Closed
Bug 233865
Opened 21 years ago
Closed 9 years ago
URL: DNS: very long domain name (VLDN) as spoofing
Categories
(Firefox :: Address Bar, defect)
Firefox
Address Bar
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: benc, Unassigned)
References
()
Details
(mentioned in several places, including bug 232567#c2)
A URL that has a very long domain name can sometimes be used to deceive a user:
The general confusion is created by either user ignorance of the URL syntax
(where does the hostname begin and end?) and is possibly aided by UI that
truncates the hostname.
http://www.microsoft.com.windows.2000.badsite.com
There are several aspects of this that should be noted.
1- what are valid characters in the hostname? are there characters that could be
used to suggest, visually, that a hostname has ended (when syntactically it has
not)?
2- are UI elements doing any unescaping or filtering of hostname charaacters
that change the displayed URL -or- confuse users?
3- are there UI elements that are truncating (edge of text box or "..." after a
certain length)?
If necessary to avoid drift, if these items become full blown issues that need
to be fixed via patch, lets break out new bugs quickly.
NOTE:
This threat is probably a lower priority than the other two issues (bug 232567
and bug 122445), because in most cases there is a clear line of authority both
for who configured the spoof, and who can turn it off. A hostmaster would have
to either delgate a subdomain or have made the configuration themselves. The
spoofing domain is likely a trademark or other intelectual property violation
that can be quickly addressed through legal channels, and/or cutting off the
offending domain at the TLD.
Comment 1•20 years ago
|
||
There is also problem with showing long URLs at all.
See bug 265551 .
Updated•18 years ago
|
Assignee: darin → nobody
QA Contact: benc → networking
Updated•9 years ago
|
Component: Networking → Location Bar
Product: Core → Firefox
Comment 3•9 years ago
|
||
Considering the lock indicators, the control panel and the url hilighting, I'm not sure if this bug deserves to still be around.
If it would have some suggested actions or actionable item, then it may be useful but like this... May we close it?
Flags: needinfo?(dveditz)
Comment 4•9 years ago
|
||
We've introduced many anti-spoofing measures over the years. Probably can do more but we'd need more specific enhancement bugs.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•