[Lista Criptica] Punycode

Author: Charlie
Date:  
To: Criptica - Lista de socios temporal
Subject: [Lista Criptica] Punycode
Take a look:

https://arstechnica.com/security/2017/04/chrome-firefox-and-opera-users-beware-this-isnt-the-apple-com-you-want/?comments=1

Punycode makes it possible to register domains with foreign characters.
It works by converting individual domain labels to an alternative format
using only ASCII characters. For example, the domain "xn--s7y.co" is
equivalent to "短.co".

From a security perspective, Unicode domains can be problematic because
many Unicode characters are difficult to distinguish from common ASCII
characters. It is possible to register domains such as
"xn--pple-43d.com", which is equivalent to "аpple.com". It may not be
obvious at first glance, but "аpple.com" uses the Cyrillic "а" (U+0430)
rather than the ASCII "a" (U+0061). This is known as a homograph attack.

The homograph protection mechanism in Chrome, Firefox, and Opera
unfortunately fails if every character is replaced with a similar
character from a single foreign language. The domain "аррӏе.com",
registered as "xn--80ak6aa92e.com", bypasses the filter by only using
Cyrillic characters. You can check this out yourself in the
proof-of-concept using Chrome, Firefox, or Opera.

Visually, the two domains are indistinguishable due to the font used by
Chrome and Firefox. As a result, it becomes impossible to identify the
site as fraudulent without carefully inspecting the site's URL or SSL
certificate. This Go program nicely demonstrates the difference between
the two sets of characters. Safari, along with several less mainstream
browsers, is fortunately not vulnerable.
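
The distinction described in the message above, as an added example that is not part of the original post or the linked article: a Python sketch that decodes each "xn--" label, lists its code points, and separates mixed-script labels from single-script non-ASCII ones, the case the text says passes the browser filter. The function names are hypothetical, and taking the script from the first word of a character's Unicode name is an approximation assumed here.

```python
import unicodedata

def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label ('xn--' marks Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def label_scripts(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def classify_label(label: str) -> str:
    """Verdict for one label; non-ASCII verdicts are review flags, not proof of abuse."""
    try:
        text = decode_label(label)
    except UnicodeError:
        return "invalid-punycode"
    if text.isascii():
        return "ascii"
    if len(label_scripts(text)) > 1:
        return "mixed-script"         # e.g. one Cyrillic letter among Latin ones
    return "single-script-non-ascii"  # legitimate IDNs and whole-script lookalikes alike

def review_host(host: str) -> list:
    """Per-label report: (original label, decoded text, code points, verdict)."""
    report = []
    for label in host.rstrip(".").split("."):
        verdict = classify_label(label)
        text = label if verdict == "invalid-punycode" else decode_label(label)
        points = " ".join(f"U+{ord(ch):04X}" for ch in text)
        report.append((label, text, points, verdict))
    return report

if __name__ == "__main__":
    # Hostnames quoted in the message above, plus the plain ASCII name for comparison.
    for host in ("apple.com", "xn--pple-43d.com", "xn--80ak6aa92e.com", "xn--s7y.co"):
        for row in review_host(host):
            print(host, *row, sep=" | ")
```

Because a single-script non-ASCII label can be an ordinary internationalized name, the code-point column is what lets a reviewer tell "аррӏе" from "apple".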