Opened 8 months ago

Last modified 4 months ago

#21961 needs_review enhancement

should torbrowser enable network.IDN_show_punycode by default?

Reported by: cypherpunks
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords:
Cc: ikurua22, mcs, brade, qbi, intrigeri, anonym
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Firefox and torbrowser do not show punycodes by default.

The attack vector is discussed here, including a demo:

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Change History (12)

comment:1 Changed 8 months ago by gk

Cc: ikurua22 added

#21976 is a duplicate.

comment:2 Changed 8 months ago by cypherpunks

Depending on how fast you want to address this, you might also wait for the final decision in the upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1332714

comment:3 Changed 8 months ago by arthuredelstein

Another possibility is to show a warning when a homographic domain is displayed. Showing a punycode by default has the disadvantage that it becomes unreadable for non-Latin domains.

comment:4 Changed 8 months ago by mcs

Cc: mcs added

comment:5 Changed 8 months ago by mcs

Cc: brade added
Summary: shoult torbrowser enable network.IDN_show_punycode by default? → should torbrowser enable network.IDN_show_punycode by default?

I wonder where this is now being discussed on the Mozilla side. Comments on the Bugzilla bug were closed after an FAQ was published (which I read), but now the FAQ is gone. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=1332714#c78

comment:6 Changed 8 months ago by cypherpunks

Status: new → needs_review

Answer: No.

Everything was discussed on BMO and closed.

The discussed attack vector was phishing (sec-low). And it is the user's responsibility.

But the TBB-specific attack is DNS-spoofing by the exit node. And it should gain more priority.

comment:7 Changed 8 months ago by mrphs

Priority: Medium → Immediate

Bumping up the priority as our users can be potentially actively exploited with this new phishing method.

comment:8 Changed 8 months ago by mrphs

This is how Google responded to the homograph attack:
https://www.chromium.org/developers/design-documents/idn-in-google-chrome

PoC and how it looks on Tor Browser => https://www.аррӏе.com/

comment:9 Changed 8 months ago by qbi

Cc: qbi added

comment:10 Changed 7 months ago by intrigeri

Cc: intrigeri anonym added

comment:11 Changed 5 months ago by cypherpunks

The fact that Chrome/Chromium has this mitigated, while Firefox has stubbornly refused to change their behavior, calling it someone else's problem, is one of the many reasons that people (rightfully) criticize Firefox and its devs for having poor security. Imagine how easy it would be for an administrator of a dissident website, or the code repository website for a critical or popular program (such as Tor?) to be compromised.

Perhaps only enable the punycode feature when not on the lowest security level? The description in the browser security slider could say "Domains with unicode may not display properly", with the mouseover text saying "Characters that can be used to create a domain that looks identical to an existing domain will be displayed differently".

I'm going to have to require all the important members of a website I own to log in exclusively using client certificates, since they will only work on the correct domain. I would much rather if I did not have to do something which has an impact on my users just because poorly-secured browsers insist on this being someone else's problem.
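
An added example (not part of the ticket, and not Firefox, Tor Browser or Chromium code): a simplified display policy of the kind comments 3, 8 and 11 discuss. It falls back to punycode only for mixed-script labels and for all-Cyrillic labels made entirely of Latin lookalikes under an ASCII TLD, so ordinary non-Latin domains stay readable. The lookalike set, the function names and the sample hostnames are constructed for illustration.

```python
import unicodedata

# Constructed, incomplete set of Cyrillic letters that render like Latin ones
# (assumption for this example; a real policy uses a full confusables table).
LATIN_LOOKALIKE_CYRILLIC = set(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0455\u0456\u0458\u04cf\u0501\u04bb"
)

def script_of(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and hyphen
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_punycode(label):
    """ACE form of one label (simplified: lowercasing only, no IDNA mapping)."""
    return "xn--" + label.encode("punycode").decode("ascii")

def display_label(label, tld_is_ascii):
    """Return the form of one label that the address bar should show."""
    if label.isascii():
        return label
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return to_punycode(label)  # mixed scripts, e.g. Latin + Cyrillic
    letters = [c for c in label if script_of(c) != "COMMON"]
    if (scripts == {"CYRILLIC"} and tld_is_ascii
            and all(c in LATIN_LOOKALIKE_CYRILLIC for c in letters)):
        return to_punycode(label)  # whole-script lookalike of a Latin name
    return label  # single-script IDN stays readable

def display_host(host):
    """Apply the policy to every label; the TLD decides the Cyrillic rule."""
    labels = host.lower().split(".")
    tld_is_ascii = labels[-1].isascii()  # an xn-- TLD counts as ASCII here
    return ".".join(display_label(l, tld_is_ascii) for l in labels)

if __name__ == "__main__":
    samples = [  # constructed sample hostnames
        "example.com",
        "\u0430\u0440\u0440\u04cf\u0435.com",          # all-Cyrillic lookalike
        "ex\u0430mple.com",                            # Latin with one Cyrillic letter
        "\u043f\u0440\u0438\u043c\u0435\u0440.com",    # ordinary Cyrillic word
    ]
    for s in samples:
        print(ascii(s), "->", ascii(display_host(s)))
```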
