back to article That apple.com link you clicked on? Yeah, it's actually Russian

Click this link (don't fret, nothing malicious). Chances are your browser displays "apple.com" in the address bar. What about this one? Goes to "epic.com," right? Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words …

Page:

  1. The Original Steve

    Edge

    Shows the real address in Edge on W10.

    1. Tessier-Ashpool

      Re: Edge

      Real address in macOS 10.12.4, also.

    2. Anonymous Coward
      Anonymous Coward

      Re: Edge

      >We're told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear.

      Wow that's different for a change.

      1. Yet Another Anonymous coward Silver badge

        Re: Edge

        Chrome on chromebook is vulnerable but vivaldi (chrome from the guys that brought you opera) is safe

  2. frank ly

    I'm using Palemoon 27.0.3 on Linux and those first two links have different behaviour. The first one shows as "https://xn--80ak6aa92e.com/" and the second one shows as "https://www.epic.com" when I hover the cursor over it.

    1. VinceH
      Meh

      Looking at them on this Linux Mint box, my RSS reader shows them as https://xn--80ak6aa92e.com and https://www.xn--e1awd7f.com/ respectively.

      My browser (Firefox on this box) shows the first one as the article describes, except for one significant difference: The 'l' looks like a capital I - presumably a side effect of the font in use here, but the important point is that for me it stands out a mile.

      The second one, however, does just look like epic.com

    2. joeW

      Vivaldi 1.8 on Win 7 here - both addresses showing correctly. Quite surprising since its using the Chromium engine, and yet my current version of Chrome is getting bamboozled.

    3. Anonymous Coward
      Anonymous Coward

      Pale Moon 27.2.1 on windaz, same behaviour - The first one shows as "https://xn--80ak6aa92e.com/" and the second one shows as "https://www.epic.com" setting network.IDN_show_punycode to True corrects the display issue.

      1. This post has been deleted by its author

  3. Voland's right hand Silver badge

    AFAIK mozilla had URL checking code

    That decision was criminal in its stupidity. Example: НSВС.com - that is Russian N, S Russian V, Russian S, .com.

    You can create a mixed encoding homophone for nearly anything and it will be virtually indistinguishable from the real thing. Now throw in a certificate and voila - phishing, here it comes.

  4. Anonymous Coward
    Anonymous Coward

    an easy fix for firefox

    is to set network.IDN_show_punycode=true in about:config

    too bad this is not the default.

    1. Alumoi Silver badge
      Pint

      Re: an easy fix for firefox

      Have one on me, I missed this one in my config.

      1. AMBxx Silver badge
        Pint

        Re: an easy fix for firefox

        Lots of beer on its way to you today.

        Anyone know if it's possible to set this in either the registry or AD?

        1. Sloppy Crapmonster

          Re: an easy fix for firefox

          Firefox and AD? No. You *might* be able to use FrontMotion's MSI and group policy extensions but I had to give it up years ago because the extensions weren't keeping up with the features in the browser.

          1. TonyJ

            Re: an easy fix for firefox

            CCK2 - free addon for Firefox that allows you to develop a config.

            Beat me to the punycode config setting though :)

      2. Aus Tech

        I wonder what happens...

        when the browser is updated to a new version?

        Of course, if we ALWAYS type the url into the address bar, we aren't going to have the problem, but when there is a long string of other text after the '/', that's going to be awkward.

    2. Jason Bloomberg Silver badge
      Pint

      Re: an easy fix for firefox

      Many thanks. You have likely saved a lot of people a lot of time in searching for that solution.

    3. Tom 38

      Re: an easy fix for firefox

      This isn't a fix, it is a work around. You fix the problem that you are not mislead by malicious IDNs, but you have a new problem that you cannot see any IDNs.

      It's like someone complaining that their editor doesn't work in Arabic, and being told that the fix is to write in English.

      1. AMBxx Silver badge
        Facepalm

        Re: you cannot see any IDNs.

        You can see it - looks like a load of random text. Perfect for me as no site I need to use is likely to use strangely obfuscated text.

      2. Anonymous Coward
        Anonymous Coward

        Re: an easy fix for firefox

        For most English speakers, not seeing IDNs is likely not much of an issue.

        Maybe a compromise would be that with punycode 'true' it shows the punycode domain name in the address bar to avoid (English speaking) people getting fooled, but the shows proper name when you hover over it if you were i.e. visiting a Russian site.

        1. Tom 38
          FAIL

          Re: an easy fix for firefox

          The 5+ billion people who don't speak it as a first or second language can just go get fucked then?

          1. Anonymous Coward
            Anonymous Coward

            Re: an easy fix for firefox

            Obviously another solution will need to be found for them, but English speakers are likely to be the target of the vast majority of hijacking attempts that use punycode domains masquerading as real ones.

