back to article That apple.com link you clicked on? Yeah, it's actually Russian

Click this link (don't fret, nothing malicious). Chances are your browser displays "apple.com" in the address bar. What about this one? Goes to "epic.com," right? Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words …

  1. The Original Steve

    Edge

    Shows the real address in Edge on W10.

    1. Tessier-Ashpool

      Re: Edge

      Real address in macOS 10.12.4, also.

    2. Anonymous Coward
      Anonymous Coward

      Re: Edge

      >We're told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear.

      Wow that's different for a change.

      1. Yet Another Anonymous coward Silver badge

        Re: Edge

        Chrome on chromebook is vulnerable but vivaldi (chrome from the guys that brought you opera) is safe

  2. frank ly

    I'm using Palemoon 27.0.3 on Linux and those first two links have different behaviour. The first one shows as "https://xn--80ak6aa92e.com/" and the second one shows as "https://www.epic.com" when I hover the cursor over it.

    1. VinceH Silver badge
      Meh

      Looking at them on this Linux Mint box, my RSS reader shows them as https://xn--80ak6aa92e.com and https://www.xn--e1awd7f.com/ respectively.

      My browser (Firefox on this box) shows the first one as the article describes, except for one significant difference: The 'l' looks like a capital I - presumably a side effect of the font in use here, but the important point is that for me it stands out a mile.

      The second one, however, does just look like epic.com

    2. joeW Silver badge

      Vivaldi 1.8 on Win 7 here - both addresses showing correctly. Quite surprising since its using the Chromium engine, and yet my current version of Chrome is getting bamboozled.

    3. Anonymous Coward
      Anonymous Coward

      Pale Moon 27.2.1 on windaz, same behaviour - The first one shows as "https://xn--80ak6aa92e.com/" and the second one shows as "https://www.epic.com" setting network.IDN_show_punycode to True corrects the display issue.

      1. This post has been deleted by its author

  3. Voland's right hand Silver badge

    AFAIK mozilla had URL checking code

    That decision was criminal in its stupidity. Example: НSВС.com - that is Russian N, S Russian V, Russian S, .com.

    You can create a mixed encoding homophone for nearly anything and it will be virtually indistinguishable from the real thing. Now throw in a certificate and voila - phishing, here it comes.

  4. Anonymous Coward
    Anonymous Coward

    an easy fix for firefox

    is to set network.IDN_show_punycode=true in about:config

    too bad this is not the default.

    1. Alumoi
      Pint

      Re: an easy fix for firefox

      Have one on me, I missed this one in my config.

      1. AMBxx Silver badge
        Pint

        Re: an easy fix for firefox

        Lots of beer on its way to you today.

        Anyone know if it's possible to set this in either the registry or AD?

        1. Sloppy Crapmonster

          Re: an easy fix for firefox

          Firefox and AD? No. You *might* be able to use FrontMotion's MSI and group policy extensions but I had to give it up years ago because the extensions weren't keeping up with the features in the browser.

          1. TonyJ Silver badge

            Re: an easy fix for firefox

            CCK2 - free addon for Firefox that allows you to develop a config.

            Beat me to the punycode config setting though :)

      2. Aus Tech

        I wonder what happens...

        when the browser is updated to a new version?

        Of course, if we ALWAYS type the url into the address bar, we aren't going to have the problem, but when there is a long string of other text after the '/', that's going to be awkward.

    2. Jason Bloomberg Silver badge
      Pint

      Re: an easy fix for firefox

      Many thanks. You have likely saved a lot of people a lot of time in searching for that solution.

    3. Tom 38 Silver badge

      Re: an easy fix for firefox

      This isn't a fix, it is a work around. You fix the problem that you are not mislead by malicious IDNs, but you have a new problem that you cannot see any IDNs.

      It's like someone complaining that their editor doesn't work in Arabic, and being told that the fix is to write in English.

      1. AMBxx Silver badge
        Facepalm

        Re: you cannot see any IDNs.

