are displayed in the URL bar.

    • non-Punycode domain names would be displayed like now, unchanged;

    depending on the setting, Punycode domains would be:

    • (default, security first) displayed as Punycode (maybe in bold or color to indicate interactive status), showing the Unicode representation on hover/click, or
    • (usability first and/or site in the whitelist if one exists) displayed as Unicode but with either a warning icon in the site badge and/or font color indicating warning (yellow?) inviting users to hover/click on it to see the real/Punycode representation.

    I wonder about this option because in many countries (especially in Asia) Unicode domain names would make sense, and Punycode is not very readable;
    But I also fully agree with @Gwen-Dragon that it is also a security risk, especially in countries using Latin character sets where Unicode domain names are dangerous AND useless (especially as users were taught to check for a little padlock = secure connection, but not to check the certificate or issuer).
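
The display setting proposed in the post above, sketched as an added example (not part of the thread and not Vivaldi's code). The function names, the mode names, the allowlist entry and the sample hostnames are assumptions made for illustration, and the script check is a rough approximation based on Unicode character names.

```python
import unicodedata

# Hypothetical allowlist of trusted IDN hosts, stored in ASCII (Punycode) form.
ALLOWLIST = {"xn--bcher-kva.example"}

def to_ascii(host):
    """ASCII (Punycode) form of a hostname, via Python's IDNA 2003 codec."""
    return host.encode("idna").decode("ascii").lower()

def to_unicode(ascii_host):
    """Unicode form of an ASCII hostname (decodes xn-- labels)."""
    return ascii_host.encode("ascii").decode("idna")

def scripts(label):
    """Rough script set: first word of each letter's Unicode name (not UTS #39)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def address_bar(host, mode="security"):
    """Return (shown, on_hover, warn) for the URL bar.
    mode is "security" (default) or "usability"; both names are assumptions."""
    ascii_host = to_ascii(host)
    if not any(l.startswith("xn--") for l in ascii_host.split(".")):
        return ascii_host, None, False       # non-Punycode name: unchanged
    uni = to_unicode(ascii_host)
    if mode == "usability" or ascii_host in ALLOWLIST:
        return uni, ascii_host, True         # Unicode + warning, Punycode on hover
    return ascii_host, uni, False            # Punycode shown, Unicode on hover

if __name__ == "__main__":
    # Constructed samples: an all-Cyrillic look-alike label, a plain ASCII host,
    # and an allowlisted Latin IDN.
    for h in ("www.\u0435\u0440\u0456\u0441.com", "www.example.com", "b\u00fccher.example"):
        shown, hover, warn = address_bar(h)
        per_label = {l: sorted(scripts(l)) for l in to_unicode(to_ascii(h)).split(".")}
        print(shown, "| hover:", hover, "| warn:", warn, "| scripts:", per_label)
```
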

  • Perhaps Google will implement some sort of heuristic method of guessing which domain names are bad, since they are reportedly fixing the issue in Chrome.

  • At least Vivaldi is more secure in this specific case than Chrome, and Firefox if you don't configure it.

  • Moderator

    @kumiponi Those detection heuristics existed in some browsers after the Homograph Attack in 2001 was found, but these heuristics were broken.

  • Yes, the point then was to ban characters that were very unlikely to actually be used by honest web servers; now it's to decide whether a domain name that is conceivably registered with good intent is actually malicious.

