DEV Community

Homographs, Attack!

Logan McDonald on February 16, 2018

We've known about Homograph attacks since the 1990s -- so you may be wondering why I'm writing about them in 2018. Don't worry, I'll get to that. I...
Ryan Palo

+1 for the sheer body of research attached to this post :)

Sergey Kislyakov

Firefox users: you can go to about:config and switch network.IDN_show_punycode to true.

Logan McDonald

Yep! Unfortunately this always shows punycode for all IDNs not just malicious ones. Wish they'd come up with a solution as a default for just the potentially malicious ones like Chrome did!

Sergey Kislyakov

Or they could show it like https://pаypal.com/ (punycode there)

Logan McDonald

Yes! This is similar to what IE does with IDNs, by showing an informational alert that you're on one as a pop-up. (Not sure which IE version does this). Some have suggested color coding non-ASCII text as well. Lots of potential solutions 😊

Gabriel Manoel

Interesting. I've never heard of homograph attacks before.

Kasey Speakman

I learned quite a bit. Thank you!

Jess Lee

Wow, that is all super interesting.

Andy Zhao (he/him)

Great post, also an interesting tidbit with Firefox is that it suggests the real PayPal in the link:

Firefox PayPal suggestion in URL

As I was writing this I realized you put that icon there. Awesome touch! Definitely fooled me 🙈

Billie Hilton

Implement our own display algorithms. This is what we ended up doing at Kickstarter. We used Google's open-source algorithm and show a warning if it's possible that the URL shown on the page is a homograph for another URL.

If you published this as an npm package (e.g. sanitizeHomograph(url)) then all of us could use it to sanitize URLs we display on profile pages.
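An added example, written for this thread and not code from Kickstarter's gem or from Chrome: a `sanitizeHomograph(url)` sketch in JavaScript of the kind requested above. It decodes each `xn--` label with a minimal RFC 3492 decoder, flags labels that mix scripts or consist entirely of Cyrillic letters that look Latin (two of the rules Chrome applies before it renders an IDN label as Unicode), and folds each label to a Latin "skeleton" (diacritics stripped, look-alike letters mapped) so the whole host can be compared against a watchlist of domains worth protecting. The script ranges, the look-alike table and the watchlist are deliberately small and are assumptions of this example, not data from the post or the comments.

```javascript
// Added example, not Kickstarter's or Chrome's code. Script ranges, the
// look-alike table and WATCHLIST are illustrative assumptions.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;

// Bias adaptation from RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  for (; delta > ((BASE - TMIN) * TMAX) >> 1; k += BASE) {
    delta = Math.floor(delta / (BASE - TMIN));
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Minimal RFC 3492 decoder for one label with the "xn--" prefix removed,
// e.g. "pypal-4ve" -> "p\u0430ypal" (second letter is Cyrillic a).
function punycodeDecode(input) {
  const out = [];
  const dash = input.lastIndexOf('-');
  for (let j = 0; j < dash; j++) out.push(input.charCodeAt(j)); // basic (ASCII) part
  let n = 128, bias = 72, i = 0, idx = dash + 1;                 // dash === -1 -> idx 0
  while (idx < input.length) {
    const oldi = i;
    for (let w = 1, k = BASE; ; k += BASE) {
      if (idx >= input.length) throw new Error('truncated punycode');
      const c = input.charCodeAt(idx++);
      let digit;
      if (c >= 48 && c <= 57) digit = c - 22;        // '0'-'9' -> 26..35
      else if (c >= 65 && c <= 90) digit = c - 65;   // 'A'-'Z' -> 0..25
      else if (c >= 97 && c <= 122) digit = c - 97;  // 'a'-'z' -> 0..25
      else throw new Error('bad punycode digit');
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    bias = adapt(i - oldi, out.length + 1, oldi === 0);
    n += Math.floor(i / (out.length + 1));
    i %= out.length + 1;
    out.splice(i++, 0, n);                           // insert code point n at position i
  }
  return String.fromCodePoint(...out);
}

// Coarse script classification (assumed ranges; real code uses the Unicode
// Script property). Digits and hyphen are "Common" and never count as mixing.
function scriptOf(cp) {
  if ((cp >= 0x30 && cp <= 0x39) || cp === 0x2d) return 'Common';
  if (cp < 0x80 || (cp >= 0xc0 && cp <= 0x24f) ||
      (cp >= 0x1d00 && cp <= 0x1d7f) || (cp >= 0x1e00 && cp <= 0x1eff)) return 'Latin';
  if (cp >= 0x370 && cp <= 0x3ff) return 'Greek';
  if (cp >= 0x400 && cp <= 0x52f) return 'Cyrillic';
  return 'Other';
}

// A small slice of Unicode's confusables: letters that render like Latin ones.
const LOOKALIKES = {
  'а': 'a', 'е': 'e', 'о': 'o', 'р': 'p', 'с': 'c', 'у': 'y', 'х': 'x',   // Cyrillic
  'ѕ': 's', 'і': 'i', 'ј': 'j', 'һ': 'h', 'ԁ': 'd', 'ԛ': 'q', 'ԝ': 'w', 'ӏ': 'l',
  'ο': 'o', 'ν': 'v',                                                      // Greek
  'ᴏ': 'o', 'ᴑ': 'o',                                                      // Latin small capitals
};

// Skeleton: strip combining marks (so "ṫ" -> "t"), then fold look-alikes to Latin.
function toSkeleton(label) {
  return Array.from(label.normalize('NFD').replace(/[\u0300-\u036f]/g, ''),
                    ch => LOOKALIKES[ch] || ch).join('');
}

function analyzeLabel(label) {
  const unicode = /^xn--/i.test(label) ? punycodeDecode(label.slice(4)) : label;
  const cps = Array.from(unicode, ch => ch.codePointAt(0));
  const scripts = [...new Set(cps.map(scriptOf))].filter(s => s !== 'Common').sort();
  const reasons = [];
  if (scripts.length > 1) reasons.push('mixed scripts: ' + scripts.join('+'));
  if (scripts.length === 1 && scripts[0] === 'Cyrillic' &&
      Array.from(unicode).every(ch => LOOKALIKES[ch] !== undefined)) {
    reasons.push('whole-script confusable: every Cyrillic letter looks Latin');
  }
  return { unicode, skeleton: toSkeleton(unicode), reasons };
}

// Constructed watchlist of domains a phisher would want to imitate.
const WATCHLIST = ['paypal.com', 'apple.com', 'google.com', 'to.com'];

// Returns what to display (punycode whenever something looked off, Unicode
// otherwise) plus a warning naming the suspected target, if any.
function sanitizeHomograph(url) {
  const host = new URL(url).hostname;               // WHATWG URL yields the ASCII (xn--) form
  const labels = host.split('.').map(analyzeLabel);
  const unicodeHost = labels.map(l => l.unicode).join('.');
  const skeletonHost = labels.map(l => l.skeleton).join('.');
  const reasons = labels.flatMap(l => l.reasons);
  const target = WATCHLIST.find(d => d === skeletonHost && d !== unicodeHost);
  if (target) reasons.push('skeleton matches ' + target);
  return {
    host,
    unicodeHost,
    display: reasons.length ? host : unicodeHost,
    warning: reasons.length ? reasons.join('; ') : null,
    suspectedTarget: target || null,
  };
}

// Example run with the Cyrillic-a PayPal look-alike discussed in this thread:
console.log(sanitizeHomograph('https://xn--pypal-4ve.com/login'));
```

`display` is the string to put on the page and `warning` is what a moderator or visitor should be told; the mixed-script and whole-script rules alone miss single-script look-alikes such as a small-capital or dotted letter, which is why the skeleton comparison against a watchlist is the check that actually names the impersonated domain. A real deployment would swap the hand-written tables for full Unicode script data and confusables.txt.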

Logan McDonald

Kickstarter is about to publish the ruby code as a gem! Would be down to do in js as well 😊

Logan McDonald

sorry this took a while! github.com/kickstarter/ruby-homogr...

edA‑qa mort‑ora‑y

When punycode first came out Firefox would only display the unicode version on a whitelisted set of TLDs. The rule, if I recall, was that a registrar must have published a policy on how they avoid the registration of homographs. This meant, for example, that .de would be okay since the registrar policy was limited script, but .com would always show punycode since it was a free-for-all.

I kind of think this is registrar problem. The registration of homographs on common script characters should just be rejected.

Logan McDonald

Great proposal! I think, based on my reading of ICANN's meeting minutes and IDN RFCs, that as an international organization they are worried limiting some scripts that support non-ASCII languages would be an overreach in favor of English speakers and Latin. They are taking time to make sure that whatever decision they make doesn't over-exclude non-latin-language speakers. (And in the meantime hoping the Browsers just do this for them 😉.) Turns out internet governance is just as slow-paced as any other kind of governance.

Anna Rankin

Woah, this is fascinating! I love that Chrome is actively combating this. Thanks for the well-researched article :D

Oliver Paukstadt

Last year I had fun with Apple's Safari and Mail:
tᴏ.com vs to.com vs tᴑ.com

This ended up in CVE-2017-7106 and CVE-2017-7152

I wrote about this in
blog.to.com/phishing-with-an-apple...

Additionally I built a "live js injection reverse proxy" for demonstration purposes on https://ṫo.com

It's not dirt on your screen, it's a special T and it works.

Logan McDonald

Nice! I love the blog post.

Josh Cheek

This was super informative! Anyway, what about requiring a human moderator to double check links with punycode in them? I.e. show the warning until the moderator has had a chance to look at it and confirm it's not a homograph attack. I don't know how much of a burden that would be, but if there aren't that many punycode URLs, then the amount of work they'd need to do could be very low. And if the cost does turn out to be high, you might be able to use Mechanical Turk.

José Daniel

Thanks, a very interesting article.

Robert Reid

Awesome article. One small error - the past tense of "to lead" is "led", not "lead".

Logan McDonald

Ha! English is hard. I'll change it. Thank you for pointing that out!

Jason Walzak

This is a dang good post.
Super interesting.

Mac Siri

10/10 article. Awesome research work!

Erhan Kılıç

Wow, great article! Thanks!

Jonathan Apodaca

Top quality post. Learned a lot reading it. Thanks for writing!

Johnny

My Mozilla shows me the link behind any clickable text. Your argument is invalid. It shows me the false one. Nice article otherwise.

Christian Dannie Storgaard

Sure, it shows it on links, but what about a redirect during a checkout process? If an injected script could change a redirect to paypal to actually go to a homograph'ed domain instead, it would be quite hard to spot.

Alain Danteny

+1 Great post, well documented and very instructive!
(PS: struggling every day with phishing e-mails using (in a dumb manner) this kind of cheat :P )

Piyush Asutkar

Thanks for the post. Very well explained. Would be awesome if people could get their hands on the script you guys had written to do the site matching search!

BoxOfTech

Amazing post. Great work!