        You can see it - looks like a load of random text. Perfect for me as no site I need to use is likely to use strangely obfuscated text.

      2. DougS Silver badge

        Re: an easy fix for firefox

        For most English speakers, not seeing IDNs is likely not much of an issue.

        Maybe a compromise would be that with punycode 'true' it shows the punycode domain name in the address bar to avoid (English speaking) people getting fooled, but the shows proper name when you hover over it if you were i.e. visiting a Russian site.

        1. Tom 38 Silver badge
          FAIL

          Re: an easy fix for firefox

          The 5+ billion people who don't speak it as a first or second language can just go get fucked then?

          1. DougS Silver badge

            Re: an easy fix for firefox

            Obviously another solution will need to be found for them, but English speakers are likely to be the target of the vast majority of hijacking attempts that use punycode domains masquerading as real ones.

            Is a solution a bad one if it only fixes the majority of the problem, rather than 100% of it?

            1. Tom 38 Silver badge

              Re: an easy fix for firefox

              Obviously another solution will need to be found for them, but English speakers are likely to be the target of the vast majority of hijacking attempts that use punycode domains masquerading as real ones.

              No, you are only thinking of the problems that an anglophone will encounter from homographic IDN attacks, it is still a form of colonialism.

              You haven't considered that due to our earlier anglophone-only internet, most of those non english speakers will actually be using a lot of domains that have english domain names, for instance paypal, google, mpay and so on. A work around that "works" for anglophones, but still allows the remaining 84% of the world to be pwned is not a valid solution.

              For instance, a user in India almost certainly would want punycode on for local websites, but they still won't want to go to xn--mesa-g6d.in thinking it is mpesa.in.

          2. Gordon 15

            Re: an easy fix for firefox

            I don't think 5 billion+ people use the OP's computer. I'd wager that it's probably just him or her and maybe some family members - judging by the post, probably using English in an ISO Latin alphabet.

          3. JLV Silver badge
            Happy

            Re: an easy fix for firefox

            >can just go get fucked

            Chill, still helps the 100% of commentards here who read English...

      3. joed

        Re: an easy fix for firefox

        If you can't apply the workaround, you'll need to check certificate for sites you really care (let's encrypt cert is a red herring). It sucks that not only urlbar gets spoofed but also noscript sees no harm so drive by is that much more likely to happen (if you apply permanent exceptions to domains you trust).

      4. Deltics
        Joke

        Re: an easy fix for firefox

        But this is still a perfectly valid and complete "fix" for that person if that person only actually wants/needs to write in English.

        Of course, the "fix" for the person who never needs to visit IDN domains is an "it's broken" for someone who does. Isn't it ?

        Which is the real problem, no ?

        But your text editor analogy falls somewhat short. A text editor that does not support Arabic cannot be used to send a document to someone that looks like English but is in fact Arabic.

        "I sent the infidel the instructions for assembling a bomb, and they thought it was a shopping list because I used Arabic that made it look like a list of English words for grocery goods. How surprised will they be when they go out to buy milk and eggs and instead blow up the supermarket ?!"

        :)

    4. Captain DaFt

      Re: an easy fix for firefox

      That fix also works for SeaMonkey. Thanks.

    5. datafabric
      Coat

      Re: an easy fix for firefox

      I'm surprise the author didn't provide the solution at the end of the article. This is El Reg after all or am I asking too much? :-)

      1. diodesign (Written by Reg staff) Silver badge

        Re: Re: an easy fix for firefox

        Thanks - updated the article with the fix info.

        C.

    6. Nifty

      Re: an easy fix for firefox

      err... was the genuine about:config?

    7. Nifty

      Re: an easy fix for firefox

      In your phishing email:

      "On security grounds the links in this email are not clickable. Instead, please copy and paste the following link instead...."

  5. Sampler

    Simple solution?

