This article talks about how the new text protocls approved by ICANN can be used by criminals to make completely identical "paypal.com" urls :-
http://mashable.com/2010/01/01/idn-phishing/

What you end up seeing in your browser is "paypal.com" but in cyrillic alphabet it is really "raural.com". It just depends on how hte browser renders the cyrillic into a readable font on your mahcine.

Any idea how kneleon could handle it? Apparently firefox uses "punycode" but i have not read what that is in detail on wikipedia.

Interesting stuff!

btw -- the suggested workaround is to always type your own "paypal.com" link in and now rely on a website link to reach it.

Very interesting article. I have cyrillic fonts installed, would that be of any help?

You can check the host IP to verify authentication site.
There are some KM extensions to do it.

K-Meleon in Spanish

Quote
branson
Apparently firefox uses "punycode" but i have not read what that is in detail on wikipedia.

Any idea how kneleon could handle it? Apparently firefox uses "punycode"

No idea about tech. details. The same way as Firefox. K-Meleon uses punycode.


p.s. Firefox and K-Meleon share the same infrastructure.

The chief difference between the two browsers is how the GUI is done.

I have seen punicode - I speak a language that has more letters than en-US.



Edited 1 time(s). Last edit at 01/02/2010 05:42PM by guenter.

Hmm, just wondering, wouldn't it be easier to simply allow only a chosen font for the URL-bar, a font which can only display ASCII-characters and for all the others displays a little box or "?" or something... Or, perhaps it can even display stuff like äöüß, meaning all those characters, which may not exist in ASCII but clearly look DIFFERENT enough, so they can't be confused with any other character when reading them... Meaning not the same "look" allowed for two different characters...

Just a macro with an accelerator or menu shortcut.

Checking $URL string is equal to xxx text, then, site secure.

Let's say we are at some paypal domain:

$aaa = index($URL, "paypal");

$aaa != -1 ? alert("this is not paypal") : alert("you are safe") ;

Quite easy.

So is this just about the URL bar? I always depend on the status bar link info when hovering over links before I click'm.

From what I understand it's about UTF-8 fonts, so if the same font is used for URL-bar and status-bar, both would look the same...

www.xn--fhrerschein-ohne-mpu-pec.de. This is how punicode looks. From an old statistic, an old site. Not updated for long.

The current site will redirect You? Else now its URL actually looks like:
http://www.führerschein-ohne-mpu.de/index.html.

Probable reason: Umlaut domains have become possible.

Punicode is a way to refunel other Alphabets into ASCII (American Standard Code for Information Interchange). Which was originally the only allowed Alphabet for domain names.

The recent changes were needed to have sensible domain names in all languages.
AFAIK any "Alphabet" is allowed now in domain names. It alleviates a shortage.

Any demand that letter combinations miss-guiding the English speaking minority on this planet MUST be banned or prevented are IMHO obsolete. The majority of potential (maybe even current) Netizens uses languages that do not have ASCII symbols.

p.s. It is up to Payapal to occupy extra domains to protect its customers.
IMHO the market will take care of companies that cannot protect their own interests.



Edited 3 time(s). Last edit at 01/02/2010 09:50PM by guenter.

Quote
jsnj
So is this just about the URL bar? I always depend on the status bar link info when hovering over links before I click'm.

Quote
siria
From what I understand it's about UTF-8 fonts, so if the same font is used for URL-bar and status-bar, both would look the same...

Depends of the font you have in your system to display Windows texts. If you have a non-UTF font or a font like Lucida console, you can easily know looking at your status bar, but that's ugly to see that font on the system.

Quote
guenter
p.s. It is up to Paypal to occupy extra domains to protect its customers.
IMHO the market will take care of companies that cannot protect their own interests.

I don't think we must charge this responsibility on companies, only.

With a bit of code, talking about browsers, maybe alerting when UTF domain name is used, and/or, about users, simple macros as I told or plugins, or, you know.

In security, comfort is not equal to security. Bother yourself on your own security

Yep, my view exactly! What does it help you, that you walked over the street at green lights, without looking left or right because it's the job of the cars to stop at red, if a car has run you over anyway?? :cool:

To exclude possibility completely You must bar or better own the relevant NAMES/IPs.

Technical solutions on the browser side take time and devs to develop.
Companies got to think ahead and be there before the crooks.

