
> Every time you're about to paste your password, glance at the url bar.

Actually - I disagree with this. You can no longer "glance" at the url bar to determine if you are on the right domain due to Unicode chars if you clicked a link.

The only safe way is to type the url yourself into the browser.

If it is a long link - then at least typing the base domain, and pasting the "rest" is probably safe?



I use 1Password to autofill my passwords, which it won't do if the domain doesn't match, which should also work.


This actually isn't true. A website like https://www.xn--80ak6aa92e.com/ won't show up as apple.com. Browsers don't allow Unicode rendering in the URL bar.

Maybe IE is affected though. I haven't tested every browser. But it's a known security concern.


It shows up as www.apple.com on Firefox 54.0.1 (latest, up-to-date) on OSX.


Just tried - same (54.0.1) FF version on Android DOES show apple.com (Chrome and Yandex do not).


about:config, set network.standard-url.punycode-host to true


Disable IDN and you will be safe from those. If you're not going to use non-ASCII domain names, you won't miss much.


Sorry to tell you, it does show up as apple.com in my browser. Chrome 52.0.2743.82-1 on Arch x86_64.


That version of Chrome is over a year old.


The IDN vulnerability was fixed by Google in Chrome 58.

https://arstechnica.co.uk/information-technology/2017/04/chr... https://bugs.chromium.org/p/chromium/issues/detail?id=683314

Why have you got such an old version of Chrome?
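The two defences discussed in this thread, a password manager refusing to fill unless the domain matches, and a browser (Chrome 58 onwards) refusing to render a label as Unicode when every character is a Cyrillic lookalike of a Latin letter, both reduce to the same thing: compare or inspect the ACE (punycode) form of the host that the browser actually resolves, not the glyphs on screen. The example below is added here and is not code from the thread, from any browser, or from 1Password; it decodes the www.xn--80ak6aa92e.com host mentioned above, does a 1Password-style host comparison on the ACE form, and applies a simplified whole-script-confusable rule in the spirit of the Chrome 58 fix. The lookalike character set, the helper names, and the simplified per-label conversion (plain punycode per label, without full IDNA nameprep) are assumptions for the demonstration, not any browser's actual list or logic.

```python
"""Added example (not from the thread or from any browser/password manager):
normalise a host to its ACE (punycode) form before comparing it with the
site a credential was saved for, and flag labels whose letters are all
Cyrillic lookalikes of Latin letters, a simplified version of the rule
Chrome 58 uses to decide when to display punycode instead of Unicode."""
import unicodedata
from urllib.parse import urlsplit

# Cyrillic letters that render (near-)identically to Latin a, e, o, p, c, y, x, l
# in common fonts.  Assumed subset for this example; browsers keep a larger,
# curated list (U+0430 U+0435 U+043E U+0440 U+0441 U+0443 U+0445 U+04CF).
CYRILLIC_LATIN_LOOKALIKES = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf")


def to_ace(host: str) -> str:
    """ASCII form the browser resolves: each non-ASCII label becomes
    'xn--' + punycode; ASCII labels pass through lower-cased.
    (Simplification: skips IDNA nameprep, which is fine for this demo.)"""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(host: str) -> str:
    """Inverse of to_ace: decode 'xn--' labels back to Unicode for inspection."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def script_of(ch: str) -> str:
    """Script taken from the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...); digits and hyphen count as COMMON."""
    if ch in "-0123456789":
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def is_mixed_script(label: str) -> bool:
    """True when the letters of one label come from more than one script."""
    return len({script_of(c) for c in label if c.isalpha()}) > 1


def is_whole_script_confusable(label: str) -> bool:
    """True when every letter is a Cyrillic lookalike of a Latin letter, so the
    whole label reads as Latin text (e.g. the fake 'apple')."""
    letters = [c for c in label if c.isalpha()]
    return bool(letters) and all(c in CYRILLIC_LATIN_LOOKALIKES for c in letters)


def display_host(host: str) -> str:
    """Per-label display decision (simplified browser rule): show Unicode only
    when the label is single-script and not a whole-script confusable;
    otherwise fall back to the punycode form."""
    shown = []
    for label in to_unicode(host).split("."):
        if label.isascii() or not (is_mixed_script(label) or is_whole_script_confusable(label)):
            shown.append(label)
        else:
            shown.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(shown)


def matches_expected(url: str, expected_host: str) -> bool:
    """Password-manager style check: the credential is offered only if the ACE
    form of the URL's host equals the ACE form of the saved site."""
    host = urlsplit(url).hostname or ""
    return to_ace(host) == to_ace(expected_host)


if __name__ == "__main__":
    # Constructed inputs: the homograph host from the thread and the real one.
    fake = "https://www.xn--80ak6aa92e.com/"
    real = "https://www.apple.com/login"
    print(to_unicode("www.xn--80ak6aa92e.com"))        # Cyrillic 'аррӏе', not Latin 'apple'
    print(display_host("www.xn--80ak6aa92e.com"))      # shown as punycode, like Chrome 58
    print(matches_expected(fake, "www.apple.com"))     # False: autofill refused
    print(matches_expected(real, "www.apple.com"))     # True
```

The point of `matches_expected` is that the comparison happens on the wire form: the Cyrillic label encodes to `xn--80ak6aa92e` and never equals `apple`, regardless of what the URL bar draws. `display_host` shows why a purely visual check is not enough and why the Chrome 58 rule is per-label: a genuine all-Cyrillic name such as яндекс.рф still renders as Unicode because its letters are not all Latin lookalikes.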


Thank you. That gives me a strong reason to update.

To answer your question, (1) it's pretty arduous to install Chrome from the AUR, and (2) I am wary of Google removing useful functionality from Chrome.