    Sorry, this might seem a little simple, but, as we know what characters looks like what in other languages, when some applies to have a domain like raural.com that become paypal.com is to simply flag it as unavailable, just like if someone owns the domain already - surely it wouldn't take much longer for a script checking to see if the domain you wish to buy permeates the unicode and checks all possibilities before returning the results with a big fat "computer says no" when you're trying to spoof a domain.

    Yeah, a few people may end up not being able to get the domain they wish, but let's face it, most people buying a domain face that problem these days anyway as someone's beaten them to all the good names anyway.

    Or am I over simplifying things? I could quite easily be, I'm rather the idiot..

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple solution?

      you are. under your proposal, a hypothetical corporation peddling nuclear reactor fuel (mox.com) should be able to lock out an equally hypothetical innocent grop of russian lichen-fanciers (мох.ru). The existence of a company website opal.com should not stop a hypothetical local nightclub in the middle of siberia from calling itself ора1.ru, after a little local river. ideally, these hypothetical russian entities should also be able to register their names in the .com or .org namespaces - saying otherwise would strongly imply that some animals are more equal than others.

      most IDN are used entirely innocently, and are a great help in online those of us who do not speak english, or at least another laguage based on the latin alphabet, fluently. making them second-class does not help anybody.

      1. Brangdon

        Re: Simple solution?

        Currently mox.com and mox.ru can both exist, even if owned by different entities. That's the whole point of having different namespaces. Given that, мох.ru should be allowed whether or not mox.com exists, so long as mox.ru doesn't exist.

        If both spellings want the same namespace, as in мох.com and mox.com, then it should be handled as if the spellings were the same. First-come, first-served, or whatever the rule is. That isn't making IDN second class. It is treating them the same as everything else.

      2. Eddy Ito Silver badge

        Re: Simple solution?

        Could one do a simple check to see if the language in the IDN being used matched that in use by the system and if not give an indicator such as highlight the address bar fuchsia or show an icon if it doesn't?

        1. psychonaut

          Re: Simple solution?

          yeah, but most users wont care. click....click...give me it now!

          "this file will probably fuck your computer and possibly your wife" click proceed to proceed, click back to cancel.

          give me it now! click click....

          they dont read or pay attention to such things

  6. Fazal Majid

    A simple fix

    Would be to block IDN on the .com zone, where the vast majority of attempted impersonation would likely occur.

    1. AMBxx Silver badge

      Re: A simple fix

      I use OpenDNS for DNS on my home office network. I was hoping to see an IDN setting in the options, but no joy.

      I'll just have to stick to blocking all of Eastern Europe for now.

  7. GreggS

    Not just Mac

    Chrome 57.0.2987.133 on W7 shows the incorrect address, but IE11 shows the correct one for the second link and doesn't show or let you click on the first.

    1. Julian Bradfield

      Re: Not just Mac

      The addresses are not incorrect - they are *supposed* to be displayed in cyrillic, that's the whole point!

      1. This post has been deleted by its author

        1. Steve the Cynic

          Re: Not just Mac

          No, they are displayed in Cyrillic that *looks* like Western European. (And that's more or less the whole point of the "attack" - they look like apple, paypal, etc., but aren't.)

  8. Drew 11

    Just another ICANN cockup

    With the launch of IDN equivalent TLD's for CNO along with the newGTLD's, ICANN had an ideal opportunity to fix this problem for good. Instead they made it worse.

    What should have happened: Complete banning of mixing scripts between levels. All IDN's in CNO should have been moved over to their equivalent IDN newGTLD (eg cyrillic .com's should have been grandfathered over to .ком, etc,) and the system returned to only ASCII registrations allowed in the plain old ASCII CNO TLD's.

    Instead, ICANN sat on it's hands and even let mixed scripts proliferate into the ASCII new GTLD's! So now you can register chinese scripts in .xyz. How useful.

    SSAC were asleep at the wheel.

    But don't get me started.

