Firefox: Prevent Unicode Phishing Attacks

IMPORTANT

This concerns an extremely troubling phishing attack vector for the Firefox browser (it also impacts Chrome), which could leave you wide open to handing over your login details to a lookalike of virtually any site, yes, even one showing the little green padlock (which is supposed to be a sign of security).

The attack takes advantage of Unicode support in domain names to display a false web address in the address bar, complete with a working SSL certificate. I won’t go into further detail here; however, you can read about it in the Wordfence blog entry, which has an in-depth explanation.

The fix, for Firefox, is to open about:config and set the preference network.IDN_show_punycode to true. With this set, the address bar shows the real (punycode) web address of any domain instead of the lookalike Unicode version.
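To see what that preference reveals, the following added example (not from the original post or from Firefox) converts hostnames to their punycode form and reports which scripts each label uses. It assumes Node.js; the hostnames are constructed samples and the function names are hypothetical.

```javascript
// Added example. Hostnames are constructed; .example is a reserved TLD.
// Function names (toAscii, scriptsIn, inspectHost) are hypothetical.

// Scripts to look for in each label (a small subset, enough for the samples).
const SCRIPT_RE = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// ASCII (punycode) form of a hostname, as computed by the WHATWG URL parser.
function toAscii(host) {
  return new URL("https://" + host).hostname;
}

// Sorted list of the scripts from SCRIPT_RE that occur in one label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPT_RE)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Summarise a hostname: its punycode form, whether any label is an IDN
// label (xn-- prefix), and which scripts each Unicode label uses.
function inspectHost(host) {
  const ascii = toAscii(host);
  return {
    unicode: host,
    ascii,
    isIDN: ascii.split(".").some((label) => label.startsWith("xn--")),
    scripts: host.split(".").map(scriptsIn),
  };
}

const SAMPLES = [
  "example.com", // plain ASCII, unchanged
  "\u0441\u043e\u0440\u0435.example", // four Cyrillic letters that render like Latin "cope"
  "ex\u0430mple.example", // Latin label containing one Cyrillic letter (U+0430)
];

for (const host of SAMPLES) {
  const r = inspectHost(host);
  console.log(`${r.unicode} -> ${r.ascii} idn=${r.isIDN} scripts=${JSON.stringify(r.scripts)}`);
}
```

The second sample uses a single script throughout, so a mixed-script check alone would not flag it; its punycode form still differs visibly from any ASCII name.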

The moral of this is not to hide the address bar and other bits of the browser which are slightly technical. This is a problem with technology which is wider than this specific example: programmers hide things, supposedly to make the experience more user-friendly. Well, the world isn’t user-friendly, and users should damn well learn to deal with it!