Slashdot Mirror
Chrome 59 To Address Punycode Phishing Attack
Google says it will be rolling out a patch to Chrome in v59 to address a decade-old unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.
Horrible summary... Punycode is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.
The original source explains it better: https://www.xudongz.com/blog/2...
The article mentions an upcoming patch twice, but is silent on what it does.
Note this problem was widely predicted at the time that non-ASCII characters were first allowed in domain names.
Not to say they should not be, just that people thought of it at the time of the change, so it is not anything new or unexpected.
In Firefox / about:config set: network.IDN_show_punycode;true
Appears the PoC dns name has been blacklisted? Maybe lawyers sent some nasty notice?
NX domain and the SSL cert was showing as valid but now does not.
Of course registering any of the other domains would work too.
Of course it's horrible. Engadget just recycles news from other more technical sites. There is also a factual error. The issue will be addressed in Chrome 58. It was already addressed in Chrome Canary 59.
Joke in subject, this is just filler.
The original post notes that "In Chrome and Firefox, the Unicode form will be hidden if a domain label contains characters from multiple different languages."
It seems to me that a better solution would be to simply display the unicode version only if it contains only characters in the language that the browser is running in (such as the LANG setting on POSIX systems)... especially if the purpose of punycode is to allow domains that "render in their local language."
Admittedly, that fails to protect Cyrillic systems from the domain used as an example, but it does limit the scope of the problem.
countries with non-traditional alphabets
Say what now? Non-traditional? How about simply "languages with non-latin scripts"! And even that description isn't completely accurate as there are plenty of languages written using variants of latin scripts that could benefit from punycode (Spanish, French, German, Scandinavian languages, quite a few Slavic languages, Vietnamese, and I'm probably forgetting a lot).
I usually don't care about this sort of things but this time I'll bite: there are about 6.5+ billion people on this planet that use "non-traditional alphabets". It's about time whoever wrote the FA at Engadget learns a little bit about the rest of the world.
The parent comment should be modded up. It may not be "politically correct" from a leftist's perspective, but it is very relevant to this discussion.
For a lot of people, internationalization and localization really is more of a risk than a benefit.
I'm fluent in three languages, so I can appreciate the need for internationalization and localization for those who need it. Nobody is saying internationalization and localization shouldn't be supported. What we're saying is that it should be trivial to disable them when they aren't needed.
For example, I don't know Chinese, and I don't expect to ever learn it. The same goes for Arabic, Korean, Japanese, and the various languages of India that don't use Latin or Latin-like alphabets. I would love to be able to disable these languages in my browser, or at least be given a warning before they're used. Since I don't understand them, there's no legitimate reason for me to ever see content in them, at least not without a warning.
I'd like to take it a step beyond that. I'd like it if my browser could automatically block all content hosted at TLDs or IP addresses associated with third-world ("developing", for the politically correct crowd) nations. After decades of Internet use, I have never had any reason to view content hosted in China, or India, or any African nation. And if I ever did have a legitimate reason to access content from such areas, I would prefer to opt in to viewing it.
Disabling text and content from these third-world places wouldn't just make my browsing experience more enjoyable, it would also make it safer. I'd lose out on very little by disabling internationalization and localization, and I'd actually gain a whole lot.
My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?
Some drink at the fountain of knowledge. Others just gargle.
tries to accommodate every culture until its own gets lost in the noise
Which culture is it that's getting "lost in the noise"? The one we brought from Europe? The Native one we stepped on in the process? The African one we kidnapped to pick our cotton? The Chinese one that came to build our railroads? Or one of the hundreds of other cultures that have been coming in to our country since its inception?
We are a nation of immigrants. Unless you are full blood Native you don't have to go back more than a handful of generations to find a foreign parent.
The US somehow feels like it must apologize for even the most feeble effort at border patrols
This one I agree with you on. All of the "I'm moving to Canada" people would be in for a hell of a shock when they got the border and were promptly (but probably politely) told to piss off.
Rome lasted for 1500 years or more
xudongz.com
You expect me to click on that?
