“There’s no surefire way to detect either malicious Google ads or punycode-encoded URLs. Posting ķeepass.info into all five major browsers leads to the imposter site.”

Ah, yes. But, using Privacy Browser Android, the true punycode URL of xn--eepass-vbb.info/ is revealed.

arstechnica.com/security/2023/

@lanodan I think it has a lot more to do with the GUI code than the rendering engine code. In my testing, Chrome and Firefox for Android do not display the correct URL. Lightning behaves correctly the same as Privacy Browser Android. FOSS Browser and Fulguris (a fork of Lightning) change the URL, but they cover it up with the website title, so you can't see it unless you tap to edit it.

@lanodan “This function provides protection against IDN homograph attacks, so **in some cases** the host part of the returned URI may be in Punycode if the safety check fails.”

Do you know which are the cases where it displays the punycode and which are the cases where it doesn’t?

@privacybrowser Been a while since I checked the source code of it but if I remember correctly: It displays human-readable punycode/percent-encoded characters, unless there are known homographic characters (which are probably identified via ICU).

It's not great (like a hostname entirely in greek/cyrillic ought to be human-readable), but I would say it's safe enough.

The only real way to be safe anyway is by using bookmarks and an integration of password managers which matches on the hostname (because you don't always remember the exact spellings of websites).

While I'm at it: Consider using a font like monospace for URLs.
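An added example (not code from the thread, from Privacy Browser or from Android) that implements the display policy lanodan describes in Python: a hostname is shown as Unicode only when each label is plain ASCII or written entirely in one non-Latin script, and any label that mixes ASCII-lookalike characters into Latin text (such as the ķeepass.info lookalike quoted above) is shown in its punycode form instead. Script detection via Unicode character names and the sample hostnames are assumptions of this example.

```python
import unicodedata

# Constructed sample hostnames; the keepass lookalike is the one quoted in the thread.
SAMPLES = ["keepass.info", "ķeepass.info", "пример.рф", "xn--eepass-vbb.info"]


def script_of(ch: str) -> str:
    """Rough script tag taken from the first word of the Unicode name (LATIN, CYRILLIC, ...)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def label_is_safe(label: str) -> bool:
    """Conservative 'show Unicode unless it looks homographic' check for one DNS label."""
    if label.isascii():
        return True
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        # Strip diacritics: ķ decomposes to 'k' + combining cedilla, i.e. a Latin lookalike.
        base = unicodedata.normalize("NFD", ch)[0]
        if base.isascii() and base.isalpha():
            return False  # non-ASCII char whose base is an ASCII letter: homograph risk
        scripts.add(script_of(ch))
    # Allow a label written entirely in a single non-Latin script (e.g. all Cyrillic).
    return len(scripts) == 1 and "LATIN" not in scripts


def display_host(host: str) -> str:
    """Return the host as a URL bar following this policy would show it.

    Accepts Unicode or already punycoded (xn--) input, decodes it with Python's
    idna codec, then re-encodes every label that fails the safety check."""
    unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    shown = []
    for label in unicode_host.split("."):
        if label_is_safe(label):
            shown.append(label)
        else:
            shown.append(label.encode("idna").decode("ascii"))
    return ".".join(shown)


def review(hosts=SAMPLES) -> dict:
    """Map each input host to the form the policy would display."""
    return {h: display_host(h) for h in hosts}


if __name__ == "__main__":
    for host, shown in review().items():
        print(f"{host!r:28} -> {shown}")
```

Running it shows plain ASCII and all-Cyrillic hosts unchanged, while both the Unicode and the xn-- spelling of the keepass lookalike come out as xn--eepass-vbb.info.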

@lanodan I have to disagree with you on the password manager. Everyone should use an offline password manager that does not sync to some cloud service, but for security and privacy reasons, nobody should use a password manager that integrates with their web browser.

You never want something that is processing untrusted data inputs (a web browser) having any connection path to the data store that holds your passwords.

@privacybrowser integrated ≠ embedded/bundled

Putting it roughly, integration is when you have different software capable of depending on each other.

@lanodan That is a good distinction, but even integrated is too much of a security compromise for me to be able to recommend it to anyone.

@privacybrowser How?
Because the only real way of being sure the hostname matches is to be able to check for a match, and a computer is ridiculously good at this while a human will fail (dyslexia is a thing, you know).

I don't mean a requirement on auto-filling information by the way, those ought to not exist due to things like JavaScript and hidden forms.

@lanodan If you are typing a password into a website, it better be because you typed the URL or loaded it from your own bookmark.

If you go back to the original article, it was about someone downloading a compromised version of KeePass from an invalid website (ironic in the context of a discussion of password managers). KeePass is what I use myself, but I don't tend to find their website through a Google ad before initiating the download.

Soren Stoutner

@lanodan How exactly would you recommend going to a new website, creating an account, and typing in the password without some version of typing the URL for the website where you want to create an account? I fail to see how any password manager is going to do this for you.

@privacybrowser For this particular case you're giving a *new* password (right?), not an existing one, so you're not leaking anything.