  9. Drew 11

    In fact it's become some a huge mess that Verisign, having successfully applied for 12 transliterations of .com and .net, have only launched two of them - .コム for Japan and .닷컴/.닷넷 for Korea - and that was over a year ago. They have abandoned launching the rest. That would make for an interesting article in itself- why would a powerhouse like Verisign not be able to handle launching the lot of them at the same time, given they're for completely different markets?

  10. djstardust

    Opera Windows 7 64

    Hey there!

    This may or may not be the site you are looking for! This site is obviously not affiliated with Apple, but rather a demonstration of a flaw in the way unicode domains are handled in browsers.

    1. Robert Carnegie Silver badge

      Re: Opera Windows 7 64

      Current Opera is Chrome-related. The web address displays like "apple.com", and if the page wasn't constructed as a message which says that it isn't apple.com then we would be deceived.

  11. This post has been deleted by a moderator

  12. Cuddles Silver badge

    Seems a silly issue

    "different but look almost identical"

    A letter is just a symbol with a certain shape - if two letters look identical, they are identical. It doesn't matter if different languages use that shape in different ways to represent different sounds, the only thing a computer needs to do is display the shape when told to do so; there's absolutely no reason to come up with multiple codes to represent the same shape just because that shape is used in different alphabets.

    And before objections that the letters aren't quite identical and the minor differences justify the different codes, that sort of minor change is a function of font. The difference between a Times New Roman "P", a Comic Sans "P" and a Wingdings "P" is far greater than the difference between an English and a Russian "P". If you want Cyrillic-looking letters you choose a Cyrillic font, if you want Latin letters you choose a Latin font. Defining multiple codes for effectively identical letters really doesn't help matters.

    1. Rob D.

      Re: Seems a silly issue

      So true - the issue is how the user responds to the symbol displayed and not what the computers are using internally to represent it.

      There is a necessary trade-off between making things easy or friendly for the less IT-literate (i.e. most non-IT) people, and giving those same people a risk-proportionate way of avoiding ne'er do wells. The risk is browser makers/writers putting in things like that Firefox IDN punycode default to simultaneously shield users from the details while opening an avenue for said users to be misdirected by the ne'er do wells.

      A typical UK or US English user is unlikely to need a URL to include Cyrillic or other variants of their normal symbols appearing in URLs. Same for typical French or Arabic or other users - that should apply en masse per locale/region and doesn't seem to be a particularly insurmountable technical problem.

    2. Anonymous Coward
      Anonymous Coward

      Re: Seems a silly issue

      I'll tell you what. Poke both your eyes out so you're dependent upon a screen reader. Then see if it makes any difference which alphabet is used.

      Hint: symbols that look the same may represent different phonemes in other languages.

      If you still can't figure it out, well you're now blind so you won't be posting any more stupid comments. At least not until you've got the hang of that screen reader.

    3. Anonymous Coward
      Anonymous Coward

      Re: Seems a silly issue

      A letter is just a symbol with a certain shape - if two letters look identical, they are identical

      OK, then answer this simple question: does "C" come before "P"? What about "С" and "Р"?

      (a hint: The first pair is in a Latin script; the second is in a Cyrillic script).

      Lexicographical sorting is pretty fundamental for many uses of computers; having a common namespace for most of the world's living languages (e.g. unicode) makes it much more manageable. An alternative would be to attach a code page to every snippet of text. This is possible, and has been done before - but if you ever had to deal with a code page-based representation of a multilingual text, you will likely find the unicode solution much more pleasant to deal with.

  13. Captain Badmouth
    Holmes

    win7 FF 52.0.2

    Yep, both show normal in win7. My old xp box with FF52.0.2 in a sandbox shows https://www.аррӏе.com/ in the address bar for the first and normal for the second one. Plug pulled from xp box, quick !

  14. druck Silver badge
    Stop

    Chrome/Chromium

    Although there is no fix such as turning off punycode in Chrome/Chromium, if you are running ScriptSafe it will show you the real URL - and hopefully will have blocked anything nasty the fake site is trying to do.

  15. Anonymous Coward
    Anonymous Coward

    Incidentally...

