Slashdot Mirror


Google Chrome To Get Warnings For 'Lookalike URLs' (zdnet.com)

The Google Chrome browser is set to add a feature that will warn users when they access sites with domain names that look like those of authentic websites. From a report: The feature has been in the works at Google for quite some time and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users onto websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions.

40 comments

  1. If only there was a way to prevent this by Anonymous Coward · · Score: 4, Insightful

    Oh, but that would mean ICANN would make less money.

  2. But the by AHuxley · · Score: 1

    approved ads will always be accepted.

    --
    Domestic spying is now "Benign Information Gathering"

  3. A much better solution was removed from Chrome by ffkom · · Score: 3, Insightful

    This much better solution was Public Key Pinning. Works great, but is of course not loved by the advertisement industry who wants you to watch content from constantly changing crappy domains.

    1. Re:A much better solution was removed from Chrome by Kvan · · Score: 4, Interesting

      How does PKP help against a typosquatter? These attacks are not on the same domain, but using one that looks the same due to UTF homographs or superficial similarity such as keming issues.

      --

      "A *person* is smart. People are dumb, panicky, dangerous animals and you know it."
      - 'K' in Men in Black.

    2. Re:A much better solution was removed from Chrome by ffkom · · Score: 1

      Of course it cannot help against a person typing in a domain name manually for the very first time and misspelling the name at that time. But seriously, that is a rare scenario. The much more common fraudster approach is to lure people into following links to intentionally misspelled domain names, and there PKP helps a lot, because the browser can signal you whether you are on a page that you previously pinned the key for, and you will be warned if a page that you never visited before asks you for credentials.

      Plus PKP can defend you against other types of scams, where the real domain name is used, but a fake DNS server or even a man-in-the-middle proxy tries to break your end-to-end encryption.

    3. Re:A much better solution was removed from Chrome by Anonymous Coward · · Score: 0

      How does PKP help against a typosquatter?

      1. Check the user's history to see if there was a connection to a similarly named site in the past.

      2. If sites are found, check each one for a TLS session.

      3. If TLS sessions were used, check the current site to see if it uses TLS.
      3a. If TLS isn't used on the current site, display warning.
      3b. Otherwise check if the current site's TLS cert matches one from a previous session.
      3c. If no match, display warning.

      4. Validate TLS session. (CRL / OCSP check.)
      4a. If valid, display padlock.
      4b. Otherwise display warning.

      This method also prevents MITM attacks as long as the user has visited the site previously, and the cert in question is still valid. Of course someone will probably fuck this up just like everything else....

      What's being implemented is just going to annoy users and make them dismissive of it. Just like that "Connection may be monitored by a third party" permanent warning on Android that you get for the crime of installing your own CA cert. (Or your boss' cert.)

    4. Re:A much better solution was removed from Chrome by Anonymous Coward · · Score: 1

      HPKP was removed because it's hard to use correctly, impossible to recover if certain bad things happen, and therefore almost never deployed. It was not some grand conspiracy to do with advertisers. Using many changing domain names doesn't matter to HPKP, which was designed to prevent attacks on TLS certificates.

      Homograph attacks are different domains using visually identical Unicode characters to another legitimate domain to confuse users into thinking they are on the correct site. HPKP prevents attacks on TLS for the same domain. They are two completely different things.

    5. Re:A much better solution was removed from Chrome by Anonymous Coward · · Score: 0

      How can they detect typosquatting? Is this just a manually kept blacklist?

      Autodetection is nearly hopeless, because:
      * If two names are nearly equal, which one is real?
      * The web is multilingual; words in different languages can be similar and mean something completely different.
      * Many sites use made-up product names, with even more chance of matching some language somewhere.

      Get this wrong even once, and I'm out. I use languages other than English every day and can't be hampered by misunderstandings, especially those that will invariably be for the benefit of some English-language site.

  4. Of course... by Anonymous Coward · · Score: 0

    ...in order to check if you're visiting a lookalike URL, they'll need to know what you're actually visiting.

    Oh noes, privacy?

    Well, they already check what sites you are visiting, so don't worry, your privacy is already gone anyway.

    Firefox more privacy? You're naive.
    Source: https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct#w_how-does-phishing-and-malware-protection-work-in-firefox
    "Phishing and Malware Protection works by checking the sites that you visit against lists of [...]"

    Ubuntu better? Hah, yeah.
    Took them almost 4 years (October 2012-April 2016) to turn off the shopping lens that tracks user's queries.
    Mint better? Sure, buddy.
    Default search engine is a custom Yahoo search that tracks queries.

    Oh, Firefox saving screenshots to their server.
    Remember that recent article?

    You know the list goes on and on.
    For fun, look into "service workers".

  5. Start Dropping CA's that approve these URLs by FeelGood314 · · Score: 2

    This isn't so much a problem for English speakers. We see the URLs as the ASCII characters, but eventually ICANN decided to approve punycode https://en.wikipedia.org/wiki/... so we could have URLs in other character sets. The problem is that there are hundreds of character sets and many of these have characters that are visually difficult to distinguish. So now I can have two URLs that might actually be displayed identically in my browser but are actually different. I'm not 100% sure how this could have been avoided. It sucks for the non-English world. It could however have been mitigated if CAs checked for URLs that are visually similar to existing URLs and did not sign the certs for the new requests. With Certificate Transparency there is no excuse to not have a list of all valid signed URLs.

    1. Re:Start Dropping CA's that approve these URLs by Anonymous Coward · · Score: 0

      The solution to the punycode issue is with the browser makers.

      Make each browser session stick to a single character set. If you want to view two character sets in parallel, you shouldn't be able to do it in a different tab of the same session, but open a separate window to do it.

    2. Re:Start Dropping CA's that approve these URLs by Anonymous Coward · · Score: 0

      Easy. 180 country codes. Each country code allows only the symbols from that country's native language or languages.

    3. Re: Start Dropping CA's that approve these URLs by Anonymous Coward · · Score: 0

      It seems like the CA's job is certifying the connection is secure. That the party I am connecting to is not seems like something they can't know.

    4. Re: Start Dropping CA's that approve these URLs by Anonymous Coward · · Score: 0

      Wrong. The job of the CA is to certify that the entity in the certificate subject is who they say they are.
      You have been brainwashed by Let's Decrypt. Encryption means nothing if you don't know who you are talking to on the other end.

    5. Re: Start Dropping CA's that approve these URLs by Anonymous Coward · · Score: 0

      Wrong. You don't need certificates for encryption. The job of the certificate is to prove, by the authority of the issuer, that the data in the subject field is truthful and trustworthy.
      You can do encryption with DH key exchange all without certificates involved.

  6. Some offers are required by Anonymous Coward · · Score: 0

    At the unicode altar.

  7. Wonder who'll do the analysis by guruevi · · Score: 3, Insightful

    Soundex analysis is easy to do on modern CPUs, but it's convenient for them to use it as an excuse to send all URLs to Google for 'analysis'.

    On the other hand, I wonder in which direction it will steer if it finds two valid sites with competing viewpoints but with similar sounding names.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re: Wonder who'll do the analysis by houghi · · Score: 1

      Well, google will look at what side produces more revenue, so that will be the correct website.

      If it does not produce any revenue, it therefore must be a fake site.

      --
      Don't fight for your country, if your country does not fight for you.

  8. Didn't Microsoft do that? by 140Mandak262Jamuna · · Score: 2, Funny

    When you type in download chrome on the IE it prompts, "Did you mean Edge Browser download? Please please pretty please with a bow on try the Edge. If you search using Bing we will give you money too. And please give Cortana a chance. A chance that is all we beg for. "

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact

  9. Non-ASCII characters in hostname = Scam by Anonymous Coward · · Score: 0

    Likewise leading xn--. It's as simple as that.

  10. Awwww...! by dohzer · · Score: 1

    Does this mean the end of www.penisland.net ?

    1. Re:Awwww...! by Anonymous Coward · · Score: 0

      No, just penisiand.net

  11. levenshtein distance by Anonymous Coward · · Score: 0

    Isn't this just a simple matter of using the levenshtein distance algorithm (same one used in spell checkers)

    1. Re:levenshtein distance by Anonymous Coward · · Score: 0

      Who defines the baseline against which you measure?
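The Levenshtein check suggested here and the history/TLS steps sketched in the reply to comment 3 above, combined into one added example (my own code, not Chrome's implementation and not anything the commenters posted). The confusables table and the certificate fingerprints are constructed sample data, and the "engaged sites" list stands in for browser history.

```python
# Constructed subset of Unicode's confusables: characters that render like
# ASCII letters in common fonts (Cyrillic a/e/o/p/c/x/y, dotless i) plus the
# digit/letter pairs the thread complains about (0/o, 1/l).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0131": "i",
               "0": "o", "1": "l"}

def skeleton(host):
    """Lower-case, decode punycode (xn--) labels, map confusables to ASCII."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        out.append("".join(CONFUSABLES.get(ch, ch) for ch in label))
    return ".".join(out)

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike(host, engaged):
    """Site from history that `host` imitates (same skeleton = homograph, or
    one edit away = typosquat), or None."""
    engaged = [s.lower() for s in engaged]
    if host.lower() in engaged:
        return None  # exact match: this is the real site, not a lookalike
    sk = skeleton(host)
    for site in engaged:
        site_sk = skeleton(site)
        if sk == site_sk or edit_distance(sk, site_sk) == 1:
            return site
    return None

def check_navigation(host, cert_fp, engaged, pins):
    """History/TLS decision as sketched in the thread. `pins` maps a site in
    history to the cert fingerprint seen on its last TLS session (constructed)."""
    target = find_lookalike(host, engaged)
    if target is None:
        return "ok"
    if cert_fp is None:
        return f"warn: {host} looks like {target} and is not using TLS"
    if pins.get(target) == cert_fp:
        return "ok"  # same certificate as the site in history: same operator
    return f"warn: {host} looks like {target} but presents a different certificate"
```

The "who defines the baseline" objection still applies: the engaged list is that baseline, and a wrong entry in it turns a legitimate site into a false positive.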

  12. For all Geeks: StarTrek TOS Episode 26 quote by Anonymous Coward · · Score: 0

    See subject (great episode too) &: "In response to nuclear warhead placed in suborbit by other major power, United States today launching sub-orbital platform w/ MULTI-WARHEAD capacity - purpose: To maintain BALANCE OF POWER..." (in MY favor, lol & my warhead is my program for hosts that does MORE for FAR LESS vs. ANY single browser addon (easily detected & blocked by webmasters no less)) - StarTrek TOS "ASSIGNMENT EARTH"

    * That MULTI-WARHEAD capable system? Hey, you know:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

    Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)

    APK

    P.S.=> Ah, yes - it is GOOD to be KING (The "Lord of Hosts" so-to-speak)... apk

  13. WTF? by Anonymous Coward · · Score: 0

    Just as a hypothetical example: No, I don't want to go to "thesaxshop.com", I really am looking for porn and want to go to "thesexshop.com". That's going to be very irritating in a very short time. I really hope such absurdities can be disabled. It's bad enough putting up with that poxy "security" warning when I browse to an intranet site using http.

  14. Warning? by Mr_Silver · · Score: 1

    It's not much of a "warning".

    They are basically reusing the UI where you type in, say "myserver", Chrome takes you to a Google search for "myserver" but then puts a little bar underneath which says "Did you really mean http://myserver?"

    --
    Avantslash - View Slashdot cleanly on your mobile phone.

  15. Re:tool, bitch human router by Anonymous Coward · · Score: 0

    tool, bitch human router

    wet, wash, rinse, repeat

    Why is this not Modded UP?

  16. Orrrr... use a better font. by Anonymous Coward · · Score: 0

    Or, as the title says, use a better font and not some shit font designed by a retard.
    Any fonts with (exact!) similar looking letters are all retarded. Every single one of them. Doesn't matter if it was pre- or post-computing, all of them suck.
    Doesn't matter if it is Latin fonts or Asian fonts. It holds universally.
    They need to be wiped from society for the pieces of shit they are. They cause nothing but issues. Everywhere.
    That goes for Os, os and 0s especially, some of the worst for similarity in fonts. In fact, you could even throw the degree symbol in there for some fonts! Disastrous!

    Unicode abuses are a huge issue because the Unicode consortium are even more retarded. They've taken this to extremes.
    Majority of the unique instances of glyphs are the exact same fucking thing with a different name. Exact same behaviours, same looks, different name because LOL reasons.
    Fuck off. Worst thing to happen to fonts.
    Here's a better solution, ban mixed fonts entirely unless there is an explicit container for them to separate them semantically. This can then be styled visually in programs, websites or whatever else.
    Automatically prevents abuse when you see a HUGE visual indicator of different glyph sets being used.
    CSS shouldn't be able to interfere with it by default unless a user (stupidly) disables it.
    Any mixed font should be automatically very visible, especially if attempts are made to hide it in URLs and Anchor texts.
    The CSS a:visited issues should have been solved the same way, but they took away that control!

    Will it stop abuse? Will ANY of this stop abuse?
    No. Retards are retards. They'll click anything. They should not be allowed on computers in the first place. There should have been a licence to use the damn things.
    I had my own mother complaining she "couldn't google anything" while clicking a bunch of links on her craptop.
    She was stuck in some fucking ad-farm with related links. All because she had installed some extension from Google Play. How the hell she even installed it is beyond me, but retards find a way.

  17. JOOgle Chrome to bushwhack adblockers by Anonymous Coward · · Score: 0

    See subject & https://www.bleepingcomputer.c... & addons = easily detected & blocked by webmasters + run in SLOW usermode (vs. hosts in FASTER kernelmode as part of the IP stack itself) & NO SINGLE addon does as much as hosts & hosts do so for FAR LESS too!

    * NOT HOSTS FILES THOUGH https://developers.slashdot.or...

    P.S.=> To CHATTERING do-NOTHING "ne'er-do-well" TWATS who will STALK me here by UNIDENTIFIABLE anon posts (& downmod bomb this post to HIDE facts in it):

    GET ON TOPIC & quit STALKING me by UNIDENTIFIABLE anonymous troll posts, loons!

    Make a Wheel (as I have multiplatform) instead https://isc.sans.edu/forums/di... vs. wasting your time (after all, YOU can't STOP me doing the RIGHT thing - &, I clearly am per 100++k users of my work in this program alone)... apk

  18. For all Geeks: StarTrek TOS Episode 26 quote by Anonymous Coward · · Score: 0

    See subject (great episode too) &: "In response to nuclear warhead placed in suborbit by other major power, United States today launching sub-orbital platform w/ MULTI-WARHEAD capacity - purpose: To maintain BALANCE OF POWER..." (in MY favor, lol & my warhead is my program for hosts that does MORE for FAR LESS vs. ANY single browser addon (easily detected & blocked by webmasters no less)) - "ASSIGNMENT EARTH"

    * That MULTI-WARHEAD capable system? Hey, you know:

    APK Hosts File Engine 2.0++ 64-bit for Linux h t t p : / / a p k . i t - m a t e . c o . u k / A P K H o s t s F i l e E n g i n e F o r L i n u x . z i p (remove spaces between chars & download)

    APK Hosts File Engine 10++ SR-1 32/64-bit for Windows https://hosts-file.net/?s=Down... (DL link @ bottom)

    Soon for MacOS too (I just got a NEW Mac-Mini to port it there too)

    APK

    P.S.=> Yes - it is GOOD to be KING (The "Lord of Hosts" so-to-speak)... apk

  19. I'm am GAYpk and ready to HOST by Anonymous Coward · · Score: 0

    My HOSTing

    big dicks in my butt
    small dicks in my butt
    all dicks in my butt

  20. I'm GAYpk and ready to HOST by Anonymous Coward · · Score: 0

    I'mGAYpk
    Ready to host dicks all day
    So cum in my ass
    You'll have a gas
    I'mGAYpk

  21. Get rid of DNS by Hentes · · Score: 1

    The only solid way to prevent abuses like this would be to get rid of DNS entirely. With IPv6 there are enough addresses that there is no reason to ever change the IP of a server, which means links could just use direct IP addresses. Browsers should have quick and easy ways to bookmark an IP with a default name offered by the site itself, and should resolve those bookmarks like it was a domain name when the user types them into the address bar. Users couldn't just type in an address they saw on a billboard but everybody uses QR codes for that already so it wouldn't be a problem.

    1. Re:Get rid of DNS by nitehawk214 · · Score: 2

      That is quite possibly the stupidest idea I have ever heard. How would a site relocate? How would you tell someone "hey visit site x"?

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust

  22. Got it! by Anonymous Coward · · Score: 0

    chrome://flags/#tenable-lookalike-url-navigation-suggestions.