Are you trying to use Rome as a counterexample? If so, it's one of the worst you could have chosen. Rome wasn't multicultural. It was the opposite: conquered cultures were usually Romanized within a single generation. That's why Romance languages are still spoken across much of southern Europe even today, from Portugal to Romania. Rome was one unified culture, as much as was possible for such a large state. Roman culture didn't accommodate foreign cultures; foreign cultures changed to become Roman.
An easy phishing exploit, left untouched for ten years.
Does Google not bother hiring black hats to check for this kind of stuff? It's obvious their white-hats have no BOFH credentials.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
so, people expecting a non-latin-script domain name will then see punycode. I rather doubt that many people can translate punycode in their head, and many will not detect minor variations in the punycode from what they expect. Punycode was never intended to be shown to humans. Fixing it to always display punycode will give us a new (different) set of problems.
What? If an American shows up at the Canadian border with a passport and clean record, they're getting in without hassle.
Unless the border agent asks, "are you moving here?" Same if I wanted to drive over to the US right now.
tries to accommodate every culture until its own gets lost in the noise
Which culture is it that's getting "lost in the noise"? The one we brought from Europe? The Native one we stepped on in the process? The African one we kidnapped to pick our cotton? The Chinese one that came to build our railroads?
Or one of the hundreds of other cultures that have been coming in to our country since its inception?
We are a nation of immigrants. Unless you are full blood Native you don't have to go back more than a handful of generations to find a foreign parent.
The US somehow feels like it must apologize for even the most feeble effort at border patrols
This one I agree with you on. All of the "I'm moving to Canada" people would be in for a hell of a shock when they got the border and were promptly (but probably politely) told to piss off.
The "Native" Americans migrated here as well, in several waves. They juts did it 10-20 thousand years before it was cool.
This is a crap solution, between computers and phones there are 9 devices in my home, I'm not going to babysit a hosts file on them all. I don't think my wife's iPhone lets you touch the host file at all. Way easier to run a Pihole and set it as the DNS server on everything.
It will get a fix in Chrome 59, not 59. There's already a fix in Chrome Canary 59. But the stable branch will get it by the end of the month.
APK Hosts File Engine 9.0++ SR-7 32/64-bit
Or as it's now known, "ETERNALBLUE"
The parent comment should be modded up. It may not be "politically correct" from a leftist's perspective, but it is very relevant to this discussion.
Damn, it's completely obvious what a racist tirade against multicuturalism has to do with a zero day involving a Unicode exploit. The next time a cow shits, is that going to be taken as an example of the failings of multiculturalism?
I'm fluent in three languages, so I can appreciate the need for internationalization and localization for those who need it. Nobody is saying internationalization and localization shouldn't be supported. What we're saying is that it should be trivial to disable them when they aren't needed.
No, your parent CLEARLY states, and I quote, "Let's not do the same thing with browsers please.", in an implied response to supporting multiple languages. So not only is your position ridiculous for someone who supposedly knows three languages, a violation of your parent's claims, you didn't even bother to read his fucking message.
For example, I don't know Chinese, and I don't expect to ever learn it. The same goes for Arabic, Korean, Japanese, and the various languages of India that don't use Latin or Latin-like alphabets. I would love to be able to disable these languages in my browser, or at least be given a warning before they're used. Since I don't understand them, there's no legitimate reason for me to ever see content in them, at least not without a warning.
For what benefit? Why should the browser designers add in a layer to check for foreign localization, and store a setting, when the only possible impact is you seeing characters you don't understand? The end result is the same anyway - you'll get an effectively useless webpage. Do you not want to see Chinese characters because they'll steal your job and take your kids or what??? You're proposing a solution that just adds work for everyone else all so you don't have to see scary foreign characters, and it wouldn't even work at all for languages like French or German that use the same character set.
I'd like to take it a step beyond that. I'd like it if my browser could automatically block all content hosted at TLDs or IP addresses associated with third-world ("developing", for the politically correct crowd) nations. After decades of Internet use, I have never had any reason to view content hosted in China, or India, or any African nation. And if I ever did have a legitimate reason to access content from such areas, I would prefer to opt in to viewing it.
