Homographs, Attack!

Logan McDonald on February 16, 2018

We've known about Homograph attacks since the 1990s -- so you may be wondering why I'm writing about them in 2018. Don't worry, I'll get to that...

+1 for the sheer body of research attached to this post :)

 

Firefox users: you can go to about:config and switch network.IDN_show_punycode to true.


 

Yep! Unfortunately this always shows punycode for all IDNs, not just malicious ones. Wish they'd come up with a solution as a default for just the potentially malicious ones, like Chrome did!

 

Or they could show it like https://pаypal.com/ (punycode there)

Yes! This is similar to what IE does with IDNs, by showing an informational alert that you're on one as a pop-up. (Not sure which IE version does this.) Some have suggested color coding non-ASCII text as well. Lots of potential solutions 😊

 

Interesting. I've never heard of homograph attacks before.

 
 
 

Great post, also an interesting tidbit with Firefox is that it suggests the real PayPal in the link:

Firefox PayPal suggestion in URL

As I was writing this I realized you put that icon there. Awesome touch! Definitely fooled me 🙈

 

Implement our own display algorithms. This is what we ended up doing at Kickstarter. We used Google's open-source algorithm and show a warning if it's possible that the URL shown on the page is a homograph for another URL.

If you published this as an npm package (e.g. sanitizeHomograph(url)) then all of us could use it to sanitize URLs we display on profile pages.

 

Kickstarter is about to publish the Ruby code as a gem! Would be down to do it in JS as well 😊

 
 

When punycode first came out, Firefox would only display the Unicode version on a whitelisted set of TLDs. The rule, if I recall, was that a registrar must have published a policy on how they avoid the registration of homographs. This meant, for example, that .de would be okay since the registrar policy was limited script, but .com would always show punycode since it was a free-for-all.

I kind of think this is a registrar problem. The registration of homographs of common script characters should just be rejected.

 

Great proposal! I think, based on my reading of ICANN's meeting minutes and IDN RFCs, that as an international organization they are worried that limiting some scripts that support non-ASCII languages would be an overreach in favor of English speakers and Latin. They are taking time to make sure that whatever decision they make doesn't over-exclude non-Latin-language speakers. (And in the meantime hoping the browsers just do this for them 😉.) Turns out internet governance is just as slow-paced as any other kind of governance.

 
 

Awesome article. One small error - the past tense of "to lead" is "led", not "lead".

 

Ha! English is hard. I'll change. Thank you for pointing that out!

 
 

Last year I had fun with Apple's Safari and Mail:
tᴏ.com vs to.com vs tᴑ.com

This ended up in CVE-2017-7106 and CVE-2017-7152

I wrote about this in
blog.to.com/phishing-with-an-apple...

Additionally I built a "live js injection reverse proxy" for demonstration purposes on https://ṫo.com

It's not dirt on your screen, it's a special T and it works.

 
 

This was super informative! Anyway, what about requiring a human moderator to double-check links with punycode in them? I.e., show the warning until the moderator has had a chance to look at it and confirm it's not a homograph attack. I don't know how much of a burden that would be, but if there aren't that many punycode URLs, then the amount of work they'd need to do could be very low. And if the cost does turn out to be high, you might be able to use Mechanical Turk.

 

Woah, this is fascinating! I love that Chrome is actively combating this. Thanks for the well-researched article :D

 
 
 

Thanks for the post. Very well explained. Would be awesome if people could get their hands on the script you guys had written to do the site matching search!

 

+1 Great post, well documented and very instructive!
(PS: struggling every day with phishing e-mails using this kind of trick, in a dumb manner :P)

 

Top quality post. Learned a lot reading it. Thanks for writing!

 
 

My Mozilla shows me the link behind any clickable text. Your argument is invalid. It shows me the false one. Nice article otherwise.

 

Sure, it shows it on links, but what about a redirect during a checkout process? If an injected script could change a redirect to PayPal to actually go to a homographed domain instead, it would be quite hard to spot.