            Is a solution a bad one if it only fixes the majority of the problem, rather than 100% of it?

            1. Tom 38

              Re: an easy fix for firefox

              Obviously another solution will need to be found for them, but English speakers are likely to be the target of the vast majority of hijacking attempts that use punycode domains masquerading as real ones.

              No, you are only thinking of the problems that an anglophone will encounter from homographic IDN attacks, it is still a form of colonialism.

              You haven't considered that due to our earlier anglophone-only internet, most of those non english speakers will actually be using a lot of domains that have english domain names, for instance paypal, google, mpay and so on. A work around that "works" for anglophones, but still allows the remaining 84% of the world to be pwned is not a valid solution.

              For instance, a user in India almost certainly would want punycode on for local websites, but they still won't want to go to xn--mesa-g6d.in thinking it is mpesa.in.

          2. Gordon 15

            Re: an easy fix for firefox

            I don't think 5 billion+ people use the OP's computer. I'd wager that it's probably just him or her and maybe some family members - judging by the post, probably using English in an ISO Latin alphabet.

          3. JLV
            Happy

            Re: an easy fix for firefox

            >can just go get fucked

            Chill, still helps the 100% of commentards here who read English...

      3. joed

        Re: an easy fix for firefox

        If you can't apply the workaround, you'll need to check certificate for sites you really care (let's encrypt cert is a red herring). It sucks that not only urlbar gets spoofed but also noscript sees no harm so drive by is that much more likely to happen (if you apply permanent exceptions to domains you trust).

      4. Deltics
        Joke

        Re: an easy fix for firefox

        But this is still a perfectly valid and complete "fix" for that person if that person only actually wants/needs to write in English.

        Of course, the "fix" for the person who never needs to visit IDN domains is an "it's broken" for someone who does. Isn't it ?

        Which is the real problem, no ?

        But your text editor analogy falls somewhat short. A text editor that does not support Arabic cannot be used to send a document to someone that looks like English but is in fact Arabic.

        "I sent the infidel the instructions for assembling a bomb, and they thought it was a shopping list because I used Arabic that made it look like a list of English words for grocery goods. How surprised will they be when they go out to buy milk and eggs and instead blow up the supermarket ?!"

        :)

    4. Captain DaFt

      Re: an easy fix for firefox

      That fix also works for SeaMonkey. Thanks.

    5. datafabric
      Coat

      Re: an easy fix for firefox

      I'm surprise the author didn't provide the solution at the end of the article. This is El Reg after all or am I asking too much? :-)

      1. diodesign (Written by Reg staff) Silver badge

        Re: Re: an easy fix for firefox

        Thanks - updated the article with the fix info.

        C.

    6. Nifty Silver badge

      Re: an easy fix for firefox

      err... was the genuine about:config?

    7. Nifty Silver badge

      Re: an easy fix for firefox

      In your phishing email:

      "On security grounds the links in this email are not clickable. Instead, please copy and paste the following link instead...."

  5. Sampler

    Simple solution?

    Sorry, this might seem a little simple, but, as we know what characters looks like what in other languages, when some applies to have a domain like raural.com that become paypal.com is to simply flag it as unavailable, just like if someone owns the domain already - surely it wouldn't take much longer for a script checking to see if the domain you wish to buy permeates the unicode and checks all possibilities before returning the results with a big fat "computer says no" when you're trying to spoof a domain.

    Yeah, a few people may end up not being able to get the domain they wish, but let's face it, most people buying a domain face that problem these days anyway as someone's beaten them to all the good names anyway.

    Or am I over simplifying things? I could quite easily be, I'm rather the idiot..

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution?

      you are. under your proposal, a hypothetical corporation peddling nuclear reactor fuel (mox.com) should be able to lock out an equally hypothetical innocent grop of russian lichen-fanciers (мох.ru). The existence of a company website opal.com should not stop a hypothetical local nightclub in the middle of siberia from calling itself ора1.ru, after a little local river. ideally, these hypothetical russian entities should also be able to register their names in the .com or .org namespaces - saying otherwise would strongly imply that some animals are more equal than others.

      most IDN are used entirely innocently, and are a great help in online those of us who do not speak english, or at least another laguage based on the latin alphabet, fluently. making them second-class does not help anybody.

      1. Brangdon

        Re: Simple solution?

        Currently mox.com and mox.ru can both exist, even if owned by different entities. That's the whole point of having different namespaces. Given that, мох.ru should be allowed whether or not mox.com exists, so long as mox.ru doesn't exist.

        If both spellings want the same namespace, as in мох.com and mox.com, then it should be handled as if the spellings were the same. First-come, first-served, or whatever the rule is. That isn't making IDN second class. It is treating them the same as everything else.

      2. Eddy Ito

        Re: Simple solution?

        Could one do a simple check to see if the language in the IDN being used matched that in use by the system and if not give an indicator such as highlight the address bar fuchsia or show an icon if it doesn't?

