Opened 2 years ago

Last modified 7 months ago

#21961 needs_review enhancement

should torbrowser enable network.IDN_show_punycode by default?

Reported by: cypherpunks
Owned by: tbb-team
Priority: Immediate
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Major
Keywords:
Cc: ikurua22, mcs, brade, qbi, intrigeri, anonym, arthuredelstein, floweb
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Firefox and torbrowser do not show punycodes by default.

The attack vector is discussed here, including a demo:

Change History (17)

comment:1 Changed 2 years ago by gk

Cc: ikurua22 added

#21976 is a duplicate.

comment:2 Changed 2 years ago by cypherpunks

Depending on how fast you want to address this you might also wait for the final decision in the upstream ticket:

comment:3 Changed 2 years ago by arthuredelstein

Another possibility is to show a warning when a homographic domain is displayed. Showing a punycode by default has the disadvantage that it becomes unreadable for non-latin domains.

comment:4 Changed 2 years ago by mcs

Cc: mcs added

comment:5 Changed 2 years ago by mcs

Cc: brade added
Summary: shoult torbrowser enable network.IDN_show_punycode by default? → should torbrowser enable network.IDN_show_punycode by default?

I wonder where this is now being discussed on the Mozilla side. Comments on the Bugzilla bug were closed after an FAQ was published (which I read), but now the FAQ is gone. See:

comment:6 Changed 2 years ago by cypherpunks

Status: new → needs_review

Answer: No.

Everything was discussed on BMO and closed.

The discussed attack vector was phishing (sec-low). And it is the user's responsibility.

But TBB-specific attack is DNS-spoofing by the exit node. And it should gain more priority.

comment:7 Changed 2 years ago by mrphs

Priority: Medium → Immediate

Bumping up the priority as our users can be potentially actively exploited with this new phishing method.

comment:8 Changed 2 years ago by mrphs

This is how google responded to the homograph attack:

PoC and how it looks on Tor Browser => https://www.аррӏе.com/

comment:9 Changed 2 years ago by qbi

Cc: qbi added

comment:10 Changed 2 years ago by intrigeri

Cc: intrigeri anonym added

comment:11 Changed 2 years ago by cypherpunks

The fact that Chrome/Chromium has this mitigated, while Firefox has stubbornly refused to change their behavior, calling it someone else's problem, is one of the many reasons that people (rightfully) criticize Firefox and its devs for having poor security. Imagine how easy it would be for an administrator of a dissident website, or the code repository website for a critical or popular program (such as Tor?) to be compromised.

Perhaps only enable the punycode feature when not on the lowest security level? The description in the browser security slider could say "Domains with unicode may not display properly", with the mouseover text saying "Characters that can be used to create a domain that looks identical to an existing domain will be displayed differently".

I'm going to have to require all the important members of a website I own to log in exclusively using client certificates, since they will only work on the correct domain. I would much rather if I did not have to do something which has an impact on my users just because poorly-secured browsers insist on this being someone else's problem.

comment:13 Changed 20 months ago by y2875095

TBB should prevent phishing.

Browsers should format address bar like: (displayed as:

comment:14 Changed 20 months ago by y2875095

Severity: Normal → Major

comment:15 Changed 19 months ago by arthuredelstein

Cc: arthuredelstein added

comment:16 Changed 12 months ago by gk

Cc: floweb added

#27887 is a duplicate.

comment:17 Changed 7 months ago by cypherpunks

network.IDN_show_punycode should be on when security level is set to safest.

Why not implement this first, then think about the default?
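The two ideas raised in this thread, a warning only when a label is homographic (comment:3) versus forcing punycode at a higher security level (comment:11, comment:17), sketched as an added Python example; this is not Tor Browser or Firefox code. It assumes a simplified IDNA conversion (lowercase plus punycode, no full UTS #46 mapping), a script lookup based on Unicode character names, and a small constructed subset of Cyrillic letters with Latin look-alikes; the sample host is built from explicit code points so it matches the PoC domain in comment:8.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters
# (taken from the Unicode confusables idea; not exhaustive, an assumption).
CYRILLIC_LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445"
                                "\u04cf\u0456\u0458\u0455\u051b\u051d\u04bb")

# Constructed sample matching the PoC host from comment:8 (Cyrillic a, r, r,
# palochka, ie). Its punycode form is xn--80ak6aa92e.com.
POC_HOST = "\u0430\u0440\u0440\u04cf\u0435.com"

def label_to_ascii(label: str) -> str:
    """Simplified IDNA ToASCII: lowercase/NFC, then punycode non-ASCII labels."""
    label = unicodedata.normalize("NFC", label.lower())
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def to_punycode(host: str) -> str:
    """What network.IDN_show_punycode=true shows: every label in A-label form."""
    return ".".join(label_to_ascii(label) for label in host.split("."))

def script_of(ch: str) -> str:
    """Approximate the Unicode script from the first word of the character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def homograph_risk(label: str):
    """None if the label looks safe, otherwise a short reason for a warning."""
    if label.isascii():
        return None
    scripts = {script_of(c) for c in label} - {"COMMON"}
    if len(scripts) > 1:
        return "mixed scripts: " + ", ".join(sorted(scripts))
    if scripts == {"CYRILLIC"} and all(
            c in CYRILLIC_LATIN_LOOKALIKES or script_of(c) == "COMMON" for c in label):
        return "whole-script confusable with Latin"
    return None

def display_host(host: str, security_level: str = "standard"):
    """Return (text for the URL bar, reason). 'safest' forces punycode for any
    non-ASCII host; other levels fall back to punycode only on risky labels."""
    if security_level == "safest" and not host.isascii():
        return to_punycode(host), "security level safest: punycode forced"
    reasons = [r for r in map(homograph_risk, host.split(".")) if r]
    if reasons:
        return to_punycode(host), "; ".join(reasons)
    return host, "ok"
```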
