That Secure Domain May Not Be So Secure

A Unicode-based attack known as a homograph attack can falsify a domain name, right down to a secure HTTPS connection. Because it mimics a legitimate domain so convincingly, it puts seasoned IT pros at risk as well as the average user.

Brandon Vigliarolo writes, “Homograph attacks, which involve substituting Unicode with regular ASCII letters to fake a domain name, have been around since the early 2000s. Modern web browsers are built to detect homograph attacks, but software engineer Xudong Zheng figured out a way to beat the filters.

“The problem is a serious one, but thankfully is only a problem in Google Chrome, Firefox, and Opera. Want to know if you’re vulnerable? Head over to Zheng’s blog and check out his proof of concept link to a fake Apple domain.

“What you would see if you were protected would be the real domain name: https://www.xn— Because it’s named with Unicode substitutions for a, p, l, and e, it displays as a completely legitimate domain name—it’s even secured with HTTPS.

“Zheng discovered that when a domain is named with a set of Unicode letters from a single language (typically Russian), it bypasses the filters in Chrome, Firefox, and Opera.”

Read the full article.
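
As an added example (not from Zheng's post or the quoted article), the following Python check shows why a filter that only looks for mixed scripts misses an all-Cyrillic label, and how folding known lookalike letters to ASCII flags it. The confusable map, function names and sample labels are constructed for illustration, and the map is not exhaustive.

```python
import unicodedata

# Constructed, non-exhaustive map of Cyrillic letters that render like Latin ones.
CONFUSABLE = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j", "\u04cf": "l", "\u0501": "d",
}

def decode_label(label):
    """Return the Unicode form of one DNS label (Punycode 'xn--' labels decoded)."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed ACE label: leave as-is
    return label

def scripts_in(text):
    """Script names of the letters in text, taken from the Unicode character name."""
    return {unicodedata.name(c, "UNKNOWN").split(" ")[0] for c in text if c.isalpha()}

def check_host(hostname):
    """Flag non-ASCII labels that read as ASCII once confusable letters are folded."""
    findings = []
    for label in hostname.split("."):
        text = decode_label(label)
        if text.isascii():
            continue
        skeleton = "".join(CONFUSABLE.get(c, c) for c in text)
        if skeleton.isascii():
            findings.append({
                "label": label,
                "skeleton": skeleton,
                # What a mixed-script-only filter would key on:
                "mixed_script": len(scripts_in(text)) > 1,
            })
    return findings

if __name__ == "__main__":
    # Constructed samples: all-Cyrillic lookalike, Latin+Cyrillic mix, ordinary Cyrillic word.
    samples = ["\u0440\u0435\u0430\u0441\u0435", "p\u0435ace",
               "\u043f\u0440\u0438\u043c\u0435\u0440"]
    for s in samples:
        host = (s + ".example").encode("idna").decode("ascii")
        print(host, check_host(host))
```

The all-Cyrillic sample is flagged with `mixed_script` set to False, which is the case the quoted article says slipped past the browser filters; the ordinary Cyrillic word is not flagged because it does not fold to an ASCII string.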