        1. psychonaut

          Re: Simple solution?

          yeah, but most users wont care. click....click...give me it now!

          "this file will probably fuck your computer and possibly your wife" click proceed to proceed, click back to cancel.

          give me it now! click click....

          they dont read or pay attention to such things

  6. Fazal Majid

    A simple fix

    Would be to block IDN on the .com zone, where the vast majority of attempted impersonation would likely occur.

    1. AMBxx Silver badge

      Re: A simple fix

      I use OpenDNS for DNS on my home office network. I was hoping to see an IDN setting in the options, but no joy.

      I'll just have to stick to blocking all of Eastern Europe for now.

  7. GreggS

    Not just Mac

    Chrome 57.0.2987.133 on W7 shows the incorrect address, but IE11 shows the correct one for the second link and doesn't show or let you click on the first.

    1. Julian Bradfield

      Re: Not just Mac

      The addresses are not incorrect - they are *supposed* to be displayed in cyrillic, that's the whole point!

      1. This post has been deleted by its author

        1. Steve the Cynic

          Re: Not just Mac

          No, they are displayed in Cyrillic that *looks* like Western European. (And that's more or less the whole point of the "attack" - they look like apple, paypal, etc., but aren't.)

  8. Drew 11

    Just another ICANN cockup

    With the launch of IDN equivalent TLD's for CNO along with the newGTLD's, ICANN had an ideal opportunity to fix this problem for good. Instead they made it worse.

    What should have happened: Complete banning of mixing scripts between levels. All IDN's in CNO should have been moved over to their equivalent IDN newGTLD (eg cyrillic .com's should have been grandfathered over to .ком, etc,) and the system returned to only ASCII registrations allowed in the plain old ASCII CNO TLD's.

    Instead, ICANN sat on it's hands and even let mixed scripts proliferate into the ASCII new GTLD's! So now you can register chinese scripts in .xyz. How useful.

    SSAC were asleep at the wheel.

    But don't get me started.

  9. Drew 11

    In fact it's become some a huge mess that Verisign, having successfully applied for 12 transliterations of .com and .net, have only launched two of them - .コム for Japan and .닷컴/.닷넷 for Korea - and that was over a year ago. They have abandoned launching the rest. That would make for an interesting article in itself- why would a powerhouse like Verisign not be able to handle launching the lot of them at the same time, given they're for completely different markets?

  10. djstardust

    Opera Windows 7 64

    Hey there!

    This may or may not be the site you are looking for! This site is obviously not affiliated with Apple, but rather a demonstration of a flaw in the way unicode domains are handled in browsers.

    1. Robert Carnegie Silver badge

      Re: Opera Windows 7 64

      Current Opera is Chrome-related. The web address displays like "apple.com", and if the page wasn't constructed as a message which says that it isn't apple.com then we would be deceived.

  11. Cuddles

    Seems a silly issue

    "different but look almost identical"

    A letter is just a symbol with a certain shape - if two letters look identical, they are identical. It doesn't matter if different languages use that shape in different ways to represent different sounds, the only thing a computer needs to do is display the shape when told to do so; there's absolutely no reason to come up with multiple codes to represent the same shape just because that shape is used in different alphabets.

    And before objections that the letters aren't quite identical and the minor differences justify the different codes, that sort of minor change is a function of font. The difference between a Times New Roman "P", a Comic Sans "P" and a Wingdings "P" is far greater than the difference between an English and a Russian "P". If you want Cyrillic-looking letters you choose a Cyrillic font, if you want Latin letters you choose a Latin font. Defining multiple codes for effectively identical letters really doesn't help matters.

    1. Rob D.

      Re: Seems a silly issue

      So true - the issue is how the user responds to the symbol displayed and not what the computers are using internally to represent it.

      There is a necessary trade-off between making things easy or friendly for the less IT-literate (i.e. most non-IT) people, and giving those same people a risk-proportionate way of avoiding ne'er do wells. The risk is browser makers/writers putting in things like that Firefox IDN punycode default to simultaneously shield users from the details while opening an avenue for said users to be misdirected by the ne'er do wells.

      A typical UK or US English user is unlikely to need a URL to include Cyrillic or other variants of their normal symbols appearing in URLs. Same for typical French or Arabic or other users - that should apply en masse per locale/region and doesn't seem to be a particularly insurmountable technical problem.

    2. Anonymous Coward
      Anonymous Coward

      Re: Seems a silly issue

      I'll tell you what. Poke both your eyes out so you're dependent upon a screen reader. Then see if it makes any difference which alphabet is used.

      Hint: symbols that look the same may represent different phonemes in other languages.

      If you still can't figure it out, well you're now blind so you won't be posting any more stupid comments. At least not until you've got the hang of that screen reader.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like