TryQuiet / quiet

A private, p2p alternative to Slack and Discord built on Tor & IPFS
https://www.tryquiet.org
GNU General Public License v3.0

Quiet is vulnerable to IDN Homograph Attacks #1807

Open m0nad opened 11 months ago

m0nad commented 11 months ago

I was testing Quiet and I found that it is vulnerable to IDN Homograph Attacks (https://en.wikipedia.org/wiki/IDN_homograph_attack).

Description

When receiving a message, Quiet renders a homographic link in a clickable format; the font makes it almost impossible to tell the difference (check attachment). This is a vulnerability that was also fixed in Signal (CVE-2019-9970).

Reproduction

In this example I used: https://tryquiet.org/ https://tryqᴜiet.org/

Recommendation

Make the URL non-clickable, or show it as Punycode (https://en.wikipedia.org/wiki/Punycode) like the majority of browsers do, or at least show some warning.

Other references

https://www.blazeinfosec.com/post/cve-2019-9970-signal-idn-homograph-attack/
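One way a client could apply the recommendation above (show the Punycode form, or warn), as an added example that is not part of the original issue and is not Quiet's or Delta Chat's code. `typedHost`, `classifyLink` and the returned object shape are hypothetical names; the third sample URL is constructed, the first two are the ones from the report.

```javascript
// Added example: decide how a chat client should render a link found in a message.
// typedHost/classifyLink are hypothetical helpers, not Quiet or Delta Chat APIs.

// Pull the hostname exactly as the sender typed it (before any IDNA conversion).
function typedHost(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^\/?#@]*@)?([^\/?#:]*)/i.exec(link);
  return m ? m[1] : null;
}

function classifyLink(link) {
  const raw = typedHost(link);
  let asciiHost;
  try {
    // The WHATWG URL parser converts internationalized labels to Punycode ("xn--...").
    asciiHost = new URL(link).hostname;
  } catch {
    // A link the parser rejects should never be rendered as clickable.
    return { warn: true, displayHost: null, reason: 'unparseable' };
  }
  // Flag hosts typed with non-ASCII characters and hosts typed directly as xn-- labels.
  const hasNonAscii = raw !== null && /[^\x00-\x7f]/.test(raw);
  const hasPunycodeLabel = asciiHost.split('.').some((l) => l.startsWith('xn--'));
  if (hasNonAscii || hasPunycodeLabel) {
    // Show displayHost (the ASCII form) next to the warning instead of the lookalike.
    return { warn: true, displayHost: asciiHost, reason: 'idn' };
  }
  return { warn: false, displayHost: asciiHost, reason: null };
}

// Sample links: the two from the report plus one constructed xn-- form.
const samples = ['https://tryquiet.org/', 'https://tryqᴜiet.org/', 'https://xn--pple-43d.com/'];
for (const s of samples) {
  console.log(s, '=>', classifyLink(s));
}
```

A renderer would use `warn` to choose between a normal link and a confirmation prompt that shows `displayHost`.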

holmesworcester commented 11 months ago

Thank you!

Simon-Laux commented 3 months ago

There is always the question whether it is really the responsibility of the messenger or rather the responsibility of the browser or the user themselves for not paying enough attention.

Anyway, I introduced a warning in deltachat-desktop that warns about Punycode, though:

Screenshot 2024-05-11 at 01 30 20

Maybe we (deltachat + quiet) could collaborate if Quiet also wants to use our message-parser, which does not only do link parsing and Punycode detection, but also parsing of more elements (email addresses, clickable hashtags, @mentions are also planned, [labeled](links)) and even has experimental support for a Markdown subset. It is not based on regular expressions but is instead coded in Rust with the nom library and compiled to wasm. We plan to also use it for deltachat mobile (Android/iOS) in the future.

holmesworcester commented 3 months ago

Thanks for letting us know about this work! It does seem like a useful place for collaboration. It might be some time but we'll consider this.