This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Support
Support
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Do not show punycode for URLs when all characters in the domain name do not have ASCII lookalikes

tyzbit
New member
‎04-02-2024 10:18 AM
Status: New idea

Since 2003, Punycode has been available to encode a wider character set than ASCII into domains that still adhere to rules for domain names. This allows users to enter characters from languages with alphabets larger than or in the place of ASCII characters for domain names and have them resolve as expected.

A major downside of Punycode and support for expanded character sets for domain names is known as International Domain Name homo graph attack: https://en.wikipedia.org/wiki/IDN_homograph_attack#Homographs_in_internationalized_domain_names . This allows attackers to show a domain name that looks extremely similar to a more well-known domain name in order to pilfer data. From Wikipedia:

For example, a regular user of exаmple.com may be lured to click on it unquestioningly as an apparently familiar link, unaware that the third letter is not the Latin character "a" but rather the Cyrillic character "а" and is thus an entirely different domain from the intended one. 

Firefox (as released with English as the default language) handles this by decoding all internationalized domain names as their decoded forms, so `I❤️.ws` gets decoded as `xn--i-7iq.ws`. This is a safe way to defend against IDN attacks, however the user experience is poor. Whether the user clicked a link or even if the user directly typed the URL, the address becomes a string of letters that do not have any meaningful interpretation for a user.

I propose that for a subset of the extended character set allowed via Punycode, characters that do not have ANY ASCII lookalikes (for example, kanji or emojis) in the entire domain are not decoded and instead are rendered with their non-Punycode encoded characters.

In addition to a more pleasant experience for users using domains with characters other than ASCII, it would also improve the experience for domains with emoji in them. A large portion of emoji are also easily distinguishable from ASCII characters. If the domain has even one character that is visually similar to an ASCII character, Firefox should retain current behavior by decoding the domain and presenting that to the user.

See more ideas labeled with:
Comment
2 Comments
Status changed to: New idea
Jon
Community Manager
Community Manager
‎04-02-2024 01:31 PM
‎04-02-2024 01:31 PM

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

Kappa
Making moves
‎04-12-2024 10:14 PM
‎04-12-2024 10:14 PM

Not a fan. As far as I know, Firefox does not show punycode by default and that's a flag you have to enable manually. Which is the main problem here as it's an obvious attack vector.

However, if your suggestion were to be implemented:

  •  You'd have to create/maintain an "official" set of characters which do have lookalikes in God knows what Unicode page (granted, these lists exist already)

    • Any character that is missing from this list (either because it was added to Unicode at a later point, or because it was missed initially) would then be even more dangerous, since users would be fooled into thinking they're safe when they're not
Copyright © 2024 Khoros, LLC