
Is it not possible for Chrome and Firefox to protect against this > https://www.аррӏе.com/

Navigating to that above (fake) apple website using Firefox 59.0.2 doesn't actually take me to the apple website, but it still says apple[dot]com in my web browser...

References:

https://www.xudongz.com/blog/2017/idn-phishing/

https://thehackernews.com/2017/04/unicode-Punycode-phishing-attack.html

https://en.wikipedia.org/wiki/IDN_homograph_attack

user175686
  • It's simply a trade-off between security and usability. We have already discussed how browsers try to prevent these attacks and possible defense measures here: https://security.stackexchange.com/questions/182680/how-to-defend-against-homograph-attacks/ – Arminius Apr 14 '18 at 00:22
  • If I recall, Chrome/Chromium has some resistance, and Firefox is still vulnerable. – forest Apr 14 '18 at 00:31
  • In Chrome, that URL appears as `https://www.xn--80ak6aa92e.com/` both when I mouse over it and in the URL bar when I go to it. – Neil Smithline Apr 14 '18 at 00:45
  • In Firefox, it only does that if you set `network.IDN_show_punycode` to `true`. – forest Apr 14 '18 at 01:03
  • Firefox shows punycode in the bottom left on mouseover, but shows UTF-8 in the URL bar. The "l" is clearly not an l due to the font Firefox is using, though. – AndrolGenhald Apr 14 '18 at 01:28
  • @AndrolGenhald If I recall, a web page can spoof the bottom left mouseover bar, as Google for example does. It cannot be relied upon. See for example [this answer](https://security.stackexchange.com/a/152896/165253). – forest Apr 14 '18 at 02:31
  • @forest I'd forgotten about that, thanks for pointing that out. – AndrolGenhald Apr 14 '18 at 02:56

1 Answer

No, humans are vulnerable to the homograph attack; browsers are unaffected.

Chrome has a partial work-around that offers a false sense of security to those who buy the hype.

In the general case of the attack both domain names are IDN and the user can't be expected to differentiate between two different random-looking strings of ASCII characters.

Jasen
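As an added example (not code from the question, the answer, or any browser), here is a small Python check of the kind a mail or URL filter can run where the answer says a human cannot: it converts the host to the `xn--` punycode form the comments mention, flags a label that mixes scripts or whose letters are all Cyrillic look-alikes of Latin letters (the case of the `аррӏе` URL above), and compares a confusable "skeleton" of the host against a constructed list of protected brand domains. The confusables table is a hand-picked subset of UTS #39 and scripts are inferred from Unicode character names; both are simplifications, as is using NFC + lowercase in place of full IDNA mapping.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of the Unicode confusables list (UTS #39): Cyrillic
# letters that render like Latin letters in common UI fonts. Not exhaustive.
CYRILLIC_TO_LATIN = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x",
    "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s", "ԁ": "d", "ԛ": "q", "ԝ": "w",
    "һ": "h",
}

def to_ascii_host(host):
    """A-label form: every non-ASCII label becomes 'xn--' + punycode.
    NFC + lowercase stands in for full IDNA mapping (a simplification)."""
    host = unicodedata.normalize("NFC", host).lower().rstrip(".")
    return ".".join(
        lab if lab.isascii() else "xn--" + lab.encode("punycode").decode("ascii")
        for lab in host.split("."))

def script_of(ch):
    """Coarse script from the character name (stdlib has no Script property)."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def skeleton(label):
    """Replace confusable Cyrillic letters with the Latin letters they mimic."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)

def assess(url, protected):
    """What a defensive URL filter wants to know about a host: its punycode
    form, mixed-script / whole-script-confusable labels, and which protected
    domain (if any) it is a look-alike of."""
    host = unicodedata.normalize("NFC", urlsplit(url).hostname or "").lower()
    report = {"host": host, "ascii": to_ascii_host(host), "flags": []}
    for label in host.split("."):
        if label.isascii():
            continue
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            report["flags"].append("mixed-script:" + label)
        elif all(c in CYRILLIC_TO_LATIN for c in label if not c.isascii()):
            report["flags"].append("whole-script-confusable:" + label)
    skel = ".".join(skeleton(label) for label in host.split("."))
    if skel != host:
        for domain in protected:
            if skel == domain or skel.endswith("." + domain):
                report["lookalike_of"] = domain
    return report

if __name__ == "__main__":
    print(assess("https://www.аррӏе.com/", {"apple.com"}))
```

For the URL from the question the report carries `www.xn--80ak6aa92e.com`, a whole-script-confusable flag, and `apple.com` as the look-alike target; a genuine `www.apple.com` produces no flags.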