Slashdot Mirror
Chrome 59 To Address Punycode Phishing Attack
Google says it will be rolling out a patch to Chrome in v59 to address a decade-old unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.
Horrible summary... Punycode is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.
The original source explains it better: https://www.xudongz.com/blog/2...
In Firefox / about:config set: network.IDN_show_punycode;true
Of course it's horrible. Engadget just recycles news from other more technical sites. There is also a factual error. The issue will be addressed in Chrome 58. It was already addressed in Chrome Canary 59.
The original post notes that "In Chrome and Firefox, the Unicode form will be hidden if a domain label contains characters from multiple different languages."
It seems to me that a better solution would be to simply display the unicode version only if it contains only characters in the language that the browser is running in (such as the LANG setting on POSIX systems)... especially if the purpose of punycode is to allow domains that "render in their local language."
Admittedly, that fails to protect Cyrillic systems from the domain used as an example, but it does limit the scope of the problem.
countries with non-traditional alphabets
Say what now? Non-traditional? How about simply "languages with non-latin scripts"! And even that description isn't completely accurate as there are plenty of languages written using variants of latin scripts that could benefit from punycode (Spanish, French, German, Scandinavian languages, quite a few Slavic languages, Vietnamese, and I'm probably forgetting a lot).
I usually don't care about this sort of things but this time I'll bite: there are about 6.5+ billion people on this planet that use "non-traditional alphabets". It's about time whoever wrote the FA at Engadget learns a little bit about the rest of the world.
My mac tells me it's running version 57.___ and it is up to date. So how long do I have to wait for 59?
Some drink at the fountain of knowledge. Others just gargle.
The article mentions an upcoming patch twice, but is silent on what it does.
Apparently, though not listed explicitly, they will display the unicode version (Ex: www.xn--80ak6aa92e.com instead of www..com) for these edge cases - though I'm not sure how they're detecting them.
IMO, it's all stupid mistakes and fixes because it's only an issue because they're trying to make it so "easy to use" and transparent for the dumbest of folks, while making it more and more complex to actually find the real info. For example, you used to be able to click the padlock icon next to the URL if it was an SSL domain, and that'd pop up security and cert info on Chrome. Now, you can't do that... you have to go into developer tools, then expand the tabs (security tab is often outside the window, because they moved the developer console to split the screen vertically instead of horizontally) to find security tab, then get the cert info there.
All domains should have a very very easy way to see both versions (the unicode/punycode version, and the localized version). Some options: ... or vice-versa: Eg. [lock icon] Secure | [www..com] https://www.xn--80ak6aa92e.com...
* right click on the domain, include both in that menu
* mouse over the domain, show alt version in the status bar (bring back the status bar!)
* mouse over the domain, include alt version in mousever text
* include both on the location bar (one in parenthesis). Eg. [lock icon] Secure | [www.xn--80ak6aa92e.com] https://www./.com/
*
* add a little colored (red?) icon next to the name if punycode is in use. Mouseover on it would display info saying what that did. Clicking it would remove/add the decoding. IE: display the decoded localized characters by default; click the red dot to display the punycode; click again to go back to localized; set a preference from the right click menu on the red dot.
This isn't something that can be definitively solved programmaticly. It's still a case of tricking users. Just give the users the info they need so they can make a fair decision. The real DNS name is the fully encoded one (ex. xn--80ak6aa92e.com), not the one decoded from that, so please make that readily available to the user. IMO, displaying the localized text should be an added feature, not the primary display.