Security: IDN punycode not displayed for misleading cyrillic .com domain
Reported by calderon...@gmail.com, Oct 12 2017
Issue description

VULNERABILITY DETAILS
When browsing to a non-Latin ".com" domain with Cyrillic characters, it isn't displayed in its punycode version. Hence, users who have been tricked into clicking on the phishing link will be shown the misleading address in the URL bar. As said in previous reports, this is problematic in many ways, and the current set of forbidden characters for ".com" domains isn't complete enough or is not working as intended.

I registered today the following domain: xn--x1aaa.xn--80aa1boaj3b9g.com which maps to шнатѕарр.com. I was expecting the punycode version to be displayed, but this is not the case on MacOS, Linux and Android. I was also able to get a Let's Encrypt certificate for this domain, which allows me to browse it using HTTPS.

VERSION
Chrome Version: Version 61.0.3163.100 (Official Build) (64-bit) / Version 61.0.3163.98 (Android)
Operating System: OSX 10.11.6 (15G31) / Ubuntu Linux 16.04 LTS amd64 / Android 7

REPRODUCTION CASE
Browse the following url: https://шнатѕарр.com
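The display check the report expects, sketched as an added example; it is not Chromium's code and not part of the original report. The lookalike set and all function names are assumptions made for illustration: a label made up only of Latin-lookalike Cyrillic letters under an ASCII TLD is shown in its punycode form.

```python
# Constructed, illustrative set of Cyrillic letters that can pass for Latin ones
# (an assumption of this example, not Chrome's actual list).
LOOKALIKES = set("\u0430\u0441\u0435\u0456\u0458\u043e\u0440\u0455\u0445\u0443"
                 "\u0448\u043d\u0442")  # а с е і ј о р ѕ х у ш н т


def to_unicode(label):
    """Decode one DNS label from its ACE ("xn--") form, if it is in that form."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_ace(label):
    """Encode one label to its ACE form; ASCII labels pass through unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def suspicious_labels(hostname):
    """Labels made up only of lookalike Cyrillic letters, under an ASCII TLD."""
    labels = [to_unicode(l) for l in hostname.rstrip(".").split(".")]
    if not labels[-1].isascii():  # Cyrillic TLD: Cyrillic labels are expected
        return []
    return [l for l in labels[:-1] if l and all(ch in LOOKALIKES for ch in l)]


def display_host(hostname):
    """Hostname as a URL bar should show it: ACE form if any label is suspicious."""
    labels = [to_unicode(l) for l in hostname.rstrip(".").split(".")]
    if suspicious_labels(hostname):
        return ".".join(to_ace(l) for l in labels)
    return ".".join(labels)


if __name__ == "__main__":
    # Hostname from the report, then a constructed ordinary Cyrillic name.
    for host in ("xn--x1aaa.xn--80aa1boaj3b9g.com",
                 "\u043f\u0440\u0438\u043c\u0435\u0440.com"):
        print(host, "->", display_host(host), suspicious_labels(host))
```

A label that mixes lookalike letters with letters that have no Latin twin (the constructed second host) is left in Unicode, so ordinary Cyrillic names are not penalised.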
Oct 13 2017
I do not have access to Issue 773930.
Oct 17 2017
Oct 25 2017
Hey there, is it possible to grant me access to #773930 so that I can follow the discussion there, given my issue has been merged with it?
Apr 13 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Oct 19
Comment 1 by elawrence@chromium.org, Oct 12 2017
Components: UI>Browser>Omnibox UI>Internationalization
Status: Untriaged (was: Unconfirmed)