Hi,
While the presented fake slash seems the best way to obviously scream THIS IS AN ATTACK, the fake question mark made me try to wipe some dirt from the screen until I realized that it is part of the character. I think I have found a way better workaround that will not be circumvented once someone bothers to look for more characters. The solution is:
network.IDN_show_punycode = true

Of course this is not possible for some users, but most average users (US/UK/DE) should not need IDN. As a German user (we have umlauts), I do not know a single site that uses them in the domain name, except for one that immediately redirects to an ASCII-only domain. So it might be worth considering whether we should simply ask users if they want full IDN or rather Punycode, or issue a warning pop-up on IDN sites ("This site uses unusual characters in the domain name. If you expected this, please ignore this warning; otherwise it might be an attack. Proceed with caution").

BTW: characters U+2215 and U+2044, and maybe also U+2571 and U+3003, seem similar; all are "fake slashes". I guess you want to blacklist them too if you try that way. U+244A might be nasty too (a double backslash as one character, which may look like a trusted "local Windows server"). Many fake pipe symbols too.

Jan



--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
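As an added illustration of the two measures proposed in the message above (render IDN labels as Punycode, the way network.IDN_show_punycode = true does, and flag "unusual" characters), the following Python script is an example written for this page; it is not code from the post, from Mozilla, or from Firefox. The code points listed in the post are kept apart from a few assumed additions (full-width and "fake pipe" characters), and the hostnames in the usage block are constructed samples. The script uses plain Punycode per label for display and skips the IDNA mapping step a browser performs before DNS lookup.

```python
"""Show IDN hostnames as Punycode and flag look-alike punctuation.

Added example for this thread (not Mozilla code). The POSTED set is the
list from the message; ASSUMED is this example's own addition.
"""
import unicodedata

# Code points named in the post as look-alikes of '/', '\\' or '|'.
POSTED_CONFUSABLES = {
    0x2215,  # DIVISION SLASH
    0x2044,  # FRACTION SLASH
    0x2571,  # BOX DRAWINGS LIGHT DIAGONAL UPPER RIGHT TO LOWER LEFT
    0x3003,  # DITTO MARK
    0x244A,  # OCR DOUBLE BACKSLASH
}
# Assumption of this example (not from the post): some "fake pipes" and
# full-width forms that look like ASCII URL delimiters.
ASSUMED_CONFUSABLES = {
    0x2223,  # DIVIDES
    0x2758,  # LIGHT VERTICAL BAR
    0xFF5C,  # FULLWIDTH VERTICAL LINE
    0xFF0F,  # FULLWIDTH SOLIDUS
    0xFF1F,  # FULLWIDTH QUESTION MARK
}
CONFUSABLES = POSTED_CONFUSABLES | ASSUMED_CONFUSABLES
URL_DELIMITERS = set("/?\\|#@:")


def to_punycode_label(label):
    """Render one label as IDN_show_punycode=true would: xn-- plus Punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_punycode_label(label):
    """Inverse of to_punycode_label, for round-trip checks."""
    if not label.startswith("xn--"):
        return label
    return label[4:].encode("ascii").decode("punycode")


def suspicious_chars(label):
    """Return (char, 'U+XXXX NAME', reason) for each look-alike in a label.

    Two tests: membership in the blacklist above, and a generic one that
    catches characters whose NFKC compatibility form contains an ASCII URL
    delimiter (e.g. the full-width reverse solidus), so a blacklist that
    misses a code point still gets a second chance.
    """
    found = []
    for ch in label:
        cp = ord(ch)
        folded = unicodedata.normalize("NFKC", ch)
        reason = None
        if cp in CONFUSABLES:
            reason = "listed confusable"
        elif not ch.isascii() and folded != ch and any(c in URL_DELIMITERS for c in folded):
            reason = "NFKC folds to URL delimiter %r" % folded
        if reason:
            found.append((ch, "U+%04X %s" % (cp, unicodedata.name(ch, "?")), reason))
    return found


def inspect_hostname(host):
    """Produce the Punycode display form plus findings for a hostname."""
    labels = host.split(".")
    findings = [(label,) + hit for label in labels for hit in suspicious_chars(label)]
    return {
        "display": host,
        "punycode": ".".join(to_punycode_label(label) for label in labels),
        "is_idn": any(not label.isascii() for label in labels),  # warn-pop-up trigger
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: an umlaut domain (legitimate IDN) and a spoof
    # that hides a fake slash (U+2215) inside a single label.
    for sample in ("www.münchen.de", "www.paypal.com\u2215login.evil.example"):
        report = inspect_hostname(sample)
        print(report["display"], "->", report["punycode"])
        for label, ch, name, why in report["findings"]:
            print("  label %r: %s (%s)" % (label, name, why))
```

Run as a script, the umlaut domain is reported as IDN but without findings, while the spoof shows its third label as xn--... and names the division slash, which is the "THIS IS AN ATTACK" signal the post is after.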
