Web security note

This is about a deception tactic using DNS to make phishing attempts more successful.  Browsers and other tools can display domain names containing any character from multi-byte Unicode.  This can be used to spoof domain names.  It's unfortunately common for someone to be tricked into thinking they're going somewhere they can confidently identify as friendly or otherwise trusted, when they are actually being sent to a malicious website.

Someone with an exhaustive knowledge of "legitimate domain names" might be able to inspect the domain name in a link before following it.  With the advent of Internationalized Domain Names (IDNs), unless they have expert insight into characters and fonts, they won't even be able to notice a masquerading URL.  Notice in this screenshot that the "capital G" looks kind of small.  That's because it's not really a G.  It's the multi-byte Unicode character U+0262 masquerading as the normal G.  Also notice that the rest of the domain name is spelled in all lower-case characters, because that makes the small G-ish character more inconspicuous.  If followed, it will take you to who knows what malicious phishing site.  No longer can someone just quickly glance at the domain name and assume all of its characters are normal English alphabet characters; now they have to identify "fake characters" as well.  All of this rests on whether or not the browser or other client application being used performs automatic Punycode conversion (showing the "xn--" form of the name instead of the look-alike characters).  It's easy to say "know your tools like the back of your hand", but for 99.9% of web surfers that's way too much to ask, and expectations as security measures are poor security measures.  Tools need to be trustworthy and not make it easier to trick the user.
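The check a cautious reader (or a link-scanning tool) would want at this point is exactly what a browser's Punycode conversion does: reveal which characters in a hostname are not plain ASCII and show the "xn--" form of the name.  The following is an added example, not code from the original post, using only Python's standard library.  It goes a little beyond the single case above: it reports every non-ASCII code point in any label with its Unicode name, converts each such label to its Punycode form, and decodes "xn--" labels back so a suspicious link can be inspected in either direction.  The hostname with the look-alike G is constructed here for the demonstration; the raw Punycode step is used directly, so the full IDNA mapping and normalization rules are not applied.

```python
import unicodedata


def suspicious_characters(hostname):
    """Return (label_index, char, 'U+XXXX NAME') for every non-ASCII
    code point in hostname: the characters a reader cannot reliably
    tell apart from ordinary letters at a glance."""
    findings = []
    for index, label in enumerate(hostname.split(".")):
        for ch in label:
            if ord(ch) > 0x7F:
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((index, ch, f"U+{ord(ch):04X} {name}"))
    return findings


def to_ascii(hostname):
    """Encode each non-ASCII label as Punycode with the 'xn--' prefix.
    This is the raw Punycode step of IDNA; a real IDNA implementation
    also normalizes and maps characters before encoding."""
    labels = []
    for label in hostname.split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def to_unicode(hostname):
    """Reverse of to_ascii: decode 'xn--' labels back to Unicode so the
    look-alike characters can be examined."""
    labels = []
    for label in hostname.split("."):
        if label.lower().startswith("xn--"):
            labels.append(label[4:].encode("ascii").decode("punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def report(hostname):
    """Human-readable summary of what a Punycode-aware client would show."""
    findings = suspicious_characters(hostname)
    if not findings:
        return f"{hostname}: all ASCII, no look-alike characters"
    lines = [f"{hostname}: displayed as {to_ascii(hostname)}"]
    for index, ch, description in findings:
        lines.append(f"  label {index}: '{ch}' is {description}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: the G is U+0262 (LATIN LETTER SMALL CAPITAL G),
    # the look-alike described in the note above, not an ASCII 'G'.
    lookalike = "\u0262oogle.com"
    print(report("google.com"))
    print(report(lookalike))
    print("decoded back:", to_unicode(to_ascii(lookalike)))
```

The `report` output for the constructed name shows the "xn--" form a Punycode-aware browser would display alongside the offending code point, which is the information the screenshot above hides from a casual glance.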

The ability to identify and avoid traps is wrecked by uncertain conditions like browser features and extra standards layers like IDN…  I think there's an ongoing effort to sabotage the usability of the internet by making it harder to identify traps like phishing attempts.  It's incredibly cynical and unwise to scoff and claim that something like simplicity "is embarrassing", as has been done as an argument for IDNs.  The expansion of allowable TLDs is in the same category of security-impacting change, as people use alternative domain names to squat on the sites others are trying to browse, rerouting them to their own site.  It allows for a wider avenue of deception.

The best thing you can do to protect yourself from this is to manually type the URL you trust into the address bar instead of clicking the link.  People's natural avoidance of tediousness is being taken advantage of.  Convenience and the ability to be lazy are good.  Simplicity is good, but isn't always convenient.  Any way to make technology less of a hassle is a good thing, but it's often a double-edged sword and makes avoiding trickery more difficult.  Rounded edges come with a cost.