Using Unicode for Homograph Attacks



  • https://www.xudongz.com/blog/2017/idn-phishing/

    This is a really interesting one and should be paid attention to. Using Unicode encoding, it is possible to make links that look just like other links but use homographs, letters that look the same between different alphabets, in order to disguise that two domains don't really have the same name. This is a shortcoming in the DNS system, or at least in domain registrations, because what is displayed to humans is indistinguishable but represents different letters. It makes it nearly trivial to make it impossible to prove that a website is really the right website as there is no mechanism, short of human vision, to validate it.



  • @mlnews said in Using Unicode for Homograph Attacks:

    It makes it nearly trivial to make it impossible to prove that a website is really the right website as there is no mechanism, short of human vision, to validate it.

    I disagree with that.

    A simple switch on the web browser config can force strict ASCII decoding and evidence the homography issue.

    The feature it's already in place and should be the default from now on.



  • new Chrome has patch for this already.



Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.