Documented here:
https://www.kicksecure.com/wiki/Social_Engineering#IDN_Homograph_Attacks
https://www.xudongz.com/static/942a1d48cb68b8678e2713249d1ae7ceaf9fa4c39767562a8caf6cc856626160.png
Awful. 3 years unfixed Mozilla @firefox #security issue. And @mozilla refuses to fix it. Tor Browser also affected. @torproject
https://www.аррӏе.com/ shows up as apple.com, even including the green SSL lock. It is a demonstration, a proof of concept of a phishing site by a security researcher.
https://www.xn--80ak6aa92e.com/ shows up as https://www.apple.com.
Note: there is nothing Apple specific about this issue. Apple was just used as an example by the security researcher. The issue lies with Firefox, which displays such domains in their Unicode form instead of their punycode form.
I can’t even find Mozilla’s rationale for being adamant about this. 3 years ago they wrote:
We now have an FAQ which makes our position clear:
IDN Display Algorithm FAQ - MozillaWiki
Nowadays this wiki page is empty (links to another empty wiki page).
Any reason why it is not enabled by default in Firefox? Any reason against enabling it?
Workaround: go to about:config in the Firefox URL bar, search for network.IDN_show_punycode and double click to change its setting from false to true.
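As an added example (not code from the original post, from Mozilla or from the Tor Project), the script below does what the address bar has to do with the researcher's domain: it punycode-decodes the xn-- label, shows the hostname as it would look with network.IDN_show_punycode set to false and to true, and flags labels that either mix scripts or consist entirely of non-Latin letters that render like ASCII. The Cyrillic lookalike table is constructed and illustrative, script detection from Unicode character names is a heuristic, and display_hostname only emulates the effect of the setting; none of this is Firefox's own algorithm.

```python
# Added example (not from the original post or from Mozilla/Tor Project):
# decode IDN labels the way a browser must before display, and flag
# labels made entirely of non-Latin letters that render like ASCII, which
# is the case the network.IDN_show_punycode workaround covers.
import unicodedata
from typing import Optional

ACE_PREFIX = "xn--"

# Constructed, illustrative table of Cyrillic letters that look like Latin
# ones in common fonts; a real checker would use the Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
    "\u0456": "i",  # і
    "\u0458": "j",  # ј
    "\u04bb": "h",  # һ
    "\u04cf": "l",  # ӏ (palochka)
}


def label_to_unicode(label: str) -> str:
    """Decode one hostname label: strip the ACE prefix and punycode-decode it."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def label_to_ace(label: str) -> str:
    """Encode one Unicode label to its xn-- form (pure punycode, no nameprep)."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def scripts_of(label: str) -> set:
    """Heuristic script set: the first word of each letter's Unicode name
    (LATIN, CYRILLIC, GREEK, ...). ASCII digits and hyphens are ignored."""
    scripts = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_risk(label: str) -> Optional[str]:
    """Return a reason if the label is a likely homograph of an ASCII name, else None.
    Two cases are flagged: letters from more than one script, and a single
    non-Latin script whose every letter has an ASCII lookalike."""
    uni = label_to_unicode(label)
    if uni.isascii():
        return None
    scripts = scripts_of(uni)
    if len(scripts) > 1:
        return "mixed scripts: " + ", ".join(sorted(scripts))
    lookalike = "".join(CYRILLIC_LOOKALIKES.get(ch, "?") for ch in uni)
    if "?" not in lookalike:
        return f"all-Cyrillic label renders like ASCII '{lookalike}'"
    return None


def display_hostname(host: str, show_punycode: bool) -> str:
    """Emulate the address bar: with show_punycode every label is shown in
    its xn-- form; without it every label is shown decoded to Unicode."""
    labels = host.split(".")
    if show_punycode:
        return ".".join(label_to_ace(lbl) for lbl in labels)
    return ".".join(label_to_unicode(lbl) for lbl in labels)


if __name__ == "__main__":
    demo = "www.xn--80ak6aa92e.com"  # the researcher's proof-of-concept domain
    for setting in (False, True):
        print(f"network.IDN_show_punycode={setting}: {display_hostname(demo, setting)}")
    for part in demo.split("."):
        print(part, "->", homograph_risk(part))
```

Running it shows why the setting matters: with show_punycode false the demo host renders as www.аррӏе.com, five Cyrillic letters that most fonts draw like "apple", while with it true the address bar keeps www.xn--80ak6aa92e.com, and homograph_risk reports the label as all-Cyrillic with an ASCII lookalike. A legitimate single-script IDN such as xn--mnchen-3ya (münchen) is not flagged, which is the distinction Mozilla's display algorithm tries to draw without showing punycode for every IDN.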
References:
- Tor Browser bug report: Use sane about:config value: network.IDN_show_punycode = true (#27887) · Issues · Legacy / Trac · GitLab
Screenshot:
https://www.xudongz.com/static/942a1d48cb68b8678e2713249d1ae7ceaf9fa4c39767562a8caf6cc856626160.png
Thanks to @madaidan for pointing out this issue on Telegram. Quote @madaidan:
Weird this hasn’t been enabled yet.