The bot skips an important point. The site looks really close to the genuine site, only difference being “ķeepass dot info” and not “keepass”. Definitely easy to miss.
I feel like browsers should flag urls with unicode in their domains as suspicious by default. Maybe they already do, not sure. It’s honestly surprising to me in 2023 if they don’t.
I wouldn’t mind if FF popped up and said “hey, take another look at that URL” and very clearly drew attention to the weird k character. Of course it would have a “I’m absolutely sure this isn’t a scam, I own this domain or know who owns it and you don’t need to warn me about it in the future” button, but better safe than sorry.
FF Desktop shows xn–eepass-vbb[.]info for me. (Edit: Was just told on HN that I have a non-default flag, in about:config set network.IDN_show_punycode to true if you want this behavior)
FF Android redirects me to the real keepass page and I have no idea why :D
You are probably joking, but yes. Someone else using curl also got redirected to a Rick Roll YT video, apparently the creator of the malware had some fun with it before they shut it down, their “Look I’m on TV moment” ;)
This should be ON by default, in my opinion. Also, I believe Mozilla has a massive opportunity here to demarcate themselves as the more security-conscious browser vendor. “This phishing trick works on all major browsers except Firefox” would be great publicity material.
Not that easy, imo. I’m pretty sure there are countries, especially with non-latin alphabets, who regularly use IDNs.
edit: Including Germany, where FF on Desktop is still a mainstream browser at around 20% (and I’d bet FF gets regularly undercounted because FF users are more likely to block trackers).
They could add some kind of warning message that notifies you when the URL has unicode in it. Then the user can decide if they want to disable the warning or not.
That’s true. Also I guess domain names in most ideogram-based languages cannot be meaningfully converted to ASCII. The best detection method I’m aware of is detecting a mix of different alphabets in the domain, but I imagine even this has a lot of false positives
Turning it on by default would be a massive disservice to the work that domain registries and registrars have been doing to allow Unicode to be used in domain names. In Spanish speaking countries the ñ character is pretty ubiquitous for example, and the workaround of replacing it with an n creates many problems like misdirected web traffic and typos in email addresses. Unicode in URLs and domain names is a feature, abuse should be attacked by means other than disabling it.
I thought that they only show unicode chars if they are used in one of the installed languages of the browser and if not they show the punycode instead 🤔
The bot skips an important point. The site looks really close to the genuine site, only difference being “ķeepass dot info” and not “keepass”. Definitely easy to miss.
I feel like browsers should flag urls with unicode in their domains as suspicious by default. Maybe they already do, not sure. It’s honestly surprising to me in 2023 if they don’t.
I wouldn’t mind if FF popped up and said “hey, take another look at that URL” and very clearly drew attention to the weird k character. Of course it would have a “I’m absolutely sure this isn’t a scam, I own this domain or know who owns it and you don’t need to warn me about it in the future” button, but better safe than sorry.
FF Desktop shows xn–eepass-vbb[.]info for me. (Edit: Was just told on HN that I have a non-default flag, in
about:config
setnetwork.IDN_show_punycode
totrue
if you want this behavior)FF Android redirects me to the real keepass page and I have no idea why :D
deleted by creator
Lol are you sure?
You are probably joking, but yes. Someone else using curl also got redirected to a Rick Roll YT video, apparently the creator of the malware had some fun with it before they shut it down, their “Look I’m on TV moment” ;)
deleted by creator
This should be ON by default, in my opinion. Also, I believe Mozilla has a massive opportunity here to demarcate themselves as the more security-conscious browser vendor. “This phishing trick works on all major browsers except Firefox” would be great publicity material.
Not that easy, imo. I’m pretty sure there are countries, especially with non-latin alphabets, who regularly use IDNs.
edit: Including Germany, where FF on Desktop is still a mainstream browser at around 20% (and I’d bet FF gets regularly undercounted because FF users are more likely to block trackers).
They could add some kind of warning message that notifies you when the URL has unicode in it. Then the user can decide if they want to disable the warning or not.
That’s true. Also I guess domain names in most ideogram-based languages cannot be meaningfully converted to ASCII. The best detection method I’m aware of is detecting a mix of different alphabets in the domain, but I imagine even this has a lot of false positives
Seems to be on by default in Librewolf(I just checked mine from the AUR on Arch), maybe consider that one!
Turning it on by default would be a massive disservice to the work that domain registries and registrars have been doing to allow Unicode to be used in domain names. In Spanish speaking countries the ñ character is pretty ubiquitous for example, and the workaround of replacing it with an n creates many problems like misdirected web traffic and typos in email addresses. Unicode in URLs and domain names is a feature, abuse should be attacked by means other than disabling it.
I thought that they only show unicode chars if they are used in one of the installed languages of the browser and if not they show the punycode instead 🤔
I was just pointed to this https://kb.mozillazine.org/Network.IDN.whitelist.* URL, FF has a limited whitelist of TLDs where they allow IDNs. It just seems that .info happens to be one of them.
Incredibly easy to miss, damn.