    When you copy and try and paste the link in the article into WhatsApp it crashes WhatsApp. Weird.

    http://аррӏе.com/

  16. Gnosis_Carmot

    Vivaldi and Brave (Chromium based) didn't show apple and epic

    They showed the gobbledegook domain names. Chrome went ahead and showed the bogus names.

  17. DougS Silver badge

    Why is this difficult?

    If I have my language set to English, I should not display domains using Cyrillic characters. If I have my language set to Russian, I should.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why is this difficult?

      If I have my language set to English, I should not display domains using Cyrillic characters. If I have my language set to Russian, I should.

      What if I have several windows (or even tabs) in several languages? For example, I have no trouble reading English, German, French, and Russian - and I would frequently have tabs open in at least two of those at the same time. Why should I not be allowed to conveniently use the languages I do understand?

      1. veti Silver badge

        Re: Why is this difficult?

        If you routinely browse in multiple languages, then you're sufficiently unusual that it's not unreasonable to expect you to be the one who has to do something different.

        Like, maintain a separate browser window for each language. To me that doesn't sound too big an imposition. Note that you could still read Russian pages in your English-language browser window, except for the Cyrillic URLs. If you want to read those, you'd have to switch the native language in your current session.

        1. Rob - Denmark

          Re: Why is this difficult?

          "If you routinely browse in multiple languages, then you're sufficiently unusual that it's not unreasonable to expect you to be the one who has to do something different.

          Like, maintain a separate browser window for each language. To me that doesn't sound too big an imposition."

          That's only because you haven't tried it in real life.

          I just got an e-mail with an update to an order i placed before Easter. The e-mail is in Danish. When I click the link, should I choose the English or the Danish browser? (Turns out, the website is in English, despite the Danish e-mail).

          http://www.logitech.com - better use my English browser. Turns out, Logitech detects my location and redirects me to http://www.logitech.com/da-dk, so now I have to switch to my Danish browser?

          Visiting Lenovo's Support site, I end up on http://support.lenovo.com/dk/en (DK for Denmark but EN for English, since the language on the support site is in English. So English or Danish browser?

          And yes, we have domains with special Danish letters: Æ, Ø og Å.

        2. Anonymous Coward
          Anonymous Coward

          Re: Why is this difficult?

          If you routinely browse in multiple languages, then you're sufficiently unusual ...

          Unusual? I don't think so.

          If anything, I speak fewer languages than nearly every person around me; I am handicapped by growing up in a country large enough and chauvinistic enough to insist on not giving its children a meaningful second- and third- language education (or even casual foreign-language exposure) until you reach the university. As the result, I had to pick up my foreign languages as an adult - which unfortunately means that I will never entirely get rid of my accent, even when I am otherwise as proficient as a native speaker would be.

          In almost every European country, it is completely normal and in fact expected that a moderately well-educated person will speak multiple languages. It is a uni-lingual person who is an aberration.

  18. This post has been deleted by its author

  19. Bob Rocket

    Simple solution

    'The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language'

    The Internet should be in (British)English only, it will do Johnny Foreigner no end of good to learn a proper language.

  20. Bucky 2

    You're never going to be able to save the unwise from themselves. But there are some things you can do.

    Your browser already knows what languages you speak (because you can tell it). So:

    If you have a domain that uses glyphs from a language you do not speak, it could appear differently (color, font, or accompanying icon).

    If you have a domain that uses glyphs from a mixture of different languages, it could appear differently (different color again, different font again, another accompanying icon).

    In neither case do you actually need to break punycode.

    1. Ken Hagan Gold badge

      You mean "scripts" rather than "languages" but, yes, I suspect that this is how the issue will be resolved.

      I believe there is some opposition to this on the grounds that several thousand people have legitimate registrations that would be classified as "mixed" under your rules and would therefore be penalised despite doing nothing wrong. Yeah, sad, but sometimes a few shits spoil things for everyone else and I think this is one of those times.

