[tor-bugs] #21961 [Applications/Tor Browser]: should torbrowser enable network.IDN_show_punycode by default?
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jul 19 05:54:28 UTC 2017
#21961: should torbrowser enable network.IDN_show_punycode by default?
--------------------------------------+------------------------------
Reporter: cypherpunks                 | Owner: tbb-team
Type: enhancement                     | Status: needs_review
Priority: Immediate                   | Milestone:
Component: Applications/Tor Browser   | Version:
Severity: Normal                      | Resolution:
Keywords:                             | Actual Points:
Parent ID:                            | Points:
Reviewer:                             | Sponsor:
--------------------------------------+------------------------------
Comment (by cypherpunks):

The fact that Chrome/Chromium has this mitigated, while Firefox has
stubbornly refused to change their behavior, calling it someone else's
problem, is one of the many reasons that people (rightfully) criticize
Firefox and its devs for having poor security. Imagine how easy it would
be for an administrator of a dissident website, or the code repository
website for a critical or popular program (such as Tor?) to be
compromised.

Perhaps only enable the punycode feature when not on the lowest security
level? The description in the browser security slider could say "Domains
with Unicode may not display properly", with the mouseover text saying
"Characters that can be used to create a domain that looks identical to an
existing domain will be displayed differently".

I'm going to have to require all the important members of a website I own
to log in exclusively using client certificates, since they will only work
on the correct domain. I would much rather not have to do
something which has an impact on my users just because poorly-secured
browsers insist on this being someone else's problem.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21961#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
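
What "displayed differently" means for the pref in the ticket title, as an added example that is not part of the original comment or of Tor Browser's code: a small Python model of rendering a hostname with and without punycode display. The function names, the `show_punycode` parameter and the `.example` hostnames are assumptions made for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # RFC 3490 prefix marking a Punycode-encoded label


def to_ace(label: str) -> str:
    """Return the ASCII-compatible (Punycode) form of one DNS label."""
    if label.isascii():
        return label.lower()
    # Python's built-in "punycode" codec implements RFC 3492 encoding only;
    # this sketch applies no further IDNA validity checks.
    return ACE_PREFIX + label.lower().encode("punycode").decode("ascii")


def display_host(host: str, show_punycode: bool) -> str:
    """Model of the address-bar text: with show_punycode set, every
    non-ASCII label is shown in its xn-- form instead of as Unicode."""
    if not show_punycode:
        return host
    return ".".join(to_ace(label) for label in host.split("."))


def scripts(label: str) -> set:
    """Rough script inventory of a label, taken from Unicode character names.
    A look-alike written entirely in one script reports a single script,
    so a mixed-script check alone would not flag it."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


# Constructed sample: Latin "apple" and an all-Cyrillic label that renders
# almost identically in many fonts.
GENUINE = "apple.example"
LOOKALIKE = "\u0430\u0440\u0440\u04cf\u0435.example"

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        first_label = host.split(".")[0]
        print(f"{host!r:45} unicode={display_host(host, False)} "
              f"punycode={display_host(host, True)} "
              f"scripts={sorted(scripts(first_label))}")
```

With punycode display on, the two hostnames no longer look alike: the genuine one is unchanged and the look-alike appears as an `xn--` string.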