Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Chrome To Get Warnings For 'Lookalike URLs' (zdnet.com)

Posted by msmash on from the better-security dept.

Google Chrome browser is set to add a feature that will warn users when accessing sites with domain names that look like authentic websites. From a report: The feature has been in the works for quite some time at Google and is a response to the practice of using typosquatted domains or IDN homograph attacks to lure users on websites they didn't intend to access. Since the release of Chrome Canary 70, Google engineers have been testing a new feature called "Navigation suggestions for lookalike URLs." In Chrome Canary distributions -- Google Chrome's testing ground for new features -- users can access the following URL to enable the feature: chrome://flags/#enable-lookalike-url-navigation-suggestions.

7 of 40 comments (clear)

  1. If only there was a way to prevent this by Anonymous Coward · · Score: 4, Insightful

    Oh, but that would mean ICANN would make less money.

  2. A much better solution was removed from Chrome by ffkom · · Score: 3, Insightful

    This much better solution was Public Key Pinning. Works great, but is of course not loved by the advertisement industry who wants you to watch content from constantly changing crappy domains.

    1. Re:A much better solution was removed from Chrome by Kvan · · Score: 4, Interesting

      How does PKP help against a typosquatter? These attacks are not on the same domain, but using one that looks the same due to UTF homographs or superficial similarity such as keming issues.

      --

      "A *person* is smart. People are dumb, panicky, dangerous animals and you know it."
      - 'K' in Men in Black.

  3. Start Dropping CA's that approve these URLs by FeelGood314 · · Score: 2

    This isn't so much a problem for English speakers. We see the URLs as the ASCII characters but eventually ICANN decided to approve punycode https://en.wikipedia.org/wiki/... so we could have URLs in other character sets. The problem is that there are hundreds of character sets and many of these have characters that are visually difficult to distinguish. So now I can have two URLs that might actually be displayed identically in my browser that are actually different. I'm not 100% sure how this could have been avoided. It sucks for the non-english world. It could however have been mitigated if CAs check for URLs that are visually similar to existing URLs and not sign the certs for the new requests. With Certificate Transparency their is no excuse to not have a list of all valid signed URLs.

  4. Wonder who'll do the analysis by guruevi · · Score: 3, Insightful

    Soundex analysis is easy to do on modern CPU's but it's convenient for them to use it as an excuse to send all URL's to Google for 'analysis'.

    On the other hand, I wonder in which direction it will steer if it finds two valid sites with competing viewpoints but with similar sounding names.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  5. Didn't Microsoft do that? by 140Mandak262Jamuna · · Score: 2, Funny

    When you type in download chrome on the IE it prompts, "Did you mean Edge Browser download? Please please pretty please with a bow on try the Edge. If you search using Bing we will give you money too. And please give Cortana a chance. A chance that is all we beg for. "

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  6. Re:Get rid of DNS by nitehawk214 · · Score: 2

    That is quite possibly the stupidest idea I have ever heard. How would a site relocate? How would you tell someone "hey visit site x"?

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust