Google Chrome To Get Warnings For 'Lookalike URLs'

Google Chrome browser is set to add a feature that will warn users when accessing sites with domain names that look like authentic websites. From a report: The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users on websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions.

If only there was a way to prevent this

Oh, but that would mean ICANN would make less money.

But the

[AHuxley]

approved ads will always be accepted.

A much better solution was removed from Chrome

[ffkom]

This much better solution was Public Key Pinning. Works great, but is of course not loved by the advertisement industry who wants you to watch content from constantly changing crappy domains.

Re:A much better solution was removed from Chrome

[Kvan]

How does PKP help against a typosquatter? These attacks are not on the same domain, but using one that looks the same due to UTF homographs or superficial similarity such as keming issues.

Re:A much better solution was removed from Chrome

[ffkom]

Of course it cannot help against a person typing in a domain name manually for the very first time and misspelling the name at that time. But seriously, that is a rare scenario. The much more common fraudster approach is to lure people into following links to intentionally misspelled domain names, and there PKP helps a lot, because the browser can signal you whether you are on a page that you previously pinned the key for, and you will be warned if a page asks you for credentials that you did never visit before.

Plus PKP can defend you against other types of scams, where the real domain name is used, but a fake DNS server or even a man-in-the-middle proxy that tries to break you end-to-end encryption.

Re:A much better solution was removed from Chrome

HPKP was removed because it's hard to use correctly, impossible to recover if certain bad things happen, and therefore almost never deployed. It was not some grand conspiracy to do with advertisers. Using many changing domain names doesnâ(TM)t matter to HPKP, which was designed to prevent attacks on TLS certificates.

Homograph attacks are different domains using visually identical Unicode characters to another legitimate domain to confuse users into thinking they are on the correct site. HPKP prevents attacks on TLS for the same domain. They are two completely different things.

Start Dropping CA's that approve these URLs

[FeelGood314]

This isn't so much a problem for English speakers. We see the URLs as the ASCII characters but eventually ICANN decided to approve punycode https://en.wikipedia.org/wiki/... so we could have URLs in other character sets. The problem is that there are hundreds of character sets and many of these have characters that are visually difficult to distinguish. So now I can have two URLs that might actually be displayed identically in my browser that are actually different. I'm not 100% sure how this could have been avoided. It sucks for the non-english world. It could however have been mitigated if CAs check for URLs that are visually similar to existing URLs and not sign the certs for the new requests. With Certificate Transparency their is no excuse to not have a list of all valid signed URLs.

Wonder who'll do the analysis

[guruevi]

Soundex analysis is easy to do on modern CPU's but it's convenient for them to use it as an excuse to send all URL's to Google for 'analysis'.

On the other hand, I wonder in which direction it will steer if it finds two valid sites with competing viewpoints but with similar sounding names.

Re: Wonder who'll do the analysis

[houghi]

Well, google will look at what side produces more revenue, so that will be the correct website.

If it does not ptoduce any revenue, it therefore must be a fake site.

Didn't Microsoft do that?

[140Mandak262Jamuna]

When you type in download chrome on the IE it prompts, "Did you mean Edge Browser download? Please please pretty please with a bow on try the Edge. If you search using Bing we will give you money too. And please give Cortana a chance. A chance that is all we beg for. "

Awwww...!

[dohzer]

Does this mean the end of www.penisland.net ?

Warning?

[Mr_Silver]

It's not much of a "warning".

They are basically reusing the UI where you type in, say "myserver", Chrome takes you to a Google search for "myserver" but then puts a little bar underneath which says "Did you really mean http://myserver?"

Get rid of DNS

[Hentes]

The only solid way to prevent abuses like this would be to get rid of DNS entirely. With IPv6 there are enough addresses that there is no reason to ever change the IP of a server, which means links could just use direct IP addresses. Browsers should have quick and easy ways to bookmark an IP with a default name offered by the site itself, and should resolve those bookmarks like it was a domain name when the user types them into the address bar. Users couldn't just type in an address they saw on a billboard but everybody uses QR codes for that already so it wouldn't be a problem.

Re:Get rid of DNS

[nitehawk214]

That is quite possibly the stupidest idea I have ever heard. How would a site relocate? How would you tell someone "hey visit site x"?