  21. Lotaresco

    Glyphs from a mixture of different languages would be silly

    ʘ︡ᴥʘ︠

  22. Trigonoceps occipitalis

    Click this link (don't fret, nothing malicious).

    Yes, and I'm a Nigerian Prince looking for somewhere to lodge £380 million or so, no, honestly.

    Good opening line for a tech site!

  23. nagyeger

    Show BOTH?

    Why don't browsers show BOTH? (punycode first, with some note about the alphabets in use)

  24. Twilight

    It's interesting that Chrome 57 is broken. I found a note on the Chromium project that Chrome 51+ should display punycode (rather than the IDN characters) if latin is mixed with either cyrillic or greek (or cyrillic and greek are mixed). Apparently this isn't actually happening (never actually implemented? bug?).

    It's also rather disappointing that Chrome has no way to turn off the display of non-english characters in URLs (it's not a fix but it would be far safer for me since I very rarely go to any sites with non-english URLs).

  25. Gritzwally Philbin
    Holmes

    Mac OS X 10.6.8 running SeaMonkey 2.38 shows the real address.. https://www.xn--80ak6aa92e.com/ the second link gives the fake epic.com address.

    Hmmm. Interesting. This is sort of why I only click links that are in certain email messages - like The Register and a few other sites I am subbed to. None however are tied to anything that deals with putting in any financial info.

    Any site I use that is linked to my credit card or banking, is entered manually.

    End of story.

    1. Anonymous Coward
      Anonymous Coward

      I hope you've applied the NTP and Bash fixes to Snow Leopard, Gritzwally.

      i prefer 10.6.8 myself, but lack of a decent browser killed my experience ..

  26. Anonymous Coward
    Anonymous Coward

    Chrome 58 is out now. It shows apple.com and epic.com correctly. (A few minutes ago, 57 on my computer showed them as bogus URLs).

  27. VinceLortho
    Linux

    Got Linux?

    Chrome 58.0.3029.81 (64-bit) on Ubuntu 16.04 LTS displays the sample URLs as random letters.

  28. stewate4

    Does this affect links in Thunderbird email messages?

    1. stewate4

      Checked it for myself, and yes it does (fixed with the same fix as for Thunderbird)

  29. Emily Taylor

    IDNs need to be seen as an access issue, not a security threat!

    The real problem with IDNs is the lack of so-called universal acceptance - the ability to use an IDN seamlessly in any context that a traditional domain name would be used, such as email, web browsers, user account identifiers, URLs in content, certificates etc. The view that IDNs present a security threat risks inhibiting the essential work that is required to fix universal acceptance.

    More than half the world's population does not currently have access to the Internet. Many of those people are not familiar with the Latin alphabet, which forms the basis of traditional domain names - as your piece points out. Language is an access issue: English is still the language of more than 50% of web content. A person who cannot speak English is statistically less likely to be online or to own a computer. Research shows that IDNs are more likely to be associated with linguistically diverse content than traditional domain names (http://idnworldreport.eu/ch.... Therefore IDNs have the potential to enhance linguistic diversity in on the online environment.

    Homograph attacks described in your article have been understood for at least a decade. However, while uptake of IDNs remains so low (only 2% of the world's domains are IDNs), the threat remains largely theoretical. In contrast, phishing attacks and other security issues relating to traditional domain names are a daily occurrence. Google's 'solution' of displaying Punycode is not a solution at all. It erodes the user experience of IDN and does not eliminate risk. When a user sees Punycode in a browser bar they have no visual clues to tell them that they are where they expected to be, and as a result could easily be side-tracked into a malicious environment.

    We all need to be mindful of security in the online environment and many challenges exist. At the same time, the DNS industry should not let the fear of the unknown stand in the way of possible, positive developments. For example, it is disappointing that while Google was able to release its 'fix' within a matter of days, its progress on implementing support for internationalised email addresses is taking years. The technical community needs to work harder at enhancing universal acceptance of IDNs, so that every person can enjoy the benefits of the online environment - no matter what language they read or speak.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019