|resources:||Home Mailing List Members|
VerifyURL is a simple extension which shows the true host of a webpage. It was designed to help expose phishing scams, where a user is taken to a scammer's site which looks like a real site. The user is then tricked into providing their account details to the scammer.
The extension makes the feature available when your bookmarks aren't handy. http://www.nd.edu/~jsmith30/xul/test/spoof.html is an example where the whole Firefox UI is spoofed. In this case, your bookmarklet wouldn't be readily available. With VerifyURL, it's still available on the context menu.
Version 0.4 decodes International Domain Names. This is not a bug, but an issue with the IDN system itself. Special codes can be used to make international characters in URLs. However, these codes can also be used to generate characters that look exactly the same as those in other domain names. http://secunia.com/multiple_browsers_idn_spoofing_test/ contains an example of a spoofed IDN. Here is a picture of what the alert box shows on the Paypal spoofing IDN in Secunia's example.
If you would like a more automated system, SpoofStick allows you to automatically show every URL's hostname on a toolbar. This can be handy for less savvy users, who wouldn't realize when they should use VerifyURL. Some phishing sites are very realistic, so even experienced users can be fooled by them. VerifyURL and SpoofStick both simplify the displayed URL, making it easier to spot a scam.