
You think you can't be phished? - ribasushi
https://hackaday.com/2017/04/19/you-think-you-cant-be-phished/
======
walrus
Firefox: open about:config, set network.IDN_show_punycode to true. Next time
you open the page, the address bar will show
[https://www.xn--80ak6aa92e.com/](https://www.xn--80ak6aa92e.com/) instead of
[https://www.apple.com/](https://www.apple.com/). Better yet, always type in
or bookmark pages where you might enter sensitive information.

I was surprised this was still an issue, as I heard about IDN homograph
attacks years ago.

~~~
noja
Maybe the non-ascii characters could be coloured somehow, like with a
different colour background.

That way we could still show the real characters and not the punycode.

~~~
Operyl
But how would one mass-educate all the non-technical users on this? It'd be a
dirty little inside secret.

------
inetknght
The fact that I have to open developer tools to inspect the cert on Chrome is
_infuriating_.

~~~
problems
I'm reminded of a Torvalds quote from about a decade ago:

> This 'users are idiots, and are confused by functionality' mentality of
> Gnome is a disease. If you think your users are idiots, only idiots will use
> it.

~~~
ajross
For clarity, the feature isn't removed. You open the developer console (it has
like nine keys bound to do this, F12 is the easiest), select the "security"
tab, then hit the "view certificate" button.

I buy that this isn't as easy as the old mechanism (click on the TLS lock icon
next to the URL) but...

~~~
aargh_aargh
What are the other keys? I know about F12, but I have it mapped to something
else. I'm using Gnome.

~~~
ajross
Any of Ctrl-Shift-{c,i,j} will pop up various tabs of the developer tools.
There may be others I'm not aware of.

------
beamatronic
What if you just don't click on any links in email? Particularly if they are
really important sites. Just accomplish the proposed task another way. For
example, if you get an email from Paypal, stating that you need to update a
credit card or something, don't click their link, instead open a browser and
enter "[https://www.paypal.com](https://www.paypal.com)" yourself, and go
into your account information and look for your saved payment methods.

edit: typos

~~~
Adverblessly
I always hover over links before I click them to see where they actually lead
in the status bar. It is less safe than your suggestion (since if I'm not
careful I can fall for "googel.com" or "goog1e.com"), but is still often
useful (even just to avoid going somewhere I'm not interested in going, not
specifically against phishing).

~~~
JoshCole
I think you skipped reading the article.

The article is about punycode. Using it, you can have a site name like
'apple.com' even though really the domain is made up of various unicode
characters.

So even if you were exceedingly careful and you made sure not to fall for
googel.com and goog1e.com, you would still fall for the visually correct
google.com.

------
jdavis703
Which is why I look for the organization's name in the browser bar when I'm
logging in to a high-value website (Google, Apple, my bank, etc). For those who
don't know the UI for extended verification certificates, see the difference in
the screenshot: [http://imgur.com/a/ycVwA](http://imgur.com/a/ycVwA).

~~~
rb808
This was posted the other day; checking it's green isn't enough.

[https://www.xudongz.com/blog/2017/idn-phishing/](https://www.xudongz.com/blog/2017/idn-phishing/)

Edited: you're right, I thought you meant just check it's https.

~~~
roywiggins
That is an ordinary DV cert. GP is talking about EV certs, which in theory
assure you that Apple, Inc. specifically owns the domain name you're on, not
just the operator of the server.

------
542458
Amusingly, Facebook seems to block this link from being posted publicly (The
site reports "There was a problem updating your status. Please try again in a
few minutes" - private messages work fine however).

I wonder what Facebook's heuristic there is, since they don't seem to block
all punycode URLs. Maybe something about character distribution (all
Latin-like characters -> probably phishing)?

Edit: Actually, it might not be a block at all. I think it might just be a bug
in Facebook's URL parser, since when pasted into messages the automatic
hyperlink is set to [http://invalid.invalid](http://invalid.invalid).

------
js2
The latest version of Chrome renders the URL in the original punycode, not as
apple.com. The browser vendors all use their own algorithm for deciding when
to render as punycode vs unicode:

[https://www.chromium.org/developers/design-documents/idn-in-google-chrome](https://www.chromium.org/developers/design-documents/idn-in-google-chrome)

------
artimaeis
This is probably the most effective advertising to update to the newest Chrome
release that I've ever seen.

------
andreyf
If you use a password manager, it most likely won't auto-fill apple.com's
passwords on [https://www.xn--80ak6aa92e.com/](https://www.xn--80ak6aa92e.com/)

~~~
noooop
(unless it's LastPass)

~~~
brainfire
I may just be missing a joke here, but this isn't true.

~~~
andreyf
If you're on a malicious site, LastPass will likely auto-fill all your
passwords into the site. And also give them to the hackers who have root on
all their cloud servers.

They have a horrible track record of horrific bugs due to negligence, stupid
responses to vuln reports ("I couldn't reproduce your website launching
calc.exe on my mac") and more generally a lot of senseless security decisions
throughout the app last I used them (e.g. two factor defaulting to disabled
when logging in from the mobile app -- wut?).

~~~
brainfire
Pure shameless FUD.

------
irl_
I really hope things like this do not lead us to a mentality that anything
that isn't the Latin alphabet is malware or spam. There are people in the
world using non-Latin alphabets, and allowing them to have domain names in
their native alphabets is a good thing; we just haven't worked out how to do
it securely yet.

Disabling the rendering of punycode is actually not helpful in cases where you
wanted to visit a domain using the Cyrillic alphabet which you want to be sure
of, and someone registered some similar looking domain which looks equally
like a bunch of gibberish to the one you're looking for.

Some suggestions, maybe good, maybe bad:

* It may be as simple as adding a character set into the address bar

* Flag a warning if the domain name alphabet doesn't match the page content (as would be the case in this example) or maybe something else

------
kardos
>This affects the current version of Chrome browser, which is version
57.0.2987 and the current version of Firefox, which is version 52.0.2.

Firefox 52.0.2 & linux here, and the "L" in the URL looks like a capital i
with serifs - quite noticeable. Perhaps different on windows/osx though.

~~~
devindotcom
It looks like that in monospace I think; in rendered sans serif the bars on
the I don't render and it's indistinguishable from a lowercase L.

------
gwu78
Text-only browser shows the IDN, not the phished domain.

<sarcasm>I guess I need to "upgrade to a modern browser" for websites to work
correctly?</sarcasm>

As an aside, I still do not understand how "modern" browsers evolved to hiding
portions of the URL or using a phony address bar i.e. "omnibox" to the right
of the real address bar.

In the first case, it seems to offer no benefit other than to hide important
details.

In the second case, it seems so overtly deceptive for newcomers to the www
that I am surprised they could pull it off.

Maybe these things have changed recently as these monster programs are
constantly changing. If so, pardon my ignorance.

Is it not true that users who do not understand the basics of www usage e.g.,
what is a domain, a URL, etc. are always going to be at risk of manipulation?

~~~
TeMPOraL
> _Is it not true that users who do not understand the basics of www usage
> e.g., what is a domain, a URL, etc. are always going to be at risk of
> manipulation?_

It is, and the general attitude seriously irks me. Technology is complex, but
if they're hiding the actual details behind half-assed, inconsistent, _lying_
abstractions, they're not helping anyone - the user will never develop a
consistent mental model of what's going on if every other piece of software
lies about some parts of it.

------
gommm
As much as I like Firefox, I don't really agree with their reason for not
considering this to be a bug:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1332714](https://bugzilla.mozilla.org/show_bug.cgi?id=1332714)

> Indeed. Our IDN threat model specifically excludes whole-script homographs,
> because they can't be detected programmatically and our "TLD whitelist"
> approach didn't scale in the face of a large number of new TLDs. If you are
> buying a domain in a registry which does not have proper anti-spoofing
> protections (like .com), it is sadly the responsibility of domain owners to
> check for whole-script homographs and register them.
>
> We can't go blacklisting standard Cyrillic letters.

------
robbyking
I wanted to share the fake Apple URL with my team, and Slack expanded it to
[https://www.xn--pple-43d.com](https://www.xn--pple-43d.com) when I hit send.

~~~
Dylan16807
Note that the URL people are excited about is the pure-cyrillic
xn--80ak6aa92e, not xn--pple-43d.

------
TheAceOfHearts
Even though Safari is behind the curve for many web tech features, I've been
pretty happy using it as my main browser for the last few months. On a MacBook
Pro, none of the browsers even come close to competing with Safari when it
comes to battery life. I still keep Chromium and Firefox installed, and
Chromium is my go-to option for web development. But I'm happy to find that
Safari has sane defaults when it comes to displaying URLs.

------
LeoPanthera
Safari is not fooled.
[http://i.imgur.com/2PyCWtz.png](http://i.imgur.com/2PyCWtz.png)

~~~
nimnio
Brave is not fooled either, which is interesting because it's based on
Chromium.

Brave 0.14.1 libchromiumcontent 57.0.2987.133

Fixed in Chrome 58, so I wonder what the significant difference is.

~~~
tdeck
Brave 1.0.19 on mobile is fooled, it displays apple.com.

------
amenghra
U2F as a second factor prevents this (and many other) kinds of phishing
attacks.

The token's crypto takes the page's domain into account.

------
diminoten
The bug report in Chromium.

[https://bugs.chromium.org/p/chromium/issues/detail?id=683314](https://bugs.chromium.org/p/chromium/issues/detail?id=683314)

~~~
SloopJon
The fix is described here:

[https://chromium.googlesource.com/chromium/src.git/+/08cb718...](https://chromium.googlesource.com/chromium/src.git/+/08cb718ba7c3961c1006176c9faba0a5841ec792)

It seems very limited in scope, essentially preventing the Unicode display of
a domain that only contains the following "Latin-alike" Cyrillic characters:
"асԁеһіјӏорԛѕԝхуъЬҽпгѵѡ".

------
SadWebDeveloper
Verified by: Let's Encrypt

Somehow I was expecting that Comodo was the one culprit for the valid cert, but
I forgot how easy it is to ask for certs like this. Sometimes I think that Let's
Encrypt is hurting more than doing good.

~~~
goodplay
Given a choice between a safe web by default and nice looking urls, I'd choose
the former.

Furthermore, the real problem is that the green lock is displayed for https
sites rather than those with extended verification. Http should be red, https
should be plain, and ev https should be green with a padlock.

It's a failure in browser UI.

------
zulln
A password manager would be what (hopefully) saves me from this.

------
_nalply
I thought about normalising homographs then I tried out an implementation.

[https://github.com/nalply/homoglyph_normalize](https://github.com/nalply/homoglyph_normalize)

The idea is: get confusables.txt from Unicode and generate from that a
JavaScript object which does the mapping.

It's not guaranteed to work, I didn't even test it, but it's perhaps a
starting point for whatever you want to do with it.

------
jwilk
Previous discussion:

[https://news.ycombinator.com/item?id=14119713](https://news.ycombinator.com/item?id=14119713)

[https://news.ycombinator.com/item?id=14130241](https://news.ycombinator.com/item?id=14130241)

[https://news.ycombinator.com/item?id=14153900](https://news.ycombinator.com/item?id=14153900)

------
helthanatos
The good news is, it's hard to find characters that actually look like latin
characters. This uses the Cyrillic characters, but there are no characters
resembling g or d, so most websites are safe from this. Though, it is
incredibly infuriating that it doesn't show the punycode unless you try to
find it.

------
jiripospisil
As a temporary workaround, you can install a Chrome extension to block all
IDNs from being loaded. More details at
[https://github.com/jiripospisil/chrome-block-idns](https://github.com/jiripospisil/chrome-block-idns)

------
mercer
Would a possible solution be to check if a url contains 'ambiguous' letters,
and if so, transform all these letters to the more common versions and then
check if that domain already exists? If it does, give the user a warning.

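One way to implement what SloopJon, _nalply and mercer describe above (the Chrome 58 rule that keeps a label in punycode when every character is a Latin-alike Cyrillic letter, plus a normalise-then-compare check against names you already know), as an added example that is not code from the article, the Chromium change or any commenter. The Cyrillic-to-Latin pairing and the `known_hosts` allowlist are this example's own assumptions.

```python
import unicodedata

# The Latin-alike Cyrillic letters quoted in the thread for the Chrome 58 fix,
# paired with the Latin letters they pass for (pairing is an assumption here).
LATIN_ALIKE = dict(zip(
    "\u0430\u0441\u0501\u0435\u04bb\u0456\u0458\u04cf\u043e\u0440\u051b"
    "\u0455\u051d\u0445\u0443\u044a\u042c\u04bd\u043f\u0433\u0475\u0461",
    "acdehijlopqswxybbenrvw"))

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; xn-- labels carry Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_of(ulabel: str) -> set:
    """Script names ('LATIN', 'CYRILLIC', ...) of the letters in a label."""
    return {unicodedata.name(c).split()[0] for c in ulabel if c.isalpha()}

def skeleton(ulabel: str) -> str:
    """Replace each Latin-alike Cyrillic letter by the Latin letter it mimics."""
    return "".join(LATIN_ALIKE.get(c, c) for c in ulabel)

def check_hostname(hostname: str, known_hosts: set) -> dict:
    """Decide how to show a hostname and whether it imitates a known one."""
    raw_labels = hostname.lower().split(".")
    ulabels = [decode_label(raw) for raw in raw_labels]
    display, suspicious = [], False
    for raw, u in zip(raw_labels, ulabels):
        mixed = len(scripts_of(u)) > 1                        # e.g. аpple
        whole = bool(u) and all(c in LATIN_ALIKE for c in u)  # e.g. аррӏе
        if mixed or whole:
            suspicious = True
            display.append(raw)      # keep the xn-- form in the address bar
        else:
            display.append(u)        # ordinary IDN, safe to render
    unicode_host = ".".join(ulabels)
    skel = ".".join(skeleton(u) for u in ulabels)
    lookalike = skel if skel != unicode_host and skel in known_hosts else None
    return {"unicode": unicode_host, "display": ".".join(display),
            "suspicious": suspicious, "lookalike_of": lookalike}

if __name__ == "__main__":
    # Constructed allowlist standing in for "does that domain already exist?"
    known = {"www.apple.com", "www.paypal.com"}
    for host in ("www.xn--80ak6aa92e.com", "www.xn--pple-43d.com",
                 "xn--e1afmkfd.xn--p1ai", "www.apple.com"):
        print(host, "->", check_hostname(host, known))
```

The pure-Cyrillic domain from the article and robbyking's mixed-script one both stay in punycode and map onto www.apple.com, while a genuine Cyrillic name such as пример.рф (which contains letters outside the Latin-alike set) renders normally.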
------
makkesk8
I was affected in Chrome, then I went ahead and navigated to chrome://help/
and I was no longer affected. Gj, Google.

------
goodplay
Non-EV HTTPS should lose its green color. The green padlock should only be
displayed with EV certs.

------
Exuma
Damn...... so I've been vulnerable up until v58 released a few days ago? WTF?

~~~
XaspR8d
Well it's an extremely challenging edge case to address. As noted, mixed
alphabet domains have decomposed to their punycodes for a while, but the
single alphabet case is harder to separate malicious from legitimate.

This isn't a full solution yet anyway... a Russian user could still be phished
for example, because their locale would match.

------
dorfsmay
Can somebody confirm that the link is safe to open?

~~~
morinted
Yep, it's just a small message, link out, and screenshot.

> _This may or may not be the site you are looking for! This site is obviously
> not affiliated with Apple, but rather a demonstration of a flaw in the way
> unicode domains are handled in browsers._

------
tener
Made me update to Chrome v58 right away.

------
Dylan16807
This article is too narrowly focused on IDN. appie.com has fundamentally the
same problem, despite being pure ASCII.

~~~
homakov
Disagreed - i is distinct enough from l ( _if_ you look at the URL at all)

~~~
Dylan16807
Capital I looks exactly like an l in my address bar. It's slightly thicker but
you'd only notice that if there was an l next to it.

