On Wed, Apr 19, 2017, at 16:08, John Lane wrote:
> Interesting article[1] on the register today about internationalised
> domain name (IDN) spoofing using Punycode[2].
>
> I think it's quite alarming that many browsers show you what looks like
> apple.com which in reality is something entirely different. That's
> something new I've learnt today!
>
> This can be configured against in Firefox about:config by setting
> "network.IDN_show_punycode=true"
I thought all of this was fixed years ago by normalizing various homographs to their Latin variant. Guess not :-/

There are some other fixes we could do as well. If we see that punycode is being used, we can try to do a lookup to the normalized domain name, and if it exists, use that (possibly with a warning). That way the "Cyrillic Apple" becomes regular ol' apple.com. I don't know how fool-proof unicode normalisation is, though. Unicode is pretty large, so there may be oversights?

Another, safer, way would be to improve on the Firefox setting by including a whitelist of codepoints for common "safe" scripts, such as Arabic, Hangul, Chinese, Kanji, and perhaps a few others. If all characters fall in that range: show the codepoints, else show the punycode. That particular domain from the article uses Cyrillic, so we can't add that to the whitelist.
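The script-whitelist display rule proposed in the reply above, written out as an added Python example (not code from the thread or from Firefox). The whitelist set, the use of the first word of each character's Unicode name as a stand-in for the Unicode Script property (the stdlib exposes no Script lookup), and the sample labels are all constructed here as assumptions.

```python
import unicodedata

# Scripts whose code points are shown as Unicode; anything else falls back
# to the raw punycode label. Latin is added so ordinary labels pass.
# Hypothetical whitelist, following the scripts named in the message.
SAFE_SCRIPTS = {"LATIN", "ARABIC", "HANGUL", "CJK"}


def script_of(ch: str) -> str:
    """Heuristic script lookup: first word of the Unicode character name,
    e.g. "CYRILLIC SMALL LETTER A" -> "CYRILLIC". Unnamed code points -> ""."""
    return unicodedata.name(ch, "").split(" ", 1)[0]


def label_is_safe(u_label: str) -> bool:
    """True when every non-ASCII code point belongs to a whitelisted script,
    so a label mixing Cyrillic with Latin is rejected as a whole."""
    return all(ord(c) < 128 or script_of(c) in SAFE_SCRIPTS for c in u_label)


def display_label(a_label: str) -> str:
    """Choose the form of one hostname label to show to the user."""
    if not a_label.lower().startswith("xn--"):
        return a_label                      # plain ASCII label, nothing to decide
    try:
        u_label = a_label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return a_label                      # malformed punycode: never hide it
    return u_label if label_is_safe(u_label) else a_label


def display_hostname(host: str) -> str:
    """Apply the rule label by label; one unsafe label stays punycode."""
    return ".".join(display_label(lab) for lab in host.split("."))


def to_alabel(u_label: str) -> str:
    """Encode a Unicode label as an xn-- label (used to build the samples)."""
    return "xn--" + u_label.encode("punycode").decode("ascii")


if __name__ == "__main__":
    # Constructed samples, not the domain from the article.
    samples = [
        to_alabel("\u0430\u0440\u0440\u04cf\u0435") + ".com",  # all Cyrillic
        to_alabel("\u0430pple") + ".com",                      # Cyrillic a + Latin
        to_alabel("\ud55c\uad6d") + ".kr",                     # Hangul, whitelisted
        "example.com",
    ]
    for s in samples:
        print(f"{s:28} -> {display_hostname(s)}")
```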
