https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/
https://www.аррӏе.com/ -> xn--80ak6aa92e.com
Mozilla has wontfixed this in https://bugzilla.mozilla.org/show_bug.cgi?id=1332714 which is idealistically correct but not practical. On the other hand, it's not at all clear how many phony domains can actually be generated in this fashion; the number appears to be small.
The new display algorithm was implemented in https://bugzilla.mozilla.org/show_bug.cgi?id=722299 . A first approximation might be to implement a blacklist, and put some well-known TLDs that have high value for spoofing in it (probably com net org edu gov). This is not as targeted as the Chrome solution and would affect many more domains, but would also deal with the whole-script homograph problem more definitively and be better than wholesale displaying punycode in all circumstances as some have recommended. This could be hacked into network/dns/nsIDNService.cpp::ConvertToDisplayIDN.
No approach here looks like it won't disadvantage non-Latin scripts, unfortunately.
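The TLD-list display rule proposed in the post above, as an added Python example (not Firefox's nsIDNService code and not part of the original issue). The function names are hypothetical, the TLD set is the one the post suggests, and IDNA mapping is simplified to lowercasing.

```python
# Added illustration; all names here are hypothetical, not Firefox code.
ACE_PREFIX = "xn--"
# TLDs the post suggests as "high value for spoofing".
PUNYCODE_ONLY_TLDS = frozenset({"com", "net", "org", "edu", "gov"})


def label_to_ace(label: str) -> str:
    """Return the ASCII-compatible (xn--) form of one DNS label."""
    if label.isascii():
        return label.lower()
    # Assumption: no nameprep / UTS #46 mapping, only lowercasing.
    return ACE_PREFIX + label.lower().encode("punycode").decode("ascii")


def label_to_unicode(label: str) -> str:
    """Decode an xn-- label; leave other labels and invalid ACE untouched."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    try:
        return label[len(ACE_PREFIX):].lower().encode("ascii").decode("punycode")
    except UnicodeError:
        return label  # undecodable: keep the raw ACE form visible


def display_host(host: str, punycode_only_tlds=PUNYCODE_ONLY_TLDS) -> str:
    """Choose the form shown to the user under the TLD-list proposal."""
    trailing_dot = host.endswith(".")
    ace = [label_to_ace(l) for l in host.rstrip(".").split(".")]
    if ace[-1] in punycode_only_tlds:
        shown = ace  # listed TLD: never render any label as Unicode
    else:
        shown = [label_to_unicode(l) for l in ace]
    return ".".join(shown) + ("." if trailing_dot else "")


if __name__ == "__main__":
    # Constructed inputs: the ACE name from the issue, plus a legitimate
    # Cyrillic label ("пример") to show the collateral effect the post notes.
    for host in ("www.xn--80ak6aa92e.com", "xn--80ak6aa92e.example",
                 "пример.com", "пример.example", "Example.COM"):
        print(f"{host!r:32} -> {display_host(host)!r}")
```

The `пример.com` case shows the cost the post acknowledges: a legitimate non-Latin name under a listed TLD is displayed as punycode too.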