New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Urls with special characters (like ÆØÅ) don't become clickable links with preview #4810
Comments
Thanks for reporting. I'm not sure what we should do here. We have some code that ensures that all character's in a URL's path are valid characters based on the URI standard. Both Firefox and Chrome copy the URL like this:
All of these characters are valid, so we show a link preview. But Reddit's "Copy Link" behavior copies it with those invalid characters. To fix this, our options are:
Not sure what to do here, but I've filed this as a bug. We'll think about it. |
I just stumbled over the same issue here with a Am*zon URL containing a german umlaut ( 'ä' ) in the URL. I swear, i directly copy & pasted the URL from Firefox stable into Signal. After @EvanHahn-Signal comment, I tried to reproduce: But now the URL got quoted correctly. It seems Firefox only quotes the URL if you copy the complete URL. If you (like me), only select parts of the URL (like up to the /dp/xxxxxxx, part) Firefox no longer quotes preceding special characters of the partial URL. |
@bentolor that is an interesting find so I tried it myself and here's what I found: All of these tests were performed on macOS Catalina 10.15.7 Safari (14.0.3)
Firefox (85.0.2)
Chrome (88.0.4324.150)
So it seems that Safari is the only browser of the three that doesn't encode the url when copying 🤔 |
On windows 10,
Chrome (91.0)
Opera (76.0)
Edge (91.0)
|
@EvanHahn-Signal , is there a reason to enforce pure URI standards while most messengers apps, broswers, and major websites supports UTF-8 urls? |
Also wondering this. Most modern messaging apps and browsers support UTF-8 URLs and also Signal mobile app works correctly with these. Why is the strict URI standard enforced only on Signal desktop when UTF-8 URLs work basically everywhere else? |
Any update regarding this, by the way? It's still present in 6.x versions. |
@habi I would argue, that in your case of the domain name this is a good thing and should be kept by design to mitigate https://en.wikipedia.org/wiki/IDN_homograph_attack On another note: What is |
@bentolor the way to stop IDN homograph attacks is with Punycode, not by blocking support for all non-ascii characters in urls. also stop being obnoxious about |
@nehemiagurl Please refrain from your toxic behaviour. |
@bentolor the one shaming people unnecessarily and dismissing their concerns is you. |
Dear @nehemiagurl
|
In the iOS repository, these issues about IDN already exist:
signalapp/Signal-iOS#5543 links to signalapp/libsignal#511, which is related to #5237 which is closed as a duplicate of this issue here. |
You know, there are people with an Umlaut in their name, which would actually profit from having their personal URL linked in a software they like to use. iMessage links my URL, Threema does, Element does. I cannot test WhatsApp, as I don't have an account with them anymore. |
I tried to 'minimize' the issue and copy-pasted several versions of my URL. |
I know: I guess quite everybody in this issue is here, because they wanted to share a URL containing some innocent, local characters like Umlaut. My point is: I think there is a significant difference in the security impact of deploying a homoglyph attack as part of the URL path vs. the domain name.
I'm not sure that "the others do" is a good reasoning. I think in the case of the domain names, it's really a trade off between security and "least suprise of the user". Are we on the same page, that rendering homoglyphs in domain names imposes a significant security thread for the users? As an Signal user: How would you be able to understand that the message from you colleague (whose phone has been stolen) asking you to change your password on https://account.mᎥcrosoft.com/ instead of https://account.microsoft.com/ is a fraud? |
Reading through the linked issues: The general gist here is that currently the behavior is confusing, as some special characters do get linkified on some platforms, others don't. Ok: That's definitely confusing and not helpful. Signal should decide and take forward either one of both ways: Rendering IDNs or not rendering them at all. |
if the person you're chatting with is an adversary trying to phish you via Signal, you've got bigger problems on your hand. protecting from homograph attacks is the job of the browser - just like Signal can't protect you from sending incriminating messages without massively degrading the app (and even then a more sophisticated adversary can go around that anyway), Signal can't protect you from accepting a message request from someone who's phishing you. even if they say "screw you" to anyone who uses the internet outside of the Anglosphere and block IDNs from rendering, a phisher can always just send the link in a separate message and wait for the victim to copy-paste it in their browser.
they will see that the second link isn't clickable and immediately understand they're being phished? most browsers implement Punycode conversion by default, as well as some other protections, and that's excellent, because that's the way to actually combat this. but you won't see browsers blocking IDNs altogether, and neither should Signal. |
Thank you, @habi and @nehemiagurl ! As I mentioned: It's a tradeoff. Now I see the merits in of both point of views and would be ok with both approaches, as long as the behaviour is consistent across Signal platforms and applications. |
Please refer to https://davidhaberthŭr.ch/ for details!
Depending how you share this link in an iMessage, this is the result
- no preview (simple copy-paste)
- copy-pasted with Punycode (share from email text)
- Error message in preview (deliberately opened attack link in Safari, shared to iMessage)
![image](https://github.com/signalapp/Signal-Desktop/assets/1651235/05e37987-86fc-4469-9db3-ab8ac344aa03)
|
Exactly! We don't forbid the sale of all knifes and all alcohol just because it can potentially enable criminal activity. Besides, people still fall into scams even if url is nothing like the original. How about convert to punycode automatically on paste or on send? |
Bug Description
When pasting a url (e.g.
https://www.reddit.com/r/Denmark/comments/kwc0jz/æble_eller_pære/
) the url doesn't become a clickable link along with a preview of the url. If I remove the two occurrences of the letter 'Æ' (which thankfully is still a valid url for the Reddit post) and then make another change then a preview appears.If I send a message with the original url then that message contains a clickable link in the iOS app but not on desktop.
If I paste the original url in the iOS app then it generates a preview and a clickable link just fine.
So it seems the desktop version has a slightly different way of handling url detection.
I've attached a brief screen recording demonstrating the issue:
special_chars_in_url.mov
Steps to Reproduce
https://www.reddit.com/r/Denmark/comments/kwc0jz/æble_eller_pære/
in the message input fieldActual Result:
The url remained plain text, e.g. not a clickable link, and no preview was produced.
Expected Result:
I expected the url to be transformed into a clickable link and a preview to be attached to my message.
Screenshots
Platform Info
Signal Version: v1.39.4
Operating System: macOS Catalina 10.15.7
Linked Device Version: 5.0.3.0 (iOS)
Link to Debug Log
https://debuglogs.org/c367cd3a70c3af7567d28c9f9df47c42ca8e85ef7faa1631760d5b1379656628
The text was updated successfully, but these errors were encountered: