We've known about Homograph attacks since the 1990s -- so you may be wondering why I'm writing about them in 2018. Don't worry, I'll get to that. I...
+1 for the sheer body of research attached to this post :)
Firefox users: you can go to about:config and switch network.IDN_show_punycode to true.
Yep! Unfortunately this always shows punycode for all IDNs, not just malicious ones. Wish they'd come up with a solution as a default for just the potentially malicious ones like Chrome did!
Or they could show it like https://pаypal.com/ (punycode there)
Yes! This is similar to what IE does with IDNs, by showing an informational alert that you're on one as a pop up. (Not sure which IE version does this). Some have suggested color coding non-ASCII text as well. Lots of potential solutions 😊
Interesting. I've never heard of homographs attack before.
I learned quite a bit. Thank you!
Wow, that is all super interesting.
Great post,
also an interesting tidbit with Firefox is that it suggests the real PayPal in the link:
As I was writing this I realized you put that icon there. Awesome touch! Definitely fooled me 🙈
If you published this as an npm package (e.g. sanitizeHomograph(url)) then all of us could use it to sanitize URLs we display on profile pages.
Kickstarter is about to publish the ruby code as a gem! Would be down to do in js as well 😊
sorry this took a while! github.com/kickstarter/ruby-homogr...
When punycode first came out Firefox would only display the unicode version on a whitelisted set of TLDs. The rule, if I recall, was that a registrar must have published a policy on how they avoid the registration of homographs. This meant, for example, that .de would be okay since the registrar policy was limited script, but .com would always show punycode since it was a free-for-all.
I kind of think this is a registrar problem. The registration of homographs on common script characters should just be rejected.
Great proposal! I think, based on my reading of ICANN's meeting minutes and IDN RFCs, that as an international organization they are worried limiting some scripts that support non-ASCII languages would be an overreach in favor of English speakers and Latin. They are taking time to make sure that whatever decision they make doesn't over-exclude non-latin-language speakers. (And in the meantime hoping the Browsers just do this for them 😉.) Turns out internet governance is just as slow-paced as any other kind of governance.
Woah, this is fascinating! I love that Chrome is actively combating this. Thanks for the well-researched article :D
Last year I had fun with Apple's Safari and Mail:
tᴏ.com vs to.com vs tᴑ.com
This ended up in CVE-2017-7106 and CVE-2017-7152
I wrote about this in blog.to.com/phishing-with-an-apple...
Additionally I built a "live js injection reverse proxy" for demonstration purposes on https://ṫo.com
It's not dirt on your screen, it's a special T and it works.
Nice! I love the blog post.
This was super informative! Anyway, what about requiring a human moderator to double check links with punycode in them? I.e. show the warning until the moderator has had a chance to look at it and confirm it's not a homograph attack. I don't know how much of a burden that would be, but if there aren't that many punycode URLs, then the amount of work they'd need to do could be very low. And if the cost does turn out to be high, you might be able to use Mechanical Turk.
Thanks, a very interesting article.
Awesome article. One small error - the past tense of "to lead" is "led", not "lead".
Ha! English is hard. I'll change. Thank you for pointing that out!
This is a dang good post.
Super interesting.
10/10 article. Awesome research work!
Wow, great article! Thanks!
Top quality post. Learned a lot reading it. Thanks for writing!
My Mozilla shows me the link behind any clickable text. Your argument is invalid. It shows me the false one. Nice article otherwise.
Sure, it shows it on links, but what about a redirect during a checkout process? If an injected script could change a redirect to paypal to actually go to a homograph'ed domain instead, it would be quite hard to spot.
+1 Great post, well documented and very instructive!
(PS: struggling every day with phishing e-mails using (in a dumb manner) this kind of cheat :P )
Thanks for the post. Very well explained. Would be awesome if people could get their hands on the script you guys had written to do the site matching search!
Amazing post. Great work!