Else You will run like the hare in the German Fairy tale.
Cause the hedgehogs will always tell that they are there already.

p.s. was hilft die Ampel und das Gucken, wenn das Auto im Dunkeln ohne Licht kommt?

Die Firmen müssen für die Sicherheit sorgen - die Entwicklung oder Domänsperrung zahlen.



Edited 2 time(s). Last edit at 01/03/2010 11:31PM by guenter.

Just a side note, because I stumbled over this while searching something else (as usual :cool

http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
Pref: network.enableIDN
Determines whether to use IDN (International Domain Name) support in the browser

There's quite a list of hits for "IDN" in about:config, incl. black- and whitelists etc. Played a bit with it, just for curiosity

network.enableIDN = true:
www.bücher.com opens a page, the URL Bar turns into www.xn--bcher-kva.com

network.enableIDN = false:
www.bücher.com says "Address not found"

So, as long as someone can live with surfing only on ASCII-name-domains, that setting would ensure that only those are found.
Thinking about it, since this involves just toggling a pref, it could make a nice addition for the privacy menu for the paranoid... (like me)
And thinking yet again, hmm - and what if someone gets a domain paypaI?? (big "i" instead of small "l", depending on the used font rather inconspicuous... Or "0" instead of "O"... zero/o... etc)



Edited 1 time(s). Last edit at 01/31/2010 01:36AM by siria.

Quote
siria
And thinking yet again, hmm - and what if someone gets a domain paypaI?? (big "i" instead of small "l", depending on the used font rather inconspicuous... Or "0" instead of "O"... zero/o... etc)

That is already being used by phishing attacks so if you haven't fall in the trap until now, I think you won't in the future.

But anyway, with the method I told (above) or changing the system font to a monospace one or just pasting in notepad, would be enough.

Security != to comfort.

Be used to it.



Edited 1 time(s). Last edit at 01/31/2010 02:06AM by JohnHell.

I got a newsletter from OpenDNS yesterday:

"PhishTank report: Top phishing trends in January 2010
PhishTank

As an OpenDNS user, you're more mindful than the average netizen about securing your network and protecting your household. Protection from phishing (fraudulent attempts to steal your personal information via email) is turned on by default in all versions of OpenDNS. We offer some of the best phishing protection available, powered through our PhishTank anti-phishing effort.

Every month PhishTank produces the most accurate and timely statistics about phishing on the Internet. Here's a peek at what you and yours should be on the lookout for this month.

Phishes spoofing the following organizations or brands:

* PayPal
* Facebook
* The Internal Revenue Service (USA)"

So make a favor to yourself using OpenDNS. I have it for long time.

test punycode...

führerschein.de
bücher.net

Can't believe that, first wondered if it has anything to do with the way a page is opened (highlight text / open as url?), but now see it depends on the country code! :O

Just typed both addies with my own keyboard directly into the url bar, and both contain the exactly same german umlaut character "ü". But only the second one is shown in punycode, in status bar and url bar: "xn--bcher-kva.net"
The first link is still displayed as "führerschein.de" in both bars.

Checking about:config I find those current *default* settings:
network.IDN_show_punycode = false
network.enableIDN = true
And an endless list of "idn.whitelist" entries, all by default "true"
Will have to play a bit with those...

---
Setting both to "false" makes that now ALL "ü" are shown as "ü", not puny
---
Setting both to "true" makes that now ALL "ü" are shown and opened as puny:
xn--fhrerschein-thb.de + xn--bcher-kva.net

network.IDN_show_punycode = true also makes that the whitelist is ignored, acc. to the pref description.
---

And there I had thought all the time that it would work on all sites, OOPS!
Call me paranoid, but browser settings are my only protection, am not ready to rely on all companies all over the world to 100% protect all their x other "identic looking" domain possibilities in all alphabets and countries. Now hurrying to modify this setting also for brandnew "default" profiles...
By adding in k-meleon/defaults/pref a new file, alongside my other personal useragents and searchengines sheet, let's call it now
"my_othersettings.js", and give it the content
//###### Shows URL in punycode for all country domains, and ignores whitelist:
pref("network.IDN_show_punycode", true);
And now copy over that file into my other KM versions...

IMHO that could also use a little checkbox in pref sheets. Or a privacy menu toggle, if e.g. russian users occasionally want to toggle on-off... or... no idea... ;-)



Edited 5 time(s). Last edit at 04/10/2011 09:22AM by siria.