Spoofing Websites is an age old trick. Homograph attacks.

wkleem (Community Member)

Potentially, the ability to spoof websites has been an issue for 20 years but ICANN had never gotten around to dealing with the issue.

https://theguardian.com/technology/2017/apr/19/phishing-url-trick-hackers44

"The proof-of-concept domain was put together by Xudong Zheng, a security researcher who wanted to demonstrate the problem with the way domain names can be registered and displayed. For a long time, domain names could only be written in Latin characters without diacritics, but since 1998 it’s actually been possible to write them in other alphabets too. That’s useful if you want to register a domain name in Chinese or Arabic script, or even just correctly spelled French or German – anything that can be represented with the Unicode standard can be registered, even emoji – but it’s also opened up a whole new avenue of misdirection for malicious actors to take advantage of, by finding characters in other alphabets which look similar to Latin ones."



Comments

  • jpgoldberg (1Password Alumni)

    Yep. I recall discussing homoglyphs[1] back when internationalization of domain names was first proposed. Sadly ICANN went ahead with this despite the obvious dangers. Of course there are compelling reasons to want to have domain name segments not limited to the 37 characters originally defined, [-a-z0-9]. But it is already bad enough with "vv" versus "w" and "1" versus "l".

    If we look at the Latin "a" and the Cyrillic "a", they are going to be visually indistinguishable in any typeface that handles both. So "PayPal" is going to appear identical to "PаyPal". If your browser has to do a font substitution to get the Cyrillic, then you might see a difference.

    1Password's antiphishing mechanism works for you

    Note that 1Password helps you enormously here. The mechanisms that help prevent you from filling in a password to a phishing site work in these cases as well. You may not be able to see that www.paypal.com is not the same as www.pаypal.com, but 1Password does see the difference. It will not fill in a login meant for one into the other.

    Homoglyphs in passwords.

    I would like to quote from the 1Password Security White Paper on another problem of homoglyphs. I'm not sure how it will render here, so I will just post an image from the page:

    [image: homoglyph excerpt]

    Slack does it right

    For those familiar with Slack, I was pleased to learn that it does it right, making it hard for one person to try to direct another to a misleading website. Last September I was talking about the dangers of homoglyphs and phishing in a discussion on Slack. I found it hard to illustrate because Slack (correctly) refused to perform the IDN rendering. So it was nice to see that Slack did things safely, but it sort of spoiled my demo.


    [1] Just as homophones are distinct words which sound identical, homoglyphs are distinct letters/characters that are visually identical in writing, but are actually different letters/characters.

  • wkleem (Community Member)

    Thanks jpgoldberg! Meanwhile, I have set punycode to true in Firefox 52. The next version of Chrome 58 will supposedly solve the issue. Safari was unaffected. Opera (current version) was affected but the punycode can't be modified.

    In Firefox about:config, network.IDN_show_punycode = True
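    The two points made above, that www.paypal.com and www.pаypal.com are different strings even when they render identically, and that showing the punycode form exposes the difference, can be checked in code. The following is an added example (not from the thread or from 1Password) that renders a domain the way a browser with punycode display would and flags labels that mix Unicode scripts; the function names and the constructed sample domains are the example's own.

```python
import unicodedata


def to_punycode(domain: str) -> str:
    """Render a domain as a browser with punycode display shows it.

    Pure-ASCII labels pass through unchanged; any label containing
    non-ASCII characters becomes an xn-- label.
    """
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set[str]:
    """Return the set of Unicode scripts used by the letters of one label.

    Digits and hyphens are common to every script and are ignored.
    The script is taken from the first word of the character's Unicode name
    (e.g. 'LATIN SMALL LETTER A' vs 'CYRILLIC SMALL LETTER A').
    """
    scripts = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def homograph_risk(domain: str) -> dict:
    """Summarise why a domain should be shown in punycode rather than rendered.

    Note: the mixed-script check catches the PayPal case discussed above, where
    one Cyrillic letter sits among Latin ones, but a label written entirely in
    a single non-Latin script is not 'mixed'; the punycode form is the check
    that always reveals a non-ASCII label.
    """
    labels = domain.lower().split(".")
    return {
        "punycode": to_punycode(domain),
        "is_ascii": domain.isascii(),
        "mixed_script_labels": [lb for lb in labels if len(label_scripts(lb)) > 1],
    }


def same_host(host_a: str, host_b: str) -> bool:
    """Exact comparison after IDNA encoding: this is why a password manager
    matching on the stored host will not fill one site's login into the other."""
    return to_punycode(host_a.lower()) == to_punycode(host_b.lower())


if __name__ == "__main__":
    # Constructed sample: "\u0430" is CYRILLIC SMALL LETTER A in place of Latin "a".
    for host in ("www.paypal.com", "www.p\u0430ypal.com"):
        print(host, homograph_risk(host))
    print(same_host("www.paypal.com", "www.p\u0430ypal.com"))
```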

  • AGAlumB (1Password Alumni)

    @wkleem: Yeah, better safe than sorry, since there are contexts outside of 1Password where it's important to know what you're dealing with.

    Chrome 58 is available now in the stable channel, so anyone who hasn't already updated should do so. However, Opera's latest, 44.0.2510.1218, looks like it's based on Chrome 57.0.2987.133, so this issue is still present there.

    Anyway, thanks for sharing that here! I'm sure that others will benefit. :)