Alright. We are going to maintain an international IP address, which apparently we are supposed to update on our own time, to isolate you from the non-specified dangers of China, which means you will no longer be able to use any Amazon or Google instance located their. Oh, and I expect you think this should all be done by somebody else too. You are one of the most childishly self-centered assholes on this page, and a racist one at that (and yes, not wanting to see an African webpage because they're black is racist, and you are on the same level as a white southerner in the 1800's, citing the very same intelligent points - which is to say, none at all).
Disabling text and content from these third-world places wouldn't just make my browsing experience more enjoyable, it would also make it safer. I'd lose out on very little by disabling internationalization and localization, and I'd actually gain a whole lot.
You would gain absolutely nothing. We as a community, however, would gain tremendously, because now we can simply post a Chinese character and we will never again have to worry about you wandering in here.
"Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
IMHO it's the problem with .com domain policy – no top level domain should allow the use of different scripts/alphabets. Countries using cyrillic don't allow using cyrillic IDN domains under .ru and .bg for example, there are . and . for that. In the same way .com should allow ASCII only. Yes, there is theoretically homographs problem with top level domains as well, but it is realistically controllable.
Is there a reason you don't have your own website for this, or at least put it on GitHub, instead of incessantly spamming links through Google? Everything about you and your program screams "SHADY" at high volume.
zero day involving a Unicode exploit.
Zero day? Hardly! The concept of a homograph attack against internationalized domain names was identified way back in 2001, but should have been incredibly obvious to anyone working on IDN development from the very beginning in the 1990s. The trouble was that there was an immense push to implement *something* to make it so that people could type in web addresses in their own languages, and considerations on how homographs could screw things up for unsuspecting users--including the non-Latin-character users the plans wanted to assist--was just not on their radar.
The people doing the intense early work on IDN were mostly not in North America: the biggest centers were Singapore and Switzerland. They were entirely too blind to the mischief that homographs could pose. They absolutely should have worked on mitigation strategies against the inevitable fraud and deception that IDN homographs would pose before putting it out for all the world to use.
The implementation vehicle for IDN, Punycode, is not the culprit that TFA seems to paint it to be. Punycode is nothing but an encoding that allows the representation of Unicode codepoints in a representation that is still straight-up ASCII to retain compatibility with the Domain Name System. What was the problem, though, was pushing it all out as an internet standard before a solid mitigation strategy could be put into place. There should have been a well-known and pretty well universal way to signal to unsuspecting users that a domain name might contain characters from multiple Unicode blocks with the potential for deceiving users.
All of this should come off as a lesson to people who want to implement things in entirely too much haste. Alas, ICANN is a loose cannon.
Avtually Romans incorporated culture from occupied territories. It's for example why they had so many different gods and religions.
My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?
Probably about 3 months. Beta is the next version, Dev is weekly build, Canary is nightly build. Stable releases are every 6 weeks.
https://www.chromium.org/getti...
Seek xn--p1ai in https://hosts-file.net/psh.txt & see Malwarebytes stop punycode phish w/ APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/
Ads/script/malware rob speed/security/privacy
Hosts add speed (by hardcodes/adblocks), security (vs. bad sites/malware/poisoned dns), reliability (vs. dns down), & anonymity (vs. dns requestlogs/trackers).
Less power/cpu/ram + IO vs. DNS/routers/addons/antivirus + less security bugs/complexity & faster vs. addons/routers/remote dns!
Avoids DNSChangers in routers/IP settings & dns redirects (99.999% ISP DNS != patched vs. it) + lightens DNS load & resolve faster from local system RAM!
* Via what u NATIVELY have in the IP stack in FASTER kernelmode!
APK
P.S. - Safe https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/
Move dumbphones off faulty routers (loaded w/ bugs shown below partially only by 100's) they're unprotected: Hosts stop it on endpoints in good layered security/defense in depth security pros agree w/ me on https://tech.slashdot.org/comm... & router perimeter only single point of exploit fail are loaded w/ security bugs galore https://it.slashdot.org/commen... & NOT good layered security/defense in depth alone.
