U+0D1F and U+0D2F can be used to spoof 'so.com'
Issue description

Spun off from bug 756866 comment 12 (reported by xisigr@gmail.com)

> Real site: https://www.so.com
> spoof site: https://www.ടഠ.com/

This has to be dealt with in a separate bug. There's no script mixing. U+0D1F and U+0D20 look like Latin 's' and 'o', respectively. Unicode util web site is down at the moment and I haven't checked if U+0D1F and U+0D20 are considered confusable with 's' and 'o' (I guess they are). If they are and 'so.com' is in the top domain list, it'd be blocked.
Nov 14 2017
Nov 15 2017
Dec 4 2017
A CL is up for review at https://chromium-review.googlesource.com/c/chromium/src/+/805214
Dec 4 2017
Dec 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/b3f0207c14fccc11aaa9d4975ebe46554ad289cb

commit b3f0207c14fccc11aaa9d4975ebe46554ad289cb
Author: Jungshik Shin <jshin@chromium.org>
Date: Tue Dec 05 09:35:25 2017

Add a few more confusable map entries

1. Map Malayalam U+0D1F to 's'.
2. Map 'small-cap-like' Cyrillic letters to "look-alike" Latin lowercase letters.

The characters in new confusable map entries are replaced by their Latin "look-alike" characters before the skeleton is calculated to compare with top domain names.

Bug: 784761, 773930
Test: components_unittests --gtest_filter=*IDNToUni*
Change-Id: Ib26664e21ac5eb290e4a2993b01cbf0edaade0ee
Reviewed-on: https://chromium-review.googlesource.com/805214
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#521648}

[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/idn_spoof_checker.h
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/alexa_domains.list
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/alexa_skeletons.gperf
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/top_domains/make_alexa_top_list.py
[modify] https://crrev.com/b3f0207c14fccc11aaa9d4975ebe46554ad289cb/components/url_formatter/url_formatter_unittest.cc
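The check that the issue description and the commit message describe (replace extra confusables, compute the skeleton, compare with top-domain skeletons), as an added C++ example that is not Chromium's code. Only the U+0D1F to 's' entry comes from the commit message; the tables, the function names and the assumption that U+0D20 folds to 'o' are constructed for illustration.

```cpp
#include <string>
#include <unordered_map>
#include <unordered_set>

using CharMap = std::unordered_map<char32_t, char32_t>;

// Extra confusable entries applied before the skeleton step.
// U+0D1F -> 's' is the entry named in the commit message.
static const CharMap kExtraConfusables = {{U'\u0D1F', U's'}};

// Constructed stand-in for the confusables data behind a real skeleton
// function. Assumption: U+0D20 folds to 'o' (not confirmed on the page).
static const CharMap kSkeletonTable = {
    {U'\u0D20', U'o'},
    {U'\u043E', U'o'},  // Cyrillic small letter o
};

// Constructed sample of top-domain skeletons (hypothetical list contents).
static const std::unordered_set<std::u32string> kTopDomainSkeletons = {
    U"so.com", U"google.com"};

static char32_t Fold(const CharMap& table, char32_t c) {
  auto it = table.find(c);
  return it == table.end() ? c : it->second;
}

// Replaces extra confusables first (when enabled), then folds each code
// point through the skeleton table.
std::u32string Skeleton(const std::u32string& host, bool use_extra_map) {
  std::u32string out;
  for (char32_t c : host) {
    if (use_extra_map) c = Fold(kExtraConfusables, c);
    out.push_back(Fold(kSkeletonTable, c));
  }
  return out;
}

// True when host is not itself a listed domain but its skeleton matches one,
// i.e. the name should not be shown in its Unicode form.
bool LooksLikeTopDomain(const std::u32string& host, bool use_extra_map) {
  if (kTopDomainSkeletons.count(host)) return false;
  return kTopDomainSkeletons.count(Skeleton(host, use_extra_map)) > 0;
}

int main() {
  const std::u32string spoof = U"\u0D1F\u0D20.com";  // label from the report
  // Caught only when the U+0D1F entry is applied before the skeleton step.
  return LooksLikeTopDomain(spoof, true) && !LooksLikeTopDomain(spoof, false) ? 0 : 1;
}
```

With `use_extra_map` set to false the skeleton keeps U+0D1F and no longer equals `so.com`, which is the gap the new map entry closes.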
Dec 5 2017
Dec 5 2017
Will bake in canary/dev channel for a while before asking for merge to 63 branch.
Dec 6 2017
Dec 8 2017
I had independently submitted this bug in issue 759995. This bug is a perfect clone of so.com; is this SecSeverity-Low?
Jan 3 2018
Asking for merge to 64 branch. The CL recorded in comment 8 is simple and safe. It has been baked in 65.x for a month.
Jan 3 2018
This bug requires manual review: Less than 16 days to go before AppStore submit on M64.
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), kbleicher@(ChromeOS), abdulsyed@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jan 3 2018
> The CL recorded in comment 8 is simple and safe. It has been baked in 65.x for a month.

In addition to this bug, the CL also fixed bug 773930 (also slated for M64).
Jan 4 2018
Approving merge to M64. Branch:3282
Jan 5 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/908ed3e510e06341b8e9143c5e5cea94dad30e30

commit 908ed3e510e06341b8e9143c5e5cea94dad30e30
Author: Jungshik Shin <jshin@chromium.org>
Date: Fri Jan 05 19:46:54 2018

[M64 branch] Add a few more confusable map entries

1. Map Malayalam U+0D1F to 's'.
2. Map 'small-cap-like' Cyrillic letters to "look-alike" Latin lowercase letters.

The characters in new confusable map entries are replaced by their Latin "look-alike" characters before the skeleton is calculated to compare with top domain names.

TBR=jshin@chromium.org

(cherry picked from commit b3f0207c14fccc11aaa9d4975ebe46554ad289cb)

Bug: 784761, 773930
Test: components_unittests --gtest_filter=*IDNToUni*
Change-Id: Ib26664e21ac5eb290e4a2993b01cbf0edaade0ee
Reviewed-on: https://chromium-review.googlesource.com/805214
Reviewed-by: Peter Kasting <pkasting@chromium.org>
Commit-Queue: Jungshik Shin <jshin@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#521648}
Reviewed-on: https://chromium-review.googlesource.com/852973
Reviewed-by: Jungshik Shin <jshin@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#421}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}

[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/idn_spoof_checker.cc
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/idn_spoof_checker.h
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/alexa_domains.list
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/alexa_skeletons.gperf
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/top_domains/make_alexa_top_list.py
[modify] https://crrev.com/908ed3e510e06341b8e9143c5e5cea94dad30e30/components/url_formatter/url_formatter_unittest.cc
Jan 22 2018
Jan 25 2018
May this bug be assigned a CVE ID?
Mar 14 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Mar 27 2018
Apr 12 2018
I noticed the issue I reported has been fixed for a long time. Has it been assigned a CVE number for me? Would anybody give me an explanation?
Apr 27 2018
Oct 5
Oct 19
Comment 1 by js...@chromium.org, Nov 14 2017