Free Republic

That apple.com link you clicked on? Yeah, it's actually Russian
The Register ^ | April 18, 2017 | By Kieren McCarthy

Posted on 04/18/2017 1:46:27 PM PDT by Swordmaker

Didn't we fix this back in 2005? Apparently not

Click this link (don't fret, nothing malicious). Chances are your browser displays "apple.com" in the address bar. What about this one? Goes to "epic.com," right?

Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.

In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We're told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.

This domain disguising, which tricks people into visiting a site they think is legit but really isn't, is called a "homograph attack" – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address "paypal.com."

So what is this, how does it work, and why does it still exist?

Well, thanks to the origins of the internet in the United States, the global network's addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.

The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.

And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became "Punycode."

There may be trouble ahead...

The trouble – which was first noted way back in 2001 – is that some letters in other languages like Cyrillic are different but look almost identical. You can get identical-looking versions of "a", "B", "c", "i", "l", "O" and "p," among others.

So by combining the codes for these other letters with non-coded letters you can appear to spell out a word like "apple," therefore tricking people into visiting a different website from the one they think they are visiting.

Needless to say, the organization in charge of overseeing the domain name system, US-based ICANN, took this seriously and put out a warning back in 2005 on what it termed "homograph attacks." The world's DNS overseer stated:

ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs [internationalized domain names] become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.

And so it turned to its community of internet engineers and policy makers and opened a formal comment forum to come up with "countermeasures" and "improve public protection from abusive use of domain names."

That was 12 years ago. What's happened since?

Not much, it seems. The comment forum that ICANN opened received just three comments and was archived in 2006. Statements put out by internet organizations including CENTR and APTLD have long since been lost thanks to broken hyperlinks.

I can't hear you

The internet community appears to have just wished the problem away. Unfortunately, it was still there. So five years later, in 2010, and then again in 2011, it reappeared.

This time spammers had started using the technique to get people to click on their links by providing what looked like legitimate domain names. The one that caught everyone's attention was a Cyrillic version of "paypal.com" that was really "raural.com," but looked the same.

The problem had grown because of ICANN's own expansion of the IDN space. The organization was under significant pressure from governments around the world who were very unhappy with the speed of progress at the US-based and American-dominated organization in adding their languages to the internet's infrastructure.

For its own self-preservation, ICANN approved a "fast track" of new IDNs, but the issue of homograph attacks appears to have been left untouched. ICANN is in a position to develop new policies that would then likely be adopted by other organizations that make up the internet eco-system – but it appears to have chosen not to bother.

Browser manufacturers have been similarly lazy:

However, even though some browsers responded back in 2010 by turning off IDNs as a default, it appears that at some point a browser update has set the default back to on.

Policy?

In terms of actual policy changes, the last activity we saw was a group working on "universal acceptance" at a domain name conference back in 2015 that would enable all internationalized domains to work across the internet.

That group was being given informal support from ICANN, as well as Google, but has made limited progress thanks to a lack of resources. Part of that group's work was to figure out how to minimize the impact of phishing through IDNs.

As to what you can do to mitigate being tricked by their coding issue: the best solution, unfortunately, is to simply turn off support for IDNs in your browser.

ICANN's webpage on the topic hasn't been updated since September 2015. We prodded ICANN for any information on current efforts to tackle homograph attacks. A spokesperson told The Reg:

ICANN is as concerned as ever about malicious use of the DNS via phishing. We have not changed our rules for what contracted TLDs are allowed to delegate in their zones. The recently described attacks are no different than the ones ICANN has been looking at since the addition of IDNs in 2003.

In the meantime, ICANN is coming toward the end of another lengthy policy process that would allow or block the use of country codes – like "us" for the United States or "de" for Germany – in the hundreds of new top-level domains that ICANN has approved in the past few years. These have contributed hundreds of millions of dollars to the small Los Angeles-based organization.

It should be noted however that the policy only covers ASCII text – ie, the English keyboard. Fifteen years on from the first warning of homograph attacks using non-English characters, it seems that some priorities never change. ®

TOPICS: Business/Economy; Computers/Internet; Conspiracy
KEYWORDS: applepinglist; browsing; security
This browser exploit does not work on an up-to-date Apple Safari, as it displays the correct URL in the address bar. The same holds true for Chrome v.60 on macOS 10.12, which is also not vulnerable to this attack, called a "homograph attack." Apparently Microsoft Internet Explorer is also immune to it.
1 posted on 04/18/2017 1:46:27 PM PDT by Swordmaker

To: Swordmaker
I've long been annoyed that Blizzard won't allow me to name a World of Warcraft character ьoь.
2 posted on 04/18/2017 1:49:28 PM PDT by Vroomfondel

To: dayglored; ThunderSleeps; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; ...
"Homograph Attacks" are back for some browsers in which clicking what appears to be a link to a well known site actually takes you to a fake site that is NOT what you think it is. This works by using ASCII characters that are actually foreign characters. Fully up-to-date Apple Safari, Chrome v.60 on macOS, and Microsoft Internet Explorer are not susceptible to "Homographic Attacks" but many other popular alternative and older versions of those browsers are. Those that are immune will post the actual URL address in the address bar and often post a warning alert. The others will be spoofed into posting the incorrect URL address. A word to the wary in this Register Article worth reading. — PING!

Pinging dayglored and ThunderSleeps for their respective ping lists for security alert.


Apple Alternative Browser Security Alert
Ping!

The latest Apple/Mac/iOS Pings can be found by searching Keyword "ApplePingList" on FreeRepublic's Search.

If you want on or off the Mac Ping List, Freepmail me

3 posted on 04/18/2017 1:53:31 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Vroomfondel
I've long been annoyed that Blizzard won't allow me to name a World of Warcraft character ьoь.

LOL!

4 posted on 04/18/2017 1:55:08 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Vroomfondel
I've long been annoyed that Blizzard won't allow me to name a World of Warcraft character ьoь.

As you can see from MacDailyNews Take on this problem:
Ⅼеτ’ѕ Ье ϲагеғυⅼ оυτ τһеге. ⋃ѕе а геаⅼ Ьгоѡѕег!

5 posted on 04/18/2017 1:58:33 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Homograph - a mid-20th Century device that was used to play Liberace records.


6 posted on 04/18/2017 2:00:54 PM PDT by Buckeye McFrog

To: Swordmaker

Well I’m using Windows 10, and they both display correctly, when I held my mouse over each.

That is to say, as a bunch of nonsense.

Just saying.


7 posted on 04/18/2017 2:01:15 PM PDT by cba123 ( Toi la nguoi My. Toi bay gio o Viet Nam.)

To: Buckeye McFrog
Homograph - a mid-20th Century device that was used to play Liberace records.

Give a guy some warning. . . and save a computer screen from being sprayed by soda. ROTFLMAO!

8 posted on 04/18/2017 2:10:02 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Typical stupidity. Warned in 2005. I remember the warning. Nothing done. And these people are going to program devices that can injure people??


9 posted on 04/18/2017 2:11:24 PM PDT by I want the USA back (The media is acting full-on as the Democratic Party's press agency now: Robert Spencer)

To: cba123
Well I’m using Windows 10, and they both display correctly, when I held my mouse over each.

The question is "What browser are you using? Edge, or Internet Explorer?"

What do the links say when you don't hold your mouse over them? What does the address bar say if you click on them when you get to their websites? Do you get any warning before you get there?

The problem seems to be with many alternative browsers, not with mainstream browsers.

10 posted on 04/18/2017 2:15:43 PM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

Internet Explorer.

I won’t click on them, but seems to work correctly for me.


11 posted on 04/18/2017 2:18:42 PM PDT by cba123 ( Toi la nguoi My. Toi bay gio o Viet Nam.)

To: Swordmaker

Yeah, but if I hover over both, I can see right away there are problems. IE 10 shows me what the actual name is on a bar at the bottom left of the browser, and the first link actually shows nothing, the second shows the real name of the link as noted in the article. I’ve known to look at what the bar shows me at the bottom of the page for longer than I can remember.


12 posted on 04/18/2017 2:19:03 PM PDT by IYAS9YAS (An' Tommy ain't a bloomin' fool - you bet that Tommy sees! - Kipling)

To: IYAS9YAS

Never mind. I see that Chrome and Firefox are the issue, not IE. Meh.


13 posted on 04/18/2017 2:21:13 PM PDT by IYAS9YAS (An' Tommy ain't a bloomin' fool - you bet that Tommy sees! - Kipling)

To: Swordmaker

I downloaded a combined update last week and it warned me it wasn’t signed when I opened it. Went online to a Mac-o-phile site and went to the Apple link from there, downloaded another copy, no problem. The other site looked like Apple but..........


14 posted on 04/18/2017 2:33:10 PM PDT by itsahoot (As long as there is money to be divided, there will be division.)

To: Swordmaker

I’m trying this Chrome extension. “Real Domain Name”

https://chrome.google.com/webstore/detail/real-domain-name/lhbkkikjboiebjeghokpefafaahnfoff?hl=en-US


15 posted on 04/19/2017 8:41:00 AM PDT by old-ager

To: Swordmaker

I just tried this on Chrome 56 in Windows, and it’s not immune. However the “Real Domain Name” extension did its job.


16 posted on 04/19/2017 8:45:48 AM PDT by old-ager

To: I want the USA back

The “community” is unable to solve the most basic problems, like spam.


17 posted on 04/19/2017 8:48:16 AM PDT by old-ager

To: old-ager
I just tried this on Chrome 56 in Windows, and it’s not immune. However the “Real Domain Name” extension did its job.

It's good to know that if you know to install that extension you could be protected if you were using Chrome v.56. I wonder how many users are using it? Does it also intercept you going to the site and warn you before arriving there, or do you have to proactively look at the URL address bar and actually notice you aren't where you are supposed to be?

Still, the problem here is that there are Russian Cyrillic alphabet characters that look almost exactly like the English alphabet characters and would be very difficult to distinguish using your "Real Domain Name" extension. For example, the Russian "R" looks exactly like an English "P", while a Russian Cyrillic lower case "g" looks very much like the English lower case "r" and a Russian "S" is a "C". These letters can be exchanged in a domain name and you could be none the wiser, unless you looked very, very closely, if they had constructed their domain name very carefully to mimic the correct one.

As the MacDailyNews take put it using all Cyrillic characters: Ⅼеτ’ѕ Ье ϲагеғυⅼ оυτ τһеге. ⋃ѕе а геаⅼ Ьгоѡѕег!

18 posted on 04/19/2017 10:58:07 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
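The Punycode decoding the article describes, together with the kind of script and look-alike check a browser (or the "Real Domain Name" extension discussed in the comments above) needs before deciding what to put in the address bar, as an added example in Python. This is not code from the article, The Register, the extension, or any browser vendor. It takes the two xn-- domains quoted in the article as sample input; the confusables table is a constructed subset of Unicode's much larger confusables data, and the script classification uses block ranges because the standard library does not expose the Unicode Script property.

```python
"""Decode Punycode (xn--) labels and flag homograph look-alikes.

Added example (not code from the article, The Register, or any browser
vendor): a minimal form of the check an address bar performs before deciding
whether to render a hostname's Unicode form or its raw xn-- form. The two
domains from the article are the sample input; the confusables table is a
constructed subset of Unicode's confusables list.
"""

# Unicode block ranges standing in for the Script property, which the
# standard library's unicodedata module does not expose.
SCRIPT_RANGES = {
    "Latin": [(0x0041, 0x005A), (0x0061, 0x007A), (0x00C0, 0x024F)],
    "Greek": [(0x0370, 0x03FF)],
    "Cyrillic": [(0x0400, 0x04FF), (0x0500, 0x052F)],
}

# Cyrillic letters whose glyphs match a Latin letter in common fonts
# (constructed subset of the Unicode confusables data, not the full table).
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u0456": "i",
    "\u0458": "j", "\u043e": "o", "\u0440": "p", "\u0455": "s",
    "\u0445": "x", "\u0443": "y", "\u04cf": "l", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u051d": "w",
}

# Verdicts from least to most deceptive; a domain's verdict is its worst label.
SEVERITY = ["ascii", "latin-idn", "idn", "mixed-script", "whole-script-confusable"]


def script_of(ch):
    """Coarse script classification of one character."""
    if ch in "-0123456789":
        return "Common"
    cp = ord(ch)
    for name, ranges in SCRIPT_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    return "Other"


def to_unicode(domain):
    """Replace every xn-- label of an ASCII hostname with its Unicode form.

    The plain punycode codec is used rather than the idna codec so the decoded
    text is still shown when IDNA round-trip checks would reject the label.
    """
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def assess_label(label):
    """Return (verdict, latin_lookalike) for one already-decoded label."""
    scripts = {script_of(c) for c in label} - {"Common"}
    lookalike = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)
    if not scripts or scripts == {"Latin"}:
        verdict = "ascii" if label.isascii() else "latin-idn"
    elif len(scripts) > 1:
        verdict = "mixed-script"  # e.g. Latin "p" next to Cyrillic "а"
    elif scripts == {"Cyrillic"} and all(
        c in CYRILLIC_TO_LATIN or script_of(c) == "Common" for c in label
    ):
        verdict = "whole-script-confusable"  # every letter impersonates Latin
    else:
        verdict = "idn"  # a genuine non-Latin name
    return verdict, lookalike


def assess_unicode(decoded):
    """Assess a hostname already in Unicode form; labels are (text, verdict, lookalike)."""
    labels = [(lab,) + assess_label(lab) for lab in decoded.split(".")]
    worst = max((v for _, v, _ in labels), key=SEVERITY.index)
    return {"decoded": decoded, "verdict": worst, "labels": labels}


def assess(domain):
    """Decode an ASCII (possibly xn--) hostname and assess it."""
    return assess_unicode(to_unicode(domain))


def display_form(domain):
    """What an address bar should show: the Unicode form only when it is not deceptive."""
    result = assess(domain)
    safe = SEVERITY.index(result["verdict"]) <= SEVERITY.index("idn")
    return result["decoded"] if safe else domain.lower()


if __name__ == "__main__":
    for d in ["xn--80ak6aa92e.com", "xn--e1awd7f.com", "apple.com"]:
        r = assess(d)
        print(f"{d:22} -> {r['decoded']:12} [{r['verdict']}] "
              f"looks like {r['labels'][0][2]}; show as {display_form(d)}")
```

Run stand-alone, the script decodes the article's two domains to their all-Cyrillic forms, reports that every letter has a Latin look-alike (spelling "apple" and "epic"), and therefore keeps the raw xn-- form for display, which is the behaviour the article credits to Safari, Internet Explorer and Chrome 60. A name such as яндекс.ru is classed as an ordinary IDN and shown in Unicode, so the check does not simply disable IDNs the way the article's "turn off support" workaround does.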

To: cba123
Internet Explorer.

I won’t click on them, but seems to work correctly for me.

The article specifically states that Internet Explorer is one that is immune to the problem, unlike other browsers from third parties. They did not state whether Microsoft Edge inherited IE's immunity.

19 posted on 04/19/2017 11:00:16 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: old-ager
I’m trying this Chrome extension. “Real Domain Name”

See my comment a couple of posts above vis-a-vis the problem being substituting Russian Cyrillic characters for almost identical English characters that are very difficult to distinguish from each other even if you are using something that shows you the real Domain name.

20 posted on 04/19/2017 11:04:41 AM PDT by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