DNS = another SINGLE point of fail loaded w/ security & inefficiency issues too (partial again only, there are FAR more) https://news.slashdot.org/comm...
* NOTICE YOU HAD TO "DOWNMOD HIDE" THIS LAST TIME I POSTED IT UNIDENTIFIABLE BULLSHITTER TROLL lol https://tech.slashdot.org/comm... hahaha!
APK
P.S.=> Securing 'smartphones' (dumbphones full of exploits) = ez 4 rooted droids/iphones via ADB pull command & SSH respectively... apk
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
I've never tried to belittle (APK's) work, I've flat out said it's good by BronsCon
take a look at the APK hosts file engine by SuperKendall
APK is kinda right. I've tried his hosts file generating software. It works by bmo
I like your host file system by Karmashock
I find your hosts file admirable by vel-ex-tech
* My code's liked + recommended & hosted by Malwarebytes' hpHosts!
APK
P.S.=> See subject: It's no SMB1/2/3 (nothing to do w/ those) NSA malware either ala https://isc.sans.edu/forums/di...
See subject: Google made a huge mistake in "OpenSORES" via Chrome EFast (a doppleganger malware from Chrome code) & THAT is largely why I don't opensource my ware (I won't have that on MY conscience but JOOGLE does).
* Why should I have my own site when Malwarebytes' hpHosts (highly esteemed) HOSTS + RECOMMENDS my ware (& Mr. Burn is a highly competent webmaster)? No need for it!
APK
P.S.=> Plus, I am a FIRM believer that coders should do their OWN code/work, otherwise, they're plagiarists & aren't 'sharpening their own sword' copying others work (stealing it imo)... apk
Joogle hides truth above here & @ InfoWars cutting off ad gold https://www.youtube.com/watch?... but JOOGLE allows violent jihadist videos to get ad GOLD + JOOgle infects users w/ their ads https://blog.malwarebytes.org/...
Joogle hides truth above here & @ InfoWars cutting off ad gold https://www.youtube.com/watch?... but JOOGLE allows violent jihadist videos to get ad GOLD + JOOgle infects users w/ their ads https://blog.malwarebytes.org/... + their execs like heroin https://www.google.com/?gws_rd...
Joogle hides truth above here & @ InfoWars cutting off ad gold https://www.youtube.com/watch?... but JOOGLE allows violent jihadist videos to get ad GOLD + JOOgle infects users w/ their ads https://blog.malwarebytes.org/... + their execs like heroin https://www.google.com/?gws_rd...
Your points would be valid if you even pretend to acknowledge why he desires those behaviors....
There is no way to prove what we observe and it's starting to really piss people off.
What if perhaps some of this has some truth to it? What if it's obvious to us that only websites from China/Russia/Iran/Africa are attacking us more than helping us? I don't find myself reading any of their content, finding zero benefit from it, yet I have to PRETEND that it's beneficial to not blacklist those into oblivion?
Sites I've read in Chinese: 0
Chinese sites that have served malware to me: hundreds of thousands.
I totally get the idea that stereotyping is wrong but that's at the first stages of getting to know someone. But if after awhile the REAL perception ends up looking like a stereotype it's now impossible to hold that belief.
We need a way to resolve the ambiguity of the decision... "No sir I am not stereotyping you, I have now known you for many years and have observed enough of your bullshit that it's no longer a stereotype, but reality".
How do I say that? How do I say that I've given you many chances and been kind to you for many years only to finally realize you ARE all the stereotypes I heard about? In the most respectful and politically correct way.
In March, Microsoft patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE - http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/ showing how dumb UNIDENTIFIABLE LIAR "ne'er-do-wells" like you truly are...
APK
P.S.=> Unbelievable incompetence as always on your part - you can't even get your LIBEL right... apk
Outlook Mail Client and Gmail is vulnerable as well. Our PoC and article: https://ciberseguridad.lamula.pe/2017/04/22/ataque-de-phishing-imperceptible-con-unicode-tambien-afecta-clientes-de-correo-electronico/delphins/