Re: [Tails-dev] [Tails-support] Tails Browser Vulnerability

Delete this message

Reply to this message
Autor: intrigeri
Data:  
Para: Tails developers
Assunto: Re: [Tails-dev] [Tails-support] Tails Browser Vulnerability
hi,

[redirecting to tails-dev@, Bcc'ing -support@ once.]

Whitey:
> intrigeri:
>> Whitey:
>>> https://www.theregister.co.uk/2017/04/18/homograph_attack_again/
>>
>>> The article shows links that look like "apple.com" or "epic.com", but
>>> are actually "xn--80ak6aa92e.com" and "xn--e1awd7f.com".


Let's get this straight first, to avoid basing our reasoning on
mistaken assumptions: they are something that very much looks like
"apple.com" and "epic.com" visually, but that is not "apple.com" nor
"epic.com", and that can optionally be encoded and displayed as
"xn--80ak6aa92e.com" and "xn--e1awd7f.com" (punycode encoding).

>>> At the present time it affects Firefox 52 and it's derivatives, as well
>>> as Chrome 57.
>>
>> Please check if the Tor Browser developers are aware of it,
>> and if not, let them know: this is not the kind of things that should
>> be fixed in Tails only.


> O.K., did that


Thanks. For the record, the Tor Browser ticket about it is:
https://trac.torproject.org/projects/tor/ticket/21961

> but Tails developers should address the issue no matter
> what the Tor Browser developers do.


Relevant info can also be found there:
https://bugzil.la/1332714
https://www.chromium.org/developers/design-documents/idn-in-google-chrome

My understanding is that this is a complex issue, that has no
obviously good solution: _always_ displaying punycode, as was
suggested on this thread, would substantially harm web usability for
users of languages written in non-Latin scripts. And the current state
of things can make successful phishing attacks easier.

So from where I stand, I'd rather let Mozilla and Tor Browser people
make up their mind first, and come back to it once the dust has
settled, decisions have been made, and we can draw inspiration from
their reasoning.

> On a non-Tails Tor Browser
> installation the user can change the setting himself and it will persist
> after a reboot. User Tor Browser configuration changes in Tails,
> however, are not persistent.


Sure, this is a strong argument in favour of shipping good default
settings that work for most users. As said above, it's not obvious to
me that the defaults we ship in Tails currently are worse than the
other option, all things considered.

Cheers,
--
intrigeri