
Chrome 58 will fix its protection against homograph attacks



The site https://www.аррӏе.com/ has a real SSL certificate (from Let's Encrypt, of course) and is marked in the browser as a trusted site. But it is not what you expect to see. It is a proof of concept showing that some modern browsers display site names in Unicode rather than Punycode and thereby mislead users.

Punycode is a way of representing Unicode characters in host names using a limited subset of ASCII. As RFC 3492 states, Punycode is an instance of the more general Bootstring algorithm, in which strings composed of a small set of “basic” characters (here, ASCII) uniquely represent strings composed of a larger set of characters (Unicode). For example, the domain 短.co becomes xn--s7y.co.
In the domain imitated above (apple.com), the first letter of the host can be replaced with the Cyrillic letter “а” (U+0430) instead of the ASCII letter (U+0041). This is the good old homograph attack that browser developers and domain name registrars have been fighting for a long time.

In an ideal world, domain registrars would refuse to register domains that enable homograph attacks, and all browsers could then display host names in Unicode as normal.

Since the world is not perfect, browser developers have implemented their own countermeasures. In particular, Chrome since version 51 and Firefox since version 22 hide the Unicode form of the domain if characters from different alphabets are mixed within the host. For example, if the first letter of www.apple.com is replaced with a Cyrillic character, the browsers display the address as “xn--pple-43d.com”.

The problem is that this method does not work if the attacker has replaced not some of the letters but all the letters of the domain with characters from another alphabet. In the Apple domain mentioned above, all five characters are replaced with Cyrillic ones. In Punycode this gives “xn--80ak6aa92e.com”, and as the screenshot above shows, the browser does not protect against such an attack.

The fake address renders perfectly in both Firefox and recent versions of Chrome. In this font, the capital Cyrillic “Ӏ” looks exactly like the Latin “l”.

Only by inspecting the SSL certificate can you detect the fake.

Internet Explorer and Safari are not affected by this vulnerability. In the IE tab, for example, the site name is shown in Punycode right away.

Fortunately, Chrome developers have prepared a patch that closes this vulnerability. It was originally scheduled for Chrome 59, but it was then decided to include it in Chrome 58, which will be released very soon, on April 25. Apparently, after this patch the browser will display the Punycode form in all “controversial” situations where there is some likelihood of phishing, even if all the characters belong to the same alphabet. This means that some addresses of Russian sites in Cyrillic will, in theory, now always be shown in the “ugly” Punycode rather than the “beautiful” Unicode. For example, http://сахар.com/ will turn into xn--80aa2cbv.com/. The owners of such sites are out of luck.
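The Punycode conversion from the RFC 3492 paragraph, the mixed-script rule of Chrome 51 / Firefox 22, the all-Cyrillic gap it leaves, and the stricter “same alphabet but still confusable” rule described here for Chrome 58 can all be exercised in one script. The following is an added example written for this page; it is not code from the article, from Chromium or from Firefox. It uses Python's standard `punycode` codec (the bare RFC 3492 transform, without the normalisation a real IDNA resolver performs; the code only lowercases its input, which is enough to map the article's capital Ӏ U+04C0 to the small palochka U+04CF) and `unicodedata` character names as a stand-in for the Unicode Script property. The function names, the `CYRILLIC_LOOKALIKES` table, the sample hosts and the two `display_host` policies are constructed approximations of the rules the article describes, not the browsers' actual implementations.

```python
# Added example (not from the article, Chromium or Firefox): Punycode
# conversion plus two address-bar display heuristics modelled on the rules
# the article describes. Names, tables and sample hosts are constructed.
import unicodedata

# Lowercase Cyrillic letters whose glyphs are visually identical to Latin
# letters in common fonts. Constructed for this example; a browser's
# whole-script-confusable table is larger than this.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
}


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character from its name
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'); digits and '-' are Common."""
    if ch in "-0123456789":
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split()[0] if name else "Unknown"


def label_to_ascii(label: str) -> str:
    """A-label form of one host label: 'xn--' plus RFC 3492 Punycode.
    Python's 'punycode' codec is the bare Bootstring transform; full IDNA
    processing would also normalise the label first (not done here)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_punycode(host: str) -> str:
    """Whole host name in ASCII form (lowercased, as IDNA case-mapping would)."""
    return ".".join(label_to_ascii(lbl) for lbl in host.lower().split("."))


def is_mixed_script(label: str) -> bool:
    """Chrome 51 / Firefox 22 style check: more than one script in a label."""
    return len({script_of(c) for c in label} - {"Common"}) > 1


def latin_skeleton(label: str) -> str:
    """What the label reads as once every Cyrillic look-alike is taken as Latin."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def is_whole_script_confusable(label: str) -> bool:
    """True when every letter is a Cyrillic look-alike: the label is
    single-script (so is_mixed_script passes it) yet reads as an ASCII name."""
    letters = [c for c in label if script_of(c) != "Common"]
    return bool(letters) and all(c in CYRILLIC_LOOKALIKES for c in letters)


def display_host(host: str, policy: str = "strict") -> str:
    """Decide what an address bar shows for each label of `host`.
    policy='mixed'  : Punycode only for mixed-script labels (pre-58 rule)
    policy='strict' : also Punycode for whole-script confusable labels
                      (approximation of the rule described for Chrome 58)"""
    shown = []
    for label in host.lower().split("."):
        suspicious = is_mixed_script(label)
        if policy == "strict":
            suspicious = suspicious or is_whole_script_confusable(label)
        shown.append(label_to_ascii(label) if suspicious else label)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hosts: the article's all-Cyrillic demo domain (with
    # U+04CF palochka standing in for 'l'), the mixed-script variant, a CJK
    # label, and a legitimate Russian name that the strict rule also demotes.
    samples = [
        "\u0430\u0440\u0440\u04cf\u0435.com",   # аррӏе.com
        "\u0430pple.com",                        # аpple.com
        "\u77ed.co",                             # 短.co
        "\u0441\u0430\u0445\u0430\u0440.com",    # сахар.com
    ]
    for host in samples:
        print(f"{host:14} punycode={to_punycode(host):20} "
              f"mixed-rule={display_host(host, 'mixed'):20} "
              f"strict-rule={display_host(host, 'strict')}")
```

Running it prints, for each sample host, its Punycode form and what each policy would show. The mixed-script policy demotes аpple.com to xn--pple-43d.com but leaves аррӏе.com in Unicode, which is exactly the gap the article describes; the strict policy demotes аррӏе.com to xn--80ak6aa92e.com and, as a side effect, also сахар.com to xn--80aa2cbv.com, the cost to legitimate Cyrillic names that the article notes.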

As for the same patch for Firefox, the situation remains unclear: the corresponding Bugzilla ticket was initially closed as WONTFIX, but it has now been reopened. So there is hope that a patch will be released there too.

Firefox users can only work around the problem: in about:config, set network.IDN_show_punycode to true. Firefox will then show all international (IDN) domains as Punycode. Not very elegant, but there is no other option.

Another way to avoid some of the problems is to use a password manager. It will not fill a saved password into a site whose Punycode address differs from the saved one. So at the very least you will notice that the saved password is not being entered into the form on the phishing site, and you can suspect that something is wrong.

In general, be careful with links published on web pages or in e-mail messages. There is no protection there, and the addresses of phishing sites may look exactly like the real ones.

Source: https://habr.com/ru/post/357322/
