Updated Firefox SpoofStick Extension to Display Homograph Spoofs

I’ve modified the *excellent* SpoofStick extension for Firefox to now find and label any homographs detected in the current URL. This should hopefully be a help until the Mozilla folks fix IDN support.

Install Updated SpoofStick extension

Test the extension by visiting the Shmoo IDN exploit page and clicking on the fake Paypal links.

I plan on forwarding my code changes to the SpoofStick developers – they’re free to use my code as they see fit.

Update: I’ve been Boing Boing’d! (hi, everyone)

Update: note that the extension’s appearance has not changed from the original version. Please direct any requests for look and feel changes to the original developers.

Update: Yes, I know it’s very “English-centric”.

Big update: The official version of SpoofStick now supports IDN checks. I recommend that everyone uninstall my hack and install the official version.

About Kevin

Kevin Jarnot is a technologist who lives just South of Boston, MA. He is currently employed as Chief Technology Officer at DebtX, a financial services technology company based in Boston.
This entry was posted in Geek.

26 Responses to Updated Firefox SpoofStick Extension to Display Homograph Spoofs

  1. Craig says:

    This is great, thanks. Would it be possible to let the user determine where this shows up in the ui though? I would love it if it were possible to place this on my bookmarks toolbar. Or somewhere else where I’ve got spare space.
    BTW: your comments system is hosed.

  2. Bjorn says:

    Nice work but bad looking.
    Takes up a whole bar, the small typeface is about 2.5 times the size of the fonts I use in the menu bar etc, so it’s very intrusive and I won’t keep it switched on.
    How about an option to just have a popup when a homograph is detected?

  3. Rijk says:

    So, I visit the Swedish Red Cross and it’s a dangerous site suddenly?

    http://www.rödakorset.se/

    Not every IDN domain name is evil, as some people believe…

  4. Anonymous says:

    I agree, it’s definitely too large and it would be nice to be able to choose where it goes… how can I make it disappear?

  5. Andrea says:

    It’s not pretty… and even the “small” font-size is big for me :/
    Still, does what it says 😛

  6. Brandon says:

    How ungrateful. Someone tries to do a good thing and help out folks he doesn’t even know (worldwide) and folks bitch about the appearance of the app. If it’s that big a deal, then either ditch it or do it yourself.
    Thank you Kevin for taking the time to help everyone out.

  7. Kevin says:

    Thanks, Brandon! Yeah, it’s too bad that most people seem to be in the “glass half empty” category…

  8. Anonymous says:

    Bjorn – No, the Swedish red cross is not suddenly evil, but if you were not expecting IDN characters, then it would be nice to have it flagged.

    The Spoofstick code is obviously taking a shortcut: solutions whipped up in 24 hours aren’t likely to satisfy everyone. The problem is an extremely difficult one to solve perfectly.

    In a general way, how should spoofstick highlight potential problems from IDN? Is there a map somewhere of homologous character glyphs for all languages covered by the IDN? If there were, spoofstick or a similar tool could notice that the also-registered http://www.rodakorset.se/ points to the same address and choose not to highlight as a problem.

  9. Kevin says:

    The SpoofStick code is actually very simple – it just displays the FQHN, domain, IP address or local filesystem info for the current URL. My tweak simply checked each character in the output and if the char value was > 127 it would prepend a warning and place parentheses around the “offending” character.

    I’m sure the code could be modified to perform all sorts of validations and DNS lookups, but I think that goes well beyond the scope and intent of the original design, which was to provide a simple means to thwart phishing spoofs. See http://www.corestreet.com/spoofstick/ for the original version.
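    The following is an added example, not code from the post or from the SpoofStick project: it implements the check Kevin describes above (flag any character whose code is above 127, wrap it in parentheses and prepend a warning), and, toward the question in the earlier comment about a map of lookalike glyphs, extends it with a small constructed table of Cyrillic letters that render like Latin ones, so a flagged host can be told apart from a legitimate IDN such as rödakorset.se. The LOOKALIKES table is a constructed subset, not a complete confusables map.

```javascript
// Constructed subset of Cyrillic letters that render like Latin ones.
// A real map would cover many more scripts; this is enough for the demo.
const LOOKALIKES = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p",
  "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
};

// Same rule as the SpoofStick hack: every code point above 127 is wrapped
// in parentheses and a warning is prepended when at least one was found.
function labelHomographs(host) {
  let out = "";
  let flagged = false;
  for (const ch of host) {          // iterates by code point, not UTF-16 unit
    if (ch.codePointAt(0) > 127) {
      out += "(" + ch + ")";
      flagged = true;
    } else {
      out += ch;
    }
  }
  return (flagged ? "WARNING: Homograph detected! " : "") + out;
}

// Returns the ASCII host this name would be mistaken for, or null when
// some non-ASCII character has no lookalike in the table (e.g. the "ö"
// in rödakorset.se, which is an ordinary IDN rather than an imitation).
function asciiLookalike(host) {
  let out = "";
  for (const ch of host) {
    if (ch.codePointAt(0) <= 127) {
      out += ch;
    } else if (ch in LOOKALIKES) {
      out += LOOKALIKES[ch];
    } else {
      return null;
    }
  }
  return out === host ? null : out;
}

// "ascii": nothing flagged; "idn": non-ASCII but no ASCII twin in the
// table; "imitates <host>": every non-ASCII char maps to a Latin lookalike.
function classify(host) {
  if (labelHomographs(host) === host) return "ascii";
  const twin = asciiLookalike(host);
  return twin ? "imitates " + twin : "idn";
}
```

    The "idn" class is where Kevin's original check produces the false positive the Swedish Red Cross commenter complained about; the table only narrows it, it does not remove it.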

  10. Brandon says:

    Kevin,
    If you open up the js file in the spoofstick.jar, instead of returning the string you can simply set the window status text to the return value. BTW, closing the toolbar has no effect on the script running either (as far as I can tell). I closed the toolbar but the window status is still showing up for me.

    function labelHomographs(str) {
        var retStr;
        var warnStr;

        retStr = warnStr = "";

        for (var i = 0; i < str.length; i++) {
            // Any character outside 7-bit ASCII is flagged as a possible homograph
            if (str.charCodeAt(i) > 127) {
                retStr += '(' + str.charAt(i) + ')';
                warnStr = "WARNING: Homograph detected! ";
            } else {
                retStr += str.charAt(i);
            }
        }
        // Show the warning in the window status text instead of returning it
        if (warnStr.length > 0)
            window.status = warnStr + retStr;
    }

    I am noticing an issue with opening in new tabs but that should be an easy fix as well.

  11. Kevin says:

    Brandon: Yeah, that may be a better approach – definitely easier on the eyes. 🙂

    One downfall might be that the spoofing site could quickly overwrite the status text to hide the fact that homographs are in the URL.

  12. Pingback: X-Blog

  13. Ron says:

    Great work. A nice feature would be an “automatic visible” option. If the bar is hidden and IDN characters are detected, it switches to visible mode.

  14. Pingback: Overfloater

  15. Michael says:

    Great Spoofstick extension update. Thank you!
    Whole lotta shakin’ goin’ on around this IDN problem, no workaround is really satisfactory. Your work in my opinion is the best alternative until the Mozilla engine gets updated.

  16. Anonymous says:

    Thanks for your work on this, Kevin.

    Just thought I’d let you know that a new official version of SpoofStick that addresses the IDN vulnerability has been released.

    Additionally, the SpoofStick widget is now a draggable/resizable toolbar item, so it no longer needs to take up an entire toolbar (unless you want it to).

    You can get it here:
    http://www.corestreet.com/spoofstick/

  17. Pingback: mactobias

  18. Kevin says:

    Excellent! My hack is now formally retired after 2 useful days of service. 🙂

  19. jack says:

    Great work on the update, Kevin.

    Is there a way to edit the display text size in a certain file to make it smaller apart from the default settings, as I only have a 14-inch screen and usually use SpoofStick in the same bar as File, Edit?

    A layman’s explanation would be appreciated, or if there is already a way of changing this I would be most appreciative.

    jack

  20. Kevin says:

    Jack – from what I can tell there’s no easy way to change the font.

  21. Pingback: X-Blog

  22. Dewayne says:

    will they update this for the new FireFox? This current version does not work with FF 1.5.

  23. Kevin says:

    Dewayne – I’m not sure. It looks like they haven’t updated it since February 2005.

    Go to http://www.spoofstick.com for more details.

  24. Roy Thompson says:

    Your add-ons might be great, but when you have more steps than a couple of clicks, such as extensions that do not work and are too hard to comprehend, well, don’t you realize that MOST people over 40 have no idea of what to do? If you care, then KISS, or NOT!!
    Thanks, Coberman

  25. internet explorer says:

    Thanks for the great job. One suggestion, however, if it isn’t out of order to do so when you have voluntarily stepped into the breach to alleviate the deficiency in Spoofstick. Next time please make at least some little change in the filename of the hacked product from the original so we dumb users out here can tell the two apart, such as when it’s time to uninstall one.

  26. Idetrorce says:

    very interesting, but I don’t agree with you
    Idetrorce
