
Homograph attacks (heads up)

esuhl
esuhl Posts: 9,409 Forumite
I just thought I'd mention this, in case any other techies aren't aware. Apparently it's an old problem, but it's the first I'd heard about it.

Look at these two URLs. They are NOT the same!

https://аррӏе.com/
https://apple.com/

The first is a safe link (linking to a blog about the issue)... but it's not the same as the second link to Apple's website.

Apparently letters from non-Latin alphabets that look similar to Latin letters can be substituted in the URL, allowing scammers to register valid-looking domain names.

So, even if you check links to see the address they actually point to (e.g. in the status bar message), and confirm the URL in the browser's address bar, you could still end up on a malicious site.

Maybe this is common knowledge, but I was surprised that I hadn't heard of this before.

https://www.theregister.co.uk/2017/04/18/homograph_attack_again/

Comments

  • MothballsWallet
    MothballsWallet Posts: 15,893 Forumite
    esuhl wrote: »
    I just thought I'd mention this, in case any other techies aren't aware. Apparently it's an old problem, but it's the first I'd heard about it.

    Look at these two URLs. They are NOT the same!

    https://аррӏе.com/
    https://apple.com/

    The first is a safe link (linking to a blog about the issue)... but it's not the same as the second link to Apple's website.

    Apparently letters from non-Latin alphabets that look similar to Latin letters can be substituted in the URL, allowing scammers to register valid-looking domain names.

    So, even if you check links to see the address they actually point to (e.g. in the status bar message), and confirm the URL in the browser's address bar, you could still end up on a malicious site.

    Maybe this is common knowledge, but I was surprised that I hadn't heard of this before.

    https://www.theregister.co.uk/2017/04/18/homograph_attack_again/
    This can happen with alphabets like Russian, where the following Latin letters are different thanks to the Greek influence on the Cyrillic alphabet: B = v, H = n, C = s, P = r, X = kh.
  • buglawton
    buglawton Posts: 9,246 Forumite
    This was first reported in the Register several years ago. It's one reason to use auto password filling instead of manual, as browser-remembered links will always match what was first saved (assuming that was the real link...).

    But I thought that that issue some years ago had been 'fixed' somehow by the browser app makers...
  • buglawton
    buglawton Posts: 9,246 Forumite
    PS in the comments after the Reg article, a fix for Firefox is detailed:
    in about:config, set network.IDN_show_punycode to True

    This worked for me when I retested the above fake 'Apple' link.
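Added example (not from the thread or from either browser): a small Python checker that does what the original post and the Firefox about:config tip describe, rendering each non-ASCII label as punycode and flagging hostnames whose letters come from more than one script or are made entirely of Cyrillic letters that look like Latin ones. The lookalike table is a constructed subset; real browsers use the full Unicode confusables data, and the punycode step here skips the IDNA mapping rules.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones
# (U+04CF palochka is the "l" in the thread's fake apple.com link).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u0455": "s",
}

def to_punycode(host: str) -> str:
    """Show a hostname as Firefox does with network.IDN_show_punycode=true.
    Simplified: no IDNA nameprep/UTS46 mapping, only per-label punycode."""
    out = []
    for label in host.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)

def letter_scripts(label: str) -> set:
    """Unicode script names of the letters in a label, e.g. {'LATIN'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0]
            for c in label if c.isalpha()}

def analyse(host: str) -> dict:
    """Classify a hostname the way a defender's link checker might."""
    host = unicodedata.normalize("NFC", host.lower())
    verdict = "ascii"
    for label in host.split("."):
        if label.isascii():
            continue
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            verdict = "mixed-script"          # Latin and Cyrillic in one label
            break
        letters = [c for c in label if c.isalpha()]
        if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in letters):
            verdict = "whole-script-confusable"  # every letter mimics a Latin one
        elif verdict == "ascii":
            verdict = "idn"                   # ordinary internationalised name
    # The Latin string a reader would mistake this host for
    looks_like = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in host)
    return {"host": host, "punycode": to_punycode(host),
            "verdict": verdict, "looks_like": looks_like}
```

Run `analyse("аррӏе.com")` on the thread's example and compare its punycode form with `analyse("apple.com")`; the two differ even though the hosts render identically.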
  • esuhl
    esuhl Posts: 9,409 Forumite
    buglawton wrote: »
    PS in the comments after the Reg article, a fix for Firefox is detailed:
    in about:config, set network.IDN_show_punycode to True

    This worked for me when I retested the above fake 'Apple' link.

    Oh yeah -- thanks. :)

    I'm surprised that this isn't enabled by default.
  • were
    were Posts: 632 Forumite
    edited 24 April 2017 at 8:10PM
    buglawton wrote: »
    PS in the comments after the Reg article, a fix for Firefox is detailed:
    in about:config, set network.IDN_show_punycode to True

    Did not work for me in either Waterfox 52.0.2 x64 or Firefox 53.0 x32. Closed them down, rechecked the value, but they still were both apple.com

    Rebooted too and it still did not help
  • esuhl
    esuhl Posts: 9,409 Forumite
    were wrote: »
    Did not work for me in either Waterfox 52.0.2 x64 or Firefox 53.0 x32. Closed them down, rechecked the value, but they still were both apple.com

    Rebooted too and it still did not help

    Weird. It works for me on Win7 Firefox 53.0 (64-bit).

    BTW, the links themselves won't change; it'll just be what you see in the status bar when you hover on the link.
  • were
    were Posts: 632 Forumite
    esuhl wrote: »
    BTW, the links themselves won't change; it'll just be what you see in the status bar when you hover on the link.
    Ahhh, that were you got me, yup works!

    Thanks