Anti-Phishing #4233
flatcap
started this conversation in
Development
Anti-Phishing
#4233
Replies: 1 comment
-
That's a very nice idea! |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
Overview
Internationalized Domain Names (IDN) allow people to register internet domains that are non-ASCII.
e.g.
Behind the scenes, these domains are encoded in ASCII using PunyCode.
café.fr
->xn--caf-dma.fr
übercool.de
->xn--bercool-m2a.de
φρουτακια.com
->xn--mxaaxdxlwhg.com
💩.la
->xn--ls8h.la
Here's an online converter: https://www.punycoder.com/
NeoMutt supports IDN by default.
Problem
Using IDN means that the addresses displayed in your email, or your browser, might not use ASCII characters.
This can lead to visual ambiguity.
Can you spot the difference between:
info@apple.com
-- plain ASCIIinfo@аррӏе.com
-- lower case Cyrillic (xn--info@-8ve9a1fa44l.com
)In many fonts, there wouldn't be any difference.
Registering the Cyrillic domain would allow you to send emails that look like they're from Apple.
Sample Email: https://github.com/neomutt/sample-mail/blob/main/phishing.mbox
Solution
There's a simple solution.
Display the PunyCode after any non-ASCII addresses.
An alternative, might be to paint a flag by non-ASCII addresses.
We'd need to give the user a toggle function to enable/disable display of the PunyCode.
There are quite a lot of places where NeoMutt displays addresses.
Format Strings
$alias_format
%r
ED_ALI_ADDRESS
$autocrypt_acct_format
%a
ED_AUT_ADDRESS
$index_format
%a
ED_ENV_FROM
$index_format
%A
ED_ENV_REPLY_TO
$index_format
%B
ED_ENV_LIST_ADDRESS
$index_format
%f
ED_ENV_FROM_FULL
$index_format
%F
ED_ENV_SENDER
$index_format
%Fp
ED_ENV_SENDER_PLAIN
$index_format
%K
ED_ENV_LIST_EMPTY
$index_format
%L
ED_EMA_FROM_LIST
$index_format
%R
ED_ENV_CC_ALL
$index_format
%r
ED_ENV_TO_ALL
$index_format
%t
ED_ENV_TO
$mix_entry_format
%a
ED_MIX_ADDRESS
$query_format
%a
ED_ALI_ADDRESS
Plus all the other format strings that reuse
$index_format
s machinery:$attribution_locale
,$attribution_locale
,$forward_attribution_trailer
,$forward_format
,$indent_string
,$message_format
,$pager_format
.Functions
<display-address>
(@)There may be others
Compose
Compose's Envelope displays:
To:
,Cc:
,Bcc:
,Reply-to:
Do we want to alter the appearance in the user's editor?
(i.e.
set edit_headers = yes
means PunyCode too)This would mean we'd have to parse it back, after editing.
Pager
The Pager displays the headers of the Email.
Usually, they're "weeded" down to a few important ones.
e.g.
unignore from: subject to cc date x-mailer x-url user-agent
We should probably add PunyCode to these.
When weeding is turned off, the headers are displayed raw (except for wrapping).
Should we insert PunyCode?
Practicalities
Most domains are plain ASCII, so we may want to enable this feature by default.
However, some users will use IDN and we need some way to reduce the clutter for them.
Add a config option to disable the feature
Add extra Expandos for "plain" addresses
e.g.
%t
and%tp
Add a "safe" list for known domains
e.g.
idn_safe café.fr
,idn_safe '\.gr$'
Beta Was this translation helpful? Give feedback.
All reactions