hi,

[redirecting to tails-dev@, Bcc'ing -support@ once.]

Whitey:
> intrigeri:
>> Whitey:
>>> https://www.theregister.co.uk/2017/04/18/homograph_attack_again/
>>
>>> The article shows links that look like "apple.com" or "epic.com", but
>>> are actually "xn--80ak6aa92e.com" and "xn--e1awd7f.com".

Let's get this straight first, to avoid basing our reasoning on
mistaken assumptions: they are something that very much looks like
"apple.com" and "epic.com" visually, but that is not "apple.com" nor
"epic.com", and that can optionally be encoded and displayed as
"xn--80ak6aa92e.com" and "xn--e1awd7f.com" (punycode encoding).

>>> At the present time it affects Firefox 52 and its derivatives, as well
>>> as Chrome 57.
>>
>> Please check if the Tor Browser developers are aware of it,
>> and if not, let them know: this is not the kind of thing that should
>> be fixed in Tails only.

> O.K., did that

Thanks. For the record, the Tor Browser ticket about it is:

  https://trac.torproject.org/projects/tor/ticket/21961

> but Tails developers should address the issue no matter
> what the Tor Browser developers do.

Relevant info can also be found there:

  https://bugzil.la/1332714
  https://www.chromium.org/developers/design-documents/idn-in-google-chrome

My understanding is that this is a complex issue, that has no
obviously good solution: _always_ displaying punycode, as was
suggested on this thread, would substantially harm web usability for
users of languages written in non-Latin scripts. And the current state
of things can make successful phishing attacks easier.

So from where I stand, I'd rather let Mozilla and Tor Browser people
make up their mind first, and come back to it once the dust has
settled, decisions have been made, and we can draw inspiration from
their reasoning.

> On a non-Tails Tor Browser
> installation the user can change the setting himself and it will persist
> after a reboot. User Tor Browser configuration changes in Tails,
> however, are not persistent.

Sure, this is a strong argument in favour of shipping good default
settings that work for most users. As said above, it's not obvious to
me that the defaults we ship in Tails currently are worse than the
other option, all things considered.

Cheers,
-- 
intrigeri
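Added example, not part of the original message and not code from Tails, Tor Browser or Mozilla: a check that decodes the two punycode hostnames quoted in the thread, reports which script each label is written in, and flags labels that contain no Latin letters yet fold to plain ASCII. The function names and the `LOOKALIKES` table are constructed for illustration (the table covers only the characters in those two domains), and script detection by Unicode name prefix is an approximation.

```python
import unicodedata

# Constructed table: only the lookalike characters found in the two domains
# quoted in the thread, mapped to the Latin letter each one resembles.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def decode_label(label):
    """Return the Unicode form of one DNS label (xn-- labels are punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def inspect(hostname):
    """Decode every label; report its scripts and the Latin string it imitates."""
    report = []
    for label in hostname.split("."):
        text = decode_label(label)
        found = scripts(text)
        skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
        # Suspicious: no Latin letters at all, yet it folds to plain ASCII.
        spoof = bool(found) and "LATIN" not in found and skeleton.isascii()
        report.append({"label": label, "unicode": text, "scripts": sorted(found),
                       "skeleton": skeleton, "lookalike": spoof})
    return report


if __name__ == "__main__":
    # Hostnames from the thread, a plain ASCII one, and an ordinary Cyrillic word.
    for host in ("xn--80ak6aa92e.com", "xn--e1awd7f.com", "apple.com", "пример.com"):
        for row in inspect(host):
            print(host, row)
```

An ordinary Cyrillic label such as пример is not flagged, because it contains letters with no Latin lookalike in the table; only labels made up entirely of lookalikes are.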
