Tuesday 18 April 2017

Punycode phishing alert for Google Chrome / Firefox and the fix

What's Punycode? 

Internet host names are limited to ASCII characters, so an RFC introduced Punycode, an encoding that represents Unicode characters with ASCII codes, to work around that limitation and allow Unicode characters in domain names. Although many people have never heard of this feature, most modern web browsers already support it, so the decoded Unicode characters appear in the address bar. It's easy to imagine what can happen if this feature is used for bad purposes: phishing.

Test
Click this link: https://www.xn--e1awd7f.com/ (don't worry, it's a harmless site that helps you test your browser). If it takes you to a site whose address bar looks like 'https://www.epic.com', your browser is vulnerable to the attack. As you may already have guessed, the characters in the address bar are not ASCII but non-English Unicode characters that look similar to ASCII ones. The following screenshot is from my Chrome, which was not ready to detect the situation (vulnerable).


Fix/Workaround 
Firefox has a setting to disable decoding of Punycode characters. 
  1. Type about:config in the address bar and press Enter.
  2. Type Punycode in the search bar.
  3. The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
Google Chrome has no such setting yet (as of 18 Apr 2017), but luckily there is an extension to help you: Punycode Alert (https://chrome.google.com/webstore/detail/punycode-alert/djghjigfghekidjibckjmhbhhjeomlda). With this extension installed, you get an alert when you visit a Punycoded site like that. It's not perfect, as it doesn't block you from visiting phishing sites, but it's a million times safer than using nothing, until Google releases a new Chrome version that deals with this. This is what appears when you visit the test site with the extension turned on.
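To show what the browser and the extension are doing under the hood, here is an added example (my own code, not part of the post or the Punycode Alert extension) that decodes the xn-- labels of a hostname the way the address bar does and flags labels whose letters are all Latin look-alikes or mix scripts. The set of look-alike Cyrillic letters is a small hand-picked assumption, not the full Unicode confusables table.

```python
"""Decode Punycode (xn--) host labels and flag Latin look-alike labels."""
import unicodedata
from urllib.parse import urlsplit

# Hand-picked subset of Cyrillic letters that render like Latin a e i o p c y x j.
# This is an assumption for the example, not the full Unicode confusables table.
LATIN_LOOKALIKES = set("\u0430\u0435\u0456\u043e\u0440\u0441\u0443\u0445\u0458")


def script_of(ch):
    """Script taken from the Unicode character name: 'LATIN', 'CYRILLIC', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def decode_host(host):
    """Turn xn-- labels back into Unicode, the way a browser address bar does."""
    return host.encode("ascii").decode("idna")


def inspect_label(label):
    """Return (decoded_label, verdict) for one label of a hostname."""
    if not label.startswith("xn--"):
        return label, "ascii"
    decoded = decode_host(label)
    letters = [c for c in decoded if c.isalpha()]
    scripts = {script_of(c) for c in letters}
    if len(scripts) > 1:
        return decoded, "mixed-script"      # e.g. Latin and Cyrillic in one label
    if letters and all(c in LATIN_LOOKALIKES for c in letters):
        return decoded, "latin-lookalike"   # whole label is confusable with ASCII
    return decoded, "idn"                   # ordinary IDN such as muenchen with u-umlaut


def check_url(url):
    """Inspect every label of the URL's hostname: list of (label, decoded, verdict)."""
    host = urlsplit(url).hostname or ""
    return [(label, *inspect_label(label)) for label in host.split(".")]


def is_suspicious(url):
    """True when any label looks like a homograph of an ASCII name."""
    return any(v in ("mixed-script", "latin-lookalike") for _, _, v in check_url(url))


if __name__ == "__main__":
    for u in ("https://www.xn--e1awd7f.com/",   # the post's test link
              "https://www.epic.com/",
              "https://xn--mnchen-3ya.de/"):     # legitimate IDN, not flagged
        print(u, "SUSPICIOUS" if is_suspicious(u) else "ok", check_url(u))
```

The post's test link decodes to a label made entirely of Cyrillic letters, which is exactly the case the look-alike check catches, while a real IDN such as the German city name passes.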

