
Chrome 58 patches protection against homographic attacks / Geektimes

MyViralBox Staff
Last updated: April 25, 2024 3:35 pm
Published April 19, 2017

The site https://www.xn--80ak6aa92e.com/, which the browser displays as a look-alike of apple.com, has a genuine SSL certificate (from Let’s Encrypt, of course) and is marked in the browser as a “Reliable site”. But it is not what you expected to see. It is just a proof of concept showing that some modern browsers display site names in Unicode instead of Punycode and so mislead users.

Punycode is a way to represent Unicode characters in host names using a limited subset of ASCII. As stated in RFC 3492, Punycode is an implementation of the more general Bootstring algorithm, in which strings composed of a small set of “base” characters (in this case, ASCII) can uniquely represent strings composed of a larger set of Unicode characters. For example, the domain 短.co becomes xn--s7y.co.

In a host name such as www.apple.com, the first letter can be replaced with the Cyrillic letter “а” (U+0430) instead of the ASCII one (U+0041). This is an old kind of homographic attack, one that browser developers and domain name registrars have long struggled with.

In an ideal world, domain registrars would not register domains that allow homographic attacks, and all browsers would display host names in Unicode as normal.

Since the world is not perfect, browser developers have implemented their own methods to combat such attacks. In particular, in Chrome since version 51 and in Firefox since version 22, the Unicode form of the domain is hidden if characters from different alphabets are mixed in the host name. For example, if you replace the first letter of www.apple.com with a Cyrillic character, the browsers will show the address “xn--pple-43d.com”.

The problem is that this method does not work if the attacker replaces not just some of the letters but every letter of the domain with characters from another alphabet. In the “apple” domain mentioned above, all five characters are replaced with Cyrillic ones. In Punycode this comes out as “xn--80ak6aa92e.com”, but, as you can see above, the browser does not protect against such an attack.

The spoofed address displays flawlessly in the latest versions of both Firefox and Chrome. The uppercase Cyrillic “Ӏ” in this font looks exactly like the Latin “l”.

Only if you look at the SSL certificate,

Internet Explorer and Safari are not affected by this vulnerability. For example, the IE tab immediately displays the name of the site in Punycode.

Fortunately, the Chrome developers have prepared a patch that closes this vulnerability. It was originally prepared for Chrome 59, but it was then decided to include it in Chrome 58, which will be released very soon, on April 25. Apparently, once this patch is in, the browser will show the Punycode form in all “questionable” situations where there is some probability of phishing, even if the characters belong to the same alphabet. This means that some addresses of Russian sites in Cyrillic will, in theory, now always be displayed in “ugly” Punycode rather than “beautiful” Unicode. For example, http://sahar.com/ will turn into xn--80aa2cbv.com/.
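The older mixed-script rule and a stricter whole-script check can be compared on the host names quoted in this article. This is an added example, not Chrome's or Firefox's code: the look-alike table is constructed and incomplete, scripts are approximated from Unicode character names, and the function names are hypothetical.

```python
import unicodedata

# Cyrillic letters that render like Latin ones in common fonts
# (constructed for this example, deliberately incomplete):
# a c e o p x y i j s, small palochka, shha, komi de
LOOKALIKES = set("\u0430\u0441\u0435\u043e\u0440\u0445\u0443"
                 "\u0456\u0458\u0455\u04cf\u04bb\u0501")

def script(ch):
    """Coarse script: first word of the Unicode character name."""
    if ch in "-0123456789":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def to_unicode(label):
    """Decode an ACE ("xn--") label; return other labels unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ace(label):
    """Encode a Unicode label as ACE; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def classify(label):
    """Return 'ascii', 'mixed-script', 'whole-script-lookalike' or 'ok'."""
    text = to_unicode(label)
    if text.isascii():
        return "ascii"
    scripts = {script(c) for c in text} - {"COMMON"}
    if len(scripts) > 1:
        return "mixed-script"            # the older rule catches this
    letters = [c for c in text if script(c) != "COMMON"]
    if scripts == {"CYRILLIC"} and all(c in LOOKALIKES for c in letters):
        return "whole-script-lookalike"  # the older rule misses this
    return "ok"

def display_host(host):
    """Render each label in Unicode only when classify() finds no problem."""
    shown = []
    for label in host.split("."):
        text = to_unicode(label)
        safe = classify(label) in ("ascii", "ok")
        shown.append(text if safe else to_ace(text))
    return ".".join(shown)

if __name__ == "__main__":
    # Host names quoted in the article, in their Punycode form.
    for host in ("xn--pple-43d.com", "xn--80ak6aa92e.com", "xn--s7y.co"):
        print(host, [classify(l) for l in host.split(".")], display_host(host))
```

A Cyrillic label that contains at least one letter outside the look-alike table is classified as ok and stays in Unicode, so a rule of this shape only forces Punycode for names built entirely from look-alike letters.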

As for a similar patch for Firefox, the situation remains uncertain: the corresponding ticket in Bugzilla was first marked as “closed” with the resolution WONTFIX, but it has now been reopened. So there is hope that a patch will be released there as well.

Firefox users can only work around the problem: in about:config, change the network.IDN_show_punycode setting to true. Firefox will then show all international IDN domains in Punycode form. Not very elegant, but there is no other option.

Another way to avoid some of these problems is to use a password manager. It will not let you enter a saved password on a site whose Punycode address differs from the stored one. So at the very least you will notice that the saved password is not filled into the form on the phishing site, and you can suspect that something is wrong.

In general, pay attention to links published on web pages or in e-mail messages. There is no such protection there, and the addresses of phishing sites can look just like the real ones.
