
IDN URL is mangled in Login on 1Password.com in Firefox

krilbe
Community Member
edited October 2018 in Memberships


When editing the URLs for one of my items, I noticed that our IDN domain företagskontakt.se displays incorrectly on the item page. It seems to work when using the item to log in, so it's probably just cosmetic.


1Password Version: Not Provided
Extension Version: 1.10.3
OS Version: Windows 10 Pro 64 bit Swedish
Sync Type: Not Provided
Referrer: forum-search:IDN

Comments

  • AGAlumB
    1Password Alumni

    @krilbe: Yeah I've noticed that and brought it up before. And honestly I can't decide if it's a bug or a security feature. :tongue: I kid. But not really. There have been serious exploits involving IDNs spoofing well-known websites by looking close enough to fool the user. I recall that Safari was displaying IDNs like your screenshot not long ago too. I'm not sure when that changed. Fortunately 1Password can't fall prey to those kinds of attacks since it only fills when the URL in the browser matches what you have saved in your login. But I agree this is also a bit confusing, and the longer version just doesn't look great. We'll have to discuss it more. Thank you for bringing it up! :)

  • krilbe
    Community Member

    Ermmm... What shows up is not a "longer version". It's just plain wrong. It should display as either "företagskontakt.se" or "xn--fretagskontakt-vpb.se". Or am I missing something?

  • AGAlumB
    1Password Alumni

    @krilbe: Oh! You're absolutely right. I saw xn--fretagskontakt-vpb.se in blue and since that's the domain I was expecting to see my brain just blocked out the grey part. Thank you! :lol:

    The thing is...I'm not seeing that when I create a login for https://www.företagskontakt.se. Is there a login page URL you can direct me to? I'm guessing you used the 1Password browser extension to save your login, and maybe it's doing something weird. Thanks in advance!

  • krilbe
    Community Member

    I had a pre-existing 1Password entry for mise.se (another of our domains). This entry was imported from LastPass. I opened that entry and manually entered additional URLs. This particular URL I entered as "https://företagskontakt.se". This was done in the web interface - can't seem to find any edit ability in the extension. And, it was in Firefox on Windows 10.

    1Password finds the entry as a match when I am at the URL in question.

    Did that answer your question? If not, please clarify.

  • AGAlumB
    1Password Alumni

    > I had a pre-existing 1Password entry for mise.se (another of our domains). This entry was imported from LastPass. I opened that entry and manually entered additional URLs. This particular URL I entered as "https://företagskontakt.se". This was done in the web interface - can't seem to find any edit ability in the extension. And, it was in Firefox on Windows 10.

    @krilbe: Ah, so you're using 1Password X in Firefox? You imported the login in 1Password as is, or you edited it through the website? I'm trying to see if I can reproduce the same thing to determine if and where something needs to be changed.

    Do you see the same thing if you create a new item like that?

    > 1Password finds the entry as a match when I am at the URL in question. Did that answer your question? If not, please clarify.

    Yes! Thank you. Sorry I have more questions still, but I'm sure we'll be able to narrow it down. :)

  • krilbe
    Community Member
    edited October 2018

    Yes, 1Password X in Firefox. Sorry if I was unclear. The 1Password ecosystem is still new to me. :) But the edit GUI is web based and not part of the extension, isn't it?

    The entry was imported from LastPass along with all my other LastPass entries, using your import tool, via LastPass' CSV export. I didn't change it in any way in 1Password until I started adding these extra URLs, as described above. I did add + save in a few repetitions, trying out how 1Password does the matching. (Wildcards? Full URL or just the domain? Etc.) I may have brought up the edit page from the web interface to begin with, but later from the extension's Edit button. Not sure which path I took when adding företagskontakt.se. Probably from the web interface.

    Will try adding a new entry. May not have time to complete it right now, but will write back when done.

  • AGAlumB
    1Password Alumni

    > Yes, 1Password X in Firefox. Sorry if I was unclear. The 1Password ecosystem is still new to me. :) But the edit GUI is web based and not part of the extension, isn't it?

    @krilbe: Correct on all counts. Sorry for the confusion there. I was just trying to make sure my understanding is correct so I'm not overlooking something. Thank you! :)

    > The entry was imported from LastPass along with all my other LastPass entries, using your import tool, via LastPass' CSV export. I didn't change it in any way in 1Password until I started adding these extra URLs, as described above. I did add + save in a few repetitions, trying out how 1Password does the matching. (Wildcards? Full URL or just the domain? Etc.) I may have brought up the edit page from the web interface to begin with, but later from the extension's Edit button. Not sure which path I took when adding företagskontakt.se. Probably from the web interface.

    Gotcha. Just wanted to verify you hadn't added that URL in the 1Password.com web interface yourself. That hasn't worked for me. Do you happen to have the original exported data? I wonder if the URL is encoded like that there in the CSV? I'm not able to reproduce this yet, so I think that might be the key.

    > Will try adding a new entry. May not have time to complete it right now, but will write back when done.

    Absolutely. Thank you for working with me on this! :)

  • krilbe
    Community Member
    edited October 2018

    I tried reproducing the issue now. I have Firefox and 1Password X browser extension. Log in to the extension. Bring it up and press Edit on any 1Password entry in my vault. The edit page is displayed, i.e.
    https://myorg.1password.com/vaults/xxx/allitems/yyy

    On the edit page I type "https://företagskontakt.se" into the second (blank) website textbox, and then press "Save". The new website is now displayed as (from HTML view of the DOM): "<span>https://företagskontakt.s<span class="domain">xn--fretagskontakt-vpb.se</span>se</span>".

    Happens every time for me. Maybe you need to test it in Firefox specifically?

  • AGAlumB
    1Password Alumni
    edited February 2019

    @krilbe: You nailed it. Thank you! Indeed, I was able to reproduce this in the 1Password.com web interface in Firefox 62. I'm not sure why the URL is getting mangled only in Firefox, but we'll see if we can narrow down the cause. It seems to be concatenating the URL and its encoded(?) version. However, the website opens correctly.

    I almost think the bug may be in Firefox itself though since going to https://företagskontakt.se/ directly also takes me to https://xn--fretagskontakt-vpb.se/ — again, only in Firefox. Thanks for bringing this to our attention! :)

    ref: b5/b5#4995

  • krilbe
    Community Member

    Well, as far as I know, it's always the punycoded domain (xn--fretagskontakt-vpb.se) that's actually used and the cleartext version (företagskontakt.se) is only for presentation purposes. So, when you type "företagskontakt.se" into the browser's address bar, it will actually DNS lookup "xn--fretagskontakt-vpb.se", while still showing "företagskontakt.se" to the user.

    I would assume that any domain handling app should do the same - any domain that doesn't conform to the domain name specification (i.e. contains åäöéÿ...) should be punycoded and stored in that form. But maybe there's something here that I got backwards or sideways or whatever... :p And maybe there are potential spoofing problems...
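
The punycode behaviour described in the posts above, as an added example that is not part of the thread and not 1Password's code. The function names are hypothetical, and the cause modelled in `naiveHighlight` is an assumption: it happens to produce the same markup reported earlier in the thread, but nothing on this page confirms that is what the web interface does.

```javascript
// Added example, not 1Password's code; function names are hypothetical.
const TYPED = 'https://f\u00f6retagskontakt.se'; // URL as typed in the thread

const esc = (s) => s.replace(/[&<>"]/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));

// Assumed cause: search for the parser's ASCII hostname inside the Unicode
// text the user typed. indexOf() returns -1 and both slices go wrong.
function naiveHighlight(typed) {
  const host = new URL(typed).hostname;   // "xn--fretagskontakt-vpb.se"
  const i = typed.indexOf(host);          // -1: the typed text has no "xn--"
  return '<span>' + esc(typed.slice(0, i)) +
    '<span class="domain">' + esc(host) + '</span>' +
    esc(typed.slice(i + host.length)) + '</span>';
}

// Slice the parser's own serialization instead, so the host is always found.
function safeHighlight(typed) {
  const u = new URL(typed);
  const i = u.href.indexOf(u.hostname, u.protocol.length);
  if (i < 0) return '<span>' + esc(u.href) + '</span>';
  return '<span>' + esc(u.href.slice(0, i)) +
    '<span class="domain">' + esc(u.hostname) + '</span>' +
    esc(u.href.slice(i + u.hostname.length)) + '</span>';
}

// Match saved and visited URLs on the parsed ASCII host, never on how
// either one is displayed.
function sameHost(saved, visited) {
  try {
    return new URL(saved).hostname === new URL(visited).hostname;
  } catch {
    return false; // unparsable input never matches
  }
}
```

Comparing the parsed ASCII host makes the Unicode and `xn--` spellings of one domain match, while a visually similar name in another script gets a different `xn--` form and does not.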

  • AGAlumB
    1Password Alumni
    edited October 2018

    Punycode! Thank you! I could not for the life of me remember the correct term. :lol:

    I believe you're correct, but something's definitely a bit off. We'll see if we can determine that with some certainty.

  • krilbe
    Community Member

    8-) :) ;)
    Good luck!

  • AGAlumB
    1Password Alumni

    Haha thank you! :crazy: :+1:

This discussion has been closed.