Can your browser tell the difference between apple.com and apple.com?

Posted by MichaelStrelitz 6 months ago

Categories: General

IMPORTANT CHECK: How does your browser interpret Punycode?

The programmers who designed the Internet originally only had the Latin alphabet to deal with. When languages with other characters and alphabets needed to be incorporated, they developed Punycode, a way of writing Unicode characters using only the ASCII letters, digits and hyphens that domain names allow.

Because of the way in which some popular browsers, including Firefox and Chrome, interpret Punycode, they have a vulnerability that makes phishing attacks easier. They allow a Punycode address to be displayed so that it is indistinguishable from the address of a legitimate and popular site. This allows attackers to create a false website with an address that looks correct.

The problem arises because similar characters are hard to distinguish from each other. While a Cyrillic small letter “a” (Unicode character U+0430) is different from a Latin small letter “a” (U+0061), in a vulnerable browser they look the same when the Punycode is interpreted.

What to do:

There is an easy check as to how your browser interprets Punycode. A test page has been set up. Copy and paste the following into your browser:

https://www.xn--80ak6aa92e.com

If you see the URL https://apple.com in your browser, you are vulnerable to attack.

Visually, the two domains are indistinguishable due to the font used. As a result, it is impossible to identify the fraudulent apple.com site from the true one without carefully inspecting the site’s URL or SSL certificate. This is known as a homograph spoofing attack.

The act of taking advantage of this vulnerability is known as an internationalised domain name (IDN) homograph attack – or more simply as a homograph spoofing attack.
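As an added example, not part of the original post, the Python below decodes the test domain above and applies a simplified version of the display rule browsers later adopted: keep the Punycode visible whenever a label mixes scripts or consists entirely of Cyrillic letters that look like Latin ones. The look-alike table is a small constructed subset of Unicode's confusables list, assumed for this example.

```python
import unicodedata

# Constructed subset of the Unicode confusables table: Cyrillic letters that
# render like Latin letters in common fonts. Not exhaustive; an assumption here.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u0455": "s", "\u04bb": "h",
}

def decode_label(label):
    """Turn an ACE label such as 'xn--80ak6aa92e' into the Unicode it stands for."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace(label):
    """Inverse of decode_label: re-encode a non-ASCII label as 'xn--' Punycode."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts_in(label):
    """Set of Unicode scripts used by the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def lookalike_of(label):
    """If every letter is a Cyrillic look-alike, return the Latin string it imitates."""
    letters = [ch for ch in label if ch.isalpha()]
    if letters and all(ch in CYRILLIC_TO_LATIN for ch in letters):
        return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in label)
    return None

def display_form(hostname):
    """Decide, label by label, what the address bar should show.
    Suspicious labels (mixed scripts, or all Latin look-alikes) stay as Punycode."""
    shown = []
    for label in hostname.split("."):
        uni = decode_label(label)
        suspicious = len(scripts_in(uni)) > 1 or lookalike_of(uni) is not None
        shown.append(to_ace(uni) if suspicious else uni)
    return ".".join(shown)

if __name__ == "__main__":
    test = "www.xn--80ak6aa92e.com"      # the test domain from the post
    print(decode_label("xn--80ak6aa92e"), "looks like", lookalike_of(decode_label("xn--80ak6aa92e")))
    print("safe display:", display_form(test))
```

The decoded label is five Cyrillic letters, so a vulnerable browser renders it as "apple" while the policy above keeps "xn--80ak6aa92e" visible; a genuine Cyrillic name such as пример.com is still shown in Unicode because its letters are not all Latin look-alikes.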

Until this bug has been fixed (and it could take many months) Firefox users can display the underlying Punycode and thus limit their exposure (Chrome users will have to wait some weeks for a fix).

Type about:config in the address bar of your browser. You will get a warning “Here be dragons”. If you press “I accept the risk” you will be presented with a long list of settings. Scroll down to network.IDN_show_punycode. Double-click on it and it should change from false to true. Close, and run the test above again.

If you are unhappy or do not feel confident to carry out the above procedure, phone us at DataSafe and we will do it for you (no charge).
