With help from Google, impersonated Brave.com website pushes malware


valkyriebiker

Ars Tribunus Militum
1,584
Subscriptor
It's pure e̶v̶i̶l̶ greed these domains exist. Why isn't ASCII enough? There is no reason why bravè.com, bravê.com or bravė.com should point to something other than brave.com.

Because there's lots of languages that cannot be represented using ASCII.

Having said that, what would be useful is for punycode to be disabled by default for languages that can be adequately represented without it, e.g. English. But that doesn't help the muggles fluent only in non-ASCII-able languages.

The sad fact is that bad actors will always find a way.
 
Upvote
133 (145 / -12)

guifa

Ars Scholae Palatinae
651
Subscriptor++
It's pure e̶v̶i̶l̶ greed these domains exist. Why isn't ASCII enough? There is no reason why bravè.com, bravê.com or bravė.com should point to something other than brave.com.
Well, mainly because the world is a bit more international than ASCII can handle. There's a huge difference for Spanish-speakers between diezaños.com (tenyears.com) and diezanos.com (tenbuttholes.com). I'm sure with other languages there can be even more extreme examples. And that's before we consider non-Latin script users among the world. Accommodating them effectively requires a Unicode derived system which will, in turn, also include Latin diacritics.

There are some tools that can sniff out potentially misleading URLs by using a variety of heuristics (e.g. all Latin except for one Cyrillic/Greek letter, and that one is known to be potentially confused with a Latin one). If a browser gets one of these URLs with mixed scripts or diacritics, it might be a good idea to check if it's rather similar to a top 1000 (or 10k, or 100k, etc) domain, and alert the user of a potential phishing attempt in such case.
 
Upvote
300 (308 / -8)

MightyPez

Ars Scholae Palatinae
1,476
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
 
Upvote
184 (191 / -7)

Starouscz

Ars Scholae Palatinae
860
Subscriptor
It's pure e̶v̶i̶l̶ greed these domains exist. Why isn't ASCII enough? There is no reason why bravè.com, bravê.com or bravė.com should point to something other than brave.com.
Well, mainly because the world is a bit more international than ASCII can handle. There's a huge difference for Spanish-speakers between diezaños.com (tenyears.com) and diezanos.com (tenbuttholes.com). I'm sure with other languages there can be even more extreme examples. And that's before we consider non-Latin script users among the world. Accommodating them effectively requires a Unicode derived system which will, in turn, also include Latin diacritics.

There are some tools that can sniff out potentially misleading URLs by using a variety of heuristics (e.g. all Latin except for one Cyrillic/Greek letter, and that one is known to be potentially confused with a Latin one). If a browser gets one of these URLs with mixed scripts or diacritics, it might be a good idea to check if it's rather similar to a top 1000 (or 10k, or 100k, etc) domain, and alert the user of a potential phishing attempt in such case.

Thanks for giving a meaningful example.

I just think it is a bit too late to leave all of that to the browser without any effort at the registry. Actually my language is one of those with a couple of special characters, and the top-level domain for .cz has this disabled on purpose.

I still think that registering domains with similar names as a block could be some form of due diligence on the side of the registry. The special characters expand the domain space greatly without any regard to the distance between any 2 domains. Something like this already exists at the end, as you say, but it is slapped on the browsers, who are expected to fix everything.
 
Upvote
30 (40 / -10)

stine

Ars Tribunus Militum
2,895
Why isnt ascii enough ?

Because not every domain is intended for English speakers.

Here's how to set Firefox to show punycode rather than unicode characters. https://www.tenforums.com/tutorials/104 ... ndows.html

True, but I disagree. I think the host/domain/tld portions of domains should be restricted to the same single character set. If you want a domain in .рф then you have to use Cyrillic or if you want a domain in .中国 then you have to use Chinese, otherwise you could end up with URLs like this:
https://www.くそ.ఫక్.јебати.لعنتی0.एन एस.org

in 5 languages...

edited to add: current Firefox and Chrome don't like that URL, but that doesn't mean it won't be valid based on the recent history of the standards bodies... also, don't translate it if you don't want to be offended.
 
Upvote
51 (60 / -9)

stine

Ars Tribunus Militum
2,895
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/

How does this behave if the OS/Browser language is in ISO/IEC 8859-5 (cyrillic), and the oddball characters are the ones in ISO/IEC 8859-1 (english)? I use cyrillic as an example because I can't read it, and wouldn't recognise punycode in the middle of a cyrillic domain name even if it was highlighted in red, and blinking.
 
Upvote
13 (17 / -4)
Most such attacks can be detected; it's just that companies don't really care that much (to put it lightly). Cyrillic symbols used to be quite popular -- you can't really tell the difference between "e" and "е" in many, _many_ fonts. There are "equivalency" tables. So you can check if the website in the "equivalent" ASCII spelling is already registered, and not let robots issue certificates or even register a website if the organization doesn't match. Tadaaaa, 99.99% of all such phishing attempts will be auto-solved.

Non-ASCII domains' only purpose at this stage is to limit who can access them. For any non-native user there is no easy way to type in a non-ASCII domain. You have to actively look for an online keyboard, or copy-paste individual symbols, etc. Incidentally, a similar problem exists for native users who are outside of their home country. If I have to type in a fully Cyrillic domain while using an internet kiosk somewhere in the UK, it'd be a big pain in the ass.
 
Upvote
40 (44 / -4)

Fatesrider

Ars Legatus Legionis
24,979
Subscriptor
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/
That's quite helpful for the few of us who actually USE Firefox, thanks for that.

Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar.
I can't speak for everyone (obviously), but over the years, and after having come across a lot of disguised URLs that said one thing but led to another place, I developed the habit of hovering to get the URL pop-up at the bottom of the browser before clicking on it.

Even today, it aggravates me that Google hides the actual URLs within its embedded spy-on-you bullshit links instead of giving a clean link to the site I want to go to (which I typically then type into the address bar instead of using Google's link). But this punycode URL spoof still wouldn't have worked very well on me, since I habitually check where I'm going before I click, and check the URL when I arrive.

Seeing the actual punycode in the URL is obviously going to blatantly reveal the scam here, but even if it was the ASCII equivalent with accents and such, I'd notice them every time simply because I look for weird things in links I click. Having taken German in the past, and having a passing familiarity with Spanish, I know when letters aren't in the Latin alphabet, and aren't used in the English language.

I know this doesn't apply to "everyone", but making habits out of routine things (like checking the links one wants to click) makes it pretty automatic if you do it consistently. Even if you don't want to do it all the time, at least when looking for programs and such that you might want to install, it's always a good idea to be certain you're at the correct site before clicking on anything there.

Especially if clicking on an offering from any search.
 
Upvote
41 (45 / -4)

GJC

Wise, Aged Ars Veteran
133
Subscriptor
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

I and probably most other Ars commenters block ads and trackers on all websites. I, like you, subscribe to Ars because I value its in-depth, high-quality coverage. (Plus, the full-text RSS feeds are really nice.)

It’s the website’s job to implement technical measures to maintain its revenue stream. I have no obligation to execute some random JavaScript function from doubleclick.com just because wired.com asks my browser to do so. If a website is concerned about losing revenue from users who block ads, then it should implement some sort of account system and lock its content behind a paywall. No one has a right to make money.
 
Upvote
86 (100 / -14)

markgo

Ars Praefectus
3,779
Subscriptor++
It's pure e̶v̶i̶l̶ greed these domains exist. Why isn't ASCII enough? There is no reason why bravè.com, bravê.com or bravė.com should point to something other than brave.com.
Well, mainly because the world is a bit more international than ASCII can handle. There's a huge difference for Spanish-speakers between diezaños.com (tenyears.com) and diezanos.com (tenbuttholes.com). I'm sure with other languages there can be even more extreme examples. And that's before we consider non-Latin script users among the world. Accommodating them effectively requires a Unicode derived system which will, in turn, also include Latin diacritics.

There are some tools that can sniff out potentially misleading URLs by using a variety of heuristics (e.g. all Latin except for one Cyrillic/Greek letter, and that one is known to be potentially confused with a Latin one). If a browser gets one of these URLs with mixed scripts or diacritics, it might be a good idea to check if it's rather similar to a top 1000 (or 10k, or 100k, etc) domain, and alert the user of a potential phishing attempt in such case.

Thanks for giving a meaningful example.

I just think it is a bit too late to leave all of that to the browser without any effort at the registry. Actually my language is one of those with a couple of special characters, and the top-level domain for .cz has this disabled on purpose.

I still think that registering domains with similar names as a block could be some form of due diligence on the side of the registry. The special characters expand the domain space greatly without any regard to the distance between any 2 domains. Something like this already exists at the end, as you say, but it is slapped on the browsers, who are expected to fix everything.

It could even be automated. Strip diacritics, check name. If it exists, reject Punycode registration. Should probably be part of a future punycode spec.
 
Upvote
21 (24 / -3)

GJC

Wise, Aged Ars Veteran
133
Subscriptor
One thing that can help: Before inputting or downloading anything, watch for the https when double checking site address.

I don’t think that that would work here. The attacker has full ownership of the punycode domain, so they can easily register a completely valid TLS certificate for that domain. At a technical level, there’s no actual impersonation occurring. That’s what’s so devious about this particular attack method.
 
Upvote
85 (86 / -1)

KeyboardWeeb

Ars Tribunus Militum
2,915
Subscriptor
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

Unfortunately, malvertisements can and will strike anywhere. Ad blocking is a security layer.
 
Upvote
97 (98 / -1)

Astral Spectre

Smack-Fu Master, in training
73
Subscriptor++
One thing that can help: Before inputting or downloading anything, watch for the https when double checking site address.

For the downvoters... not saying this is foolproof (no single check is ever foolproof) - but notice the missing "https" address in both illustrations used in this article. Of course, a fake Brave site can apply for a security certificate too, but chances are it probably wouldn't, risking vetting and trace back:

malicious-google-ad-02.jpg


fake-brave-site.jpg

It's not hard at all to get a certificate for a fake site that you control. Just use Let's Encrypt. As long as you can demonstrate (to an automated system) that you control the domain (via ability to do certain things to the web server, the DNS, or some other more obscure methods), you can get a certificate. All a certificate does is secure the connection between the client and the server. It says nothing about the trustworthiness of either party. The certificate policy and practice statement matter if you think that some special level of vetting is being performed, but I'm pretty sure that virtually no users read those documents.
 
Upvote
66 (66 / 0)

ERIFNOMI

Ars Legatus Legionis
17,197
One thing that can help: Before inputting or downloading anything, watch for the https when double checking site address.

For the downvoters... not saying this is foolproof (no single check is ever foolproof) - but notice the missing "https" address in both illustrations used in this article. Of course, a fake Brave site can apply for a security certificate too, but chances are it probably wouldn't, risking vetting and trace back:

malicious-google-ad-02.jpg


fake-brave-site.jpg
Do you think certs are manually vetted and someone decides if you're worthy of one? They definitely aren't. I have certs for a handful of names I own and one or two people ever make any use of. And they're free. No one is manually vetting me. There's a simple automated system to demonstrate that I own the server that name resolves to and that's it. All you need is an email address, which can certainly be as anonymous as the webserver getting the cert.
 
Upvote
47 (47 / 0)

Starouscz

Ars Scholae Palatinae
860
Subscriptor
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.

Unfortunately, malvertisements can and will strike anywhere. Ad blocking is a security layer.
Well, don't ad blockers have a setting to remove malicious ads only? I know my endpoint security suite does.

If you're blocking literally everything, then I think it's a bit of a stretch to call it "security". It feels a bit more like a convenient excuse. :)


Ad blocking prevents remote code execution of untrusted content from third parties. I also call that security. It is also this business model that breaks the world by building constant surveillance. It is high time that we as a society come up with a better one before it destroys us.
 
Upvote
74 (77 / -3)
One thing that can help: Before inputting or downloading anything, watch for the https when double checking site address.

For the downvoters... not saying this is foolproof (no single check is ever foolproof) - but notice the missing "https" address in both illustrations used in this article. Of course, a fake Brave site can apply for a security certificate too, but chances are it probably wouldn't, risking vetting and trace back:

malicious-google-ad-02.jpg


fake-brave-site.jpg
The second image is actually showing an HTTPS URL, it's just hidden and the lock is shown instead
 
Upvote
48 (48 / 0)

flx

Ars Praetorian
402
Mandatory "Firefox has addressed this" note:
https://ma.ttias.be/show-idn-punycode-f ... hing-urls/
That's quite helpful for the few of us who actually USE Firefox, thanks for that.

Sadly, there are no clear ways to avoid these threats other than by taking a few extra seconds to inspect the URL as it appears in the address bar.
I can't speak for everyone (obviously), but over the years, and after having come across a lot of disguised URLs that said one thing but led to another place, I developed the habit of hovering to get the URL pop-up at the bottom of the browser before clicking on it.

Even today, it aggravates me that Google hides the actual URLs within its embedded spy-on-you bullshit links instead of giving a clean link to the site I want to go to (which I typically then type into the address bar instead of using Google's link). But this punycode URL spoof still wouldn't have worked very well on me, since I habitually check where I'm going before I click, and check the URL when I arrive.

Seeing the actual punycode in the URL is obviously going to blatantly reveal the scam here, but even if it was the ASCII equivalent with accents and such, I'd notice them every time simply because I look for weird things in links I click. Having taken German in the past, and having a passing familiarity with Spanish, I know when letters aren't in the Latin alphabet, and aren't used in the English language.

I know this doesn't apply to "everyone", but making habits out of routine things (like checking the links one wants to click) makes it pretty automatic if you do it consistently. Even if you don't want to do it all the time, at least when looking for programs and such that you might want to install, it's always a good idea to be certain you're at the correct site before clicking on anything there.

Especially if clicking on an offering from any search.

Looking for non-english letters [edit: with your own eyes] doesn't help much with e.g. https://www.аррӏе.com
 
Upvote
17 (18 / -1)
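The mixed-script and look-alike heuristics guifa describes earlier in the thread, the "equivalency table" check from the unattributed post above, markgo's strip-diacritics registry check, and flx's аррӏе.com example all come down to the same small computation: fold a name to the plain-ASCII string a reader would mistake it for, and see whether that string is a domain people already trust. The Python script below is an added example written for this page; it is not code from the thread, from any browser, or from any registry. Its confusables table is a constructed subset (the real source for such a table is Unicode TR39's confusables.txt), its list of known domains is a constructed stand-in for a "top N domains" list, and its script detection is a coarse code-point-range heuristic rather than the Unicode Script property.

```python
import unicodedata

# Constructed confusables table for this example: a handful of Cyrillic and
# Greek letters whose usual glyphs are near-identical to Latin ones. The real
# source for such a table is Unicode TR39's confusables.txt; this is a subset.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0443": "y",  # Cyrillic small u
    "\u0445": "x",  # Cyrillic small ha
    "\u04cf": "l",  # Cyrillic small palochka (the "l" in аррӏе)
    "\u03bf": "o",  # Greek small omicron
    "\u03c1": "p",  # Greek small rho
}


def script_of(ch):
    """Coarse script bucket by code-point range.

    Heuristic only (not the Unicode Script property), but enough to spot a
    label that mixes Latin with Cyrillic or Greek."""
    if ch in "-.0123456789":
        return "common"
    cp = ord(ch)
    if cp < 0x0250:            # Basic Latin, Latin-1, Latin Extended-A/B
        return "latin"
    if 0x0370 <= cp <= 0x03FF:
        return "greek"
    if 0x0400 <= cp <= 0x04FF:
        return "cyrillic"
    return "other"


def to_ascii(domain):
    """A-label form of a domain: each non-ASCII label becomes xn-- + punycode.

    Uses Python's raw 'punycode' codec (RFC 3492) rather than the 'idna'
    codec, so a label that nameprep would reject still gets a displayable
    encoding."""
    labels = []
    for label in domain.lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def skeleton(domain):
    """Fold a name to the ASCII string a reader would mistake it for:
    decompose (NFKD), drop combining marks (accents), map confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", domain.lower()):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def assess(domain, known_domains):
    """Return the reasons (if any) a name looks like a look-alike of a known domain."""
    findings = []
    name = domain.lower()
    for label in name.split("."):
        scripts = {script_of(c) for c in label} - {"common"}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    folded = skeleton(name)
    if folded != name and folded in known_domains:
        findings.append(f"{to_ascii(name)} renders like {folded}")
    return findings


if __name__ == "__main__":
    # Constructed stand-in for a "top N domains" list.
    KNOWN = {"brave.com", "apple.com", "diezanos.com"}
    for candidate in ("brave.com", "bravè.com", "br\u0430ve.com",
                      "\u0430\u0440\u0440\u04cf\u0435.com", "diezaños.com"):
        print(candidate, "->", to_ascii(candidate), assess(candidate, KNOWN) or "ok")
```

Two things the output makes concrete. First, the all-Cyrillic аррӏе.com never trips the mixed-script rule (every letter is from one script), which is why a skeleton comparison against a trusted list is needed on top of it. Second, skeleton("diezaños.com") is "diezanos.com", so a registry that rejected every name whose skeleton is already registered would also reject guifa's legitimate Spanish domain if the ASCII one existed first; that false-positive cost is the trade-off the thread is arguing about, and any deployment has to decide whether to warn, block, or require manual review at that point.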
In order to download this malware, you'd have to see an ad, which means you'd have to not have AdBlock/uBlock installed. Who browses the internet without an ad blocker? lol

Golly, why would someone go to a website they believed was hosting the download for a browser that was explicitly designed to block ads without an adblocker installed?

Truly it is a mystery for the ages.
I thought it was just a security focused browser?

I seldom turn off ads. I want to support the sites I visit. I have used an ad blocker just once this year when browsing a site that had auto-play video ads. I uninstalled the adblocker again when I was done.

If you're visiting reputable sites that provide you value, while blocking ads and not subscribing, you're depriving the site of crucial income. Or in simpler words: you're leeching on other people's good work.
Do you actually not just click on ads but constantly go and purchase everything you see advertised? You're not doing anyone much good by contributing to lower click through rates. Get off your high horse. If you want to support people who make websites, pay them.
 
Upvote
11 (25 / -14)

Deleted member 1

Guest
You are not entitled to remove the ads or dictate they alter their business model to something that "suits you". The ethical choice would be to simply not use their services, if you are not prepared to accept whatever business model they have chosen.

Well, when I call AT&T (or whomever) about something specific, and they start giving me their spews about other fabulous programs they have, I actually do cut them off.

I do plan on subscribing to Ars. And you betcha I will continue using my adblocker!
 
Upvote
19 (24 / -5)

fenncruz

Ars Tribunus Militum
1,759
Subscriptor++
Most such attacks can be detected; it's just that companies don't really care that much (to put it lightly). Cyrillic symbols used to be quite popular -- you can't really tell the difference between "e" and "е" in many, _many_ fonts. There are "equivalency" tables. So you can check if the website in the "equivalent" ASCII spelling is already registered, and not let robots issue certificates or even register a website if the organization doesn't match. Tadaaaa, 99.99% of all such phishing attempts will be auto-solved.

Non-ASCII domains' only purpose at this stage is to limit who can access them. For any non-native user there is no easy way to type in a non-ASCII domain. You have to actively look for an online keyboard, or copy-paste individual symbols, etc. Incidentally, a similar problem exists for native users who are outside of their home country. If I have to type in a fully Cyrillic domain while using an internet kiosk somewhere in the UK, it'd be a big pain in the ass.

Except how often do you type a URL? I don't type them often, mostly clicking a link from a search result or bookmark. And I'm sure all those people who write in Cyrillic just love having to type only in ASCII even if the words then don't make sense in their language.

I would argue that if you have to type a Cyrillic URL (because someone told you the address) you either know Cyrillic and would know how to type it, or you're not going to have a chance at even knowing what character you need to copy and paste.
 
Upvote
13 (13 / 0)

Maltz

Ars Scholae Palatinae
1,029
I had a user get bitten by this yesterday trying to go to Amazon. She typed "amazon" in the search bar, clicked on the ad at the top of the resulting Google results, and the "your computer is locked - call Microsoft support immediately" scam screen popped up. I was eventually able to get back to the original Google search results and examine the link in the ad. I even had this type of attack in mind when I was looking at her machine, but the URL appeared as "www.amazon.com" without diacritical marks when moused over, but when I clicked it, it went to the scam site again. When I clicked the search result instead of the ad, it went to Amazon as expected, so there was no DNS hijacking involved. I'm not sure how someone would avoid something like that, short of an ad blocker, or just a general policy of not clicking on the ad in search results.
 
Upvote
55 (55 / 0)