Issue 668905

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security



Security: Unicode characters in omnibox not highlighting

Reported by kaspergr...@gmail.com, Nov 27 2016

Issue description

If non-Latin characters are highlighted in the omnibox, you can reduce the risk of a phishing attack.

 
2016-11-27_23-58-00.png (8.3 KB)
Labels: Needs-Feedback
Can you please clarify whether you are suggesting:

1) non-latin characters should be highlighted in the omnibox (feature request)

2) there is some security issue because when you highlight the URL in the omnibox, non-latin characters aren't highlighted?
1. It's a feature request.

First address example:
https://bugs.chromium.org

And the address:
https://bugs.chrоmium.org

In the first case, the Latin o is used. In the second case, the Russian letter о is used.
But they look exactly the same, so you cannot trust what is written in the Omnibox. It can always be a phishing attack.




Cc: mgiuca@chromium.org

Comment 4 by mgiuca@chromium.org, Nov 29 2016

Cc: js...@chromium.org pkasting@chromium.org
Components: UI>Browser>Omnibox
#2 I can't reproduce this on Linux. Can you provide details about your platform and Chrome version (from chrome://version)?

Chrome already has protection built in for this: domains with mixed scripts are shown in Punycode so it's obvious they are not right.

See attached screenshot: the second URL (https://bugs.chrоmium.org) shows up as https://bugs.xn--chrmium-cjg.org/.

If there is a bug here, it's because the domain label "chrоmium" is not being correctly converted into Punycode (there is no highlighting required).
omnibox-idna.png (7.4 KB)
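
The protection comment 4 describes (mixed-script labels shown in Punycode), as an added example that is not part of the thread and not Chrome's code. It is a simplification, not Chrome's actual IDN policy: the script list, the rule that any label using more than one script counts as mixed, and the function names are assumptions.

```javascript
// Added example: simplified mixed-script check for hostname labels.
// Assumptions: this script list, and "more than one script in a label = mixed".
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew', 'Arabic',
                 'Han', 'Hiragana', 'Katakana', 'Hangul', 'Thai'];
const SCRIPT_RES = SCRIPTS.map((name) => [name, new RegExp(`\\p{Script=${name}}`, 'u')]);
// Digits, hyphens and combining marks belong to no single script; skip them.
const NEUTRAL_RE = /[\p{Script=Common}\p{Script=Inherited}]/u;

// Sorted list of scripts used by the letters of one label.
function scriptsInLabel(label) {
  const found = new Set();
  for (const ch of label) { // for...of walks code points, not UTF-16 units
    if (NEUTRAL_RE.test(ch)) continue;
    const hit = SCRIPT_RES.find(([, re]) => re.test(ch));
    found.add(hit ? hit[0] : 'Other');
  }
  return [...found].sort();
}

// ASCII (Punycode) form of a hostname, produced by the WHATWG URL parser.
function toAscii(host) {
  return new URL(`https://${host}`).hostname;
}

// Decide what to display: Unicode if every label is single-script, else Punycode.
function displayHost(host) {
  const unicode = host.normalize('NFC').toLowerCase();
  const mixed = unicode.split('.').filter((l) => scriptsInLabel(l).length > 1);
  return { mixed, shown: mixed.length > 0 ? toAscii(unicode) : unicode };
}

// The two hosts from the report; \u043e is CYRILLIC SMALL LETTER O.
for (const host of ['bugs.chromium.org', 'bugs.chr\u043emium.org']) {
  console.log(JSON.stringify(host), displayHost(host));
}
```

A label written entirely in one script is not flagged by this check.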
Status: WontFix (was: Unconfirmed)
I don't think this is a report of an existing Chrome bug (see first words of comment 2), it's an issue the reporter is assuming is a potential problem, which we actually already protect against.

Comment 6 by mgiuca@chromium.org, Nov 29 2016

Status: Unconfirmed (was: WontFix)
#5: But the reporter attached an actual screenshot of the problem (see initial report).

I suspect what's really going on is that the reporter has pasted the URL into the address bar but not confirmed it yet, in which case this is WAI. But I will wait until they confirm that.
Status: WontFix (was: Unconfirmed)
That's a screenshot of the normal URL, with the 'o' circled saying "if this weren't a Latin character, there would be a problem".

You can tell because there is no bugs.chrоmium.org today (it's NXDOMAIN).

Comment 8 by mgiuca@chromium.org, Nov 29 2016

#7 You mean there is no bugs.xn--chrmium-cjg.org today, and if one navigated there it would show a grey "https" with no padlock?

Good point, this can't be a legit screenshot.
Project Member

Comment 9 by sheriffbot@chromium.org, Mar 7 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
