
posted by martyb on Sunday March 11 2018, @10:39AM
from the söylêntnéws.org dept.

Brian Krebs writes on how browsers choose to display IDNs (internationalized domain names). The issue here is of course spoofing valid URLs with visually similar letters. You would probably notice the lame attempt in the department line, but some international characters are very similar, or indeed identical, to their ASCII counterparts. Depending on your personal preferences, it might be a good idea to have your browser show punycode instead. Could save you a headache later.

https://krebsonsecurity.com/2018/03/look-alike-domains-and-visual-confusion/

Here are some of the applicable RFCs:

  • RFC 3490 - Internationalizing Domain Names in Applications (IDNA)
  • RFC 3491 - Nameprep: A Stringprep Profile for Internationalized Domain Names (IDN)
  • RFC 3492 - Punycode: A Bootstring encoding of Unicode for Internationalized Domain Names in Applications (IDNA)
  • RFC 3986 - Uniform Resource Identifier (URI): Generic Syntax
  • RFC 4690 - Review and Recommendations for Internationalized Domain Names (IDNs)
  • RFC 5890 - Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework
  • RFC 5891 - Internationalized Domain Names in Applications (IDNA): Protocol
  • RFC 5892 - The Unicode Code Points and Internationalized Domain Names for Applications (IDNA)
  • RFC 5893 - Right-to-Left Scripts for Internationalized Domain Names for Applications (IDNA)
  • RFC 5894 - Internationalized Domain Names for Applications (IDNA): Background, Explanation, and Rationale
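As an added example (not from the Krebs article or this submission), the Python below shows the RFC 3492 punycode wire form of a look-alike name and a simplified version of the single-script check browsers apply when deciding whether to show Unicode or punycode; the hostnames are constructed, with CYRILLIC SMALL LETTER O (U+043E) standing in for the Latin o, and the policy is a deliberately reduced model, not any browser's actual algorithm.

```python
import unicodedata

# Constructed sample hostnames (not from the article): the second one swaps the
# Latin "o" for CYRILLIC SMALL LETTER O (U+043E), which renders identically.
GENUINE = "trustworthy.example"
LOOKALIKE = "trustw\u043erthy.example"

def script_of(ch: str) -> str:
    """Coarse script taken from the Unicode character name, e.g. LATIN, CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"

def label_scripts(label: str) -> set:
    """Set of scripts used by the letters of one label (digits/hyphens ignored)."""
    return {script_of(c) for c in label if c.isalpha()}

def to_punycode(hostname: str) -> str:
    """Wire form of a Unicode hostname: RFC 3492 punycode with the xn-- prefix."""
    return hostname.encode("idna").decode("ascii")

def to_unicode(hostname: str) -> str:
    """Unicode form of a hostname given either in xn-- (punycode) or Unicode form."""
    if hostname.isascii():
        return hostname.encode("ascii").decode("idna")
    return hostname

def display_form(hostname: str) -> str:
    """Simplified browser policy (a model, not a real browser's rules): show
    Unicode only when every label is written in a single script; a mixed-script
    label is shown as punycode instead, so the spoof is visible in the address bar."""
    unicode_host = to_unicode(hostname)
    if any(len(label_scripts(lbl)) > 1 for lbl in unicode_host.split(".")):
        return to_punycode(unicode_host)
    return unicode_host

def differing_codepoints(a: str, b: str) -> list:
    """Positions where two equal-length names use different code points,
    with the Unicode names of both characters, e.g.
    [(6, 'LATIN SMALL LETTER O', 'CYRILLIC SMALL LETTER O')]."""
    return [(i, unicodedata.name(x), unicodedata.name(y))
            for i, (x, y) in enumerate(zip(a, b)) if x != y]

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(f"{host!r:28} wire={to_punycode(host)!r:32} shown={display_form(host)!r}")
    print(differing_codepoints(GENUINE, LOOKALIKE))
```

The look-alike name comes out as `xn--trustwrthy-jvi.example` on the wire, the same string one of the commenters below reports seeing on mouse-over.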

  • (Score: 2) by darkfeline (1030) on Sunday March 11 2018, @10:50PM (#651102) Homepage (4 children)

    Why is this an issue? The only things I can think of are

    1. Phishing. You do use a browser integrated password manager which checks the domain name, right? A password manager isn't going to be tricked by visually similar characters.
    2. You unconditionally trust the fake/real news on the site with the domain foxnews/cnn/whatever and you end up unconditionally trusting the real/fake news on the imposter site. Eh, tough luck.

    And all of those require 3. You followed a link instead of navigating to the URL yourself.

    It's not like this is significantly different from typo squatting, e.g. solyentnews.org. Best practices that worked then still work now.

    --
    Join the SDF Public Access UNIX System today!
  • (Score: 2) by DavePolaschek (6129) on Monday March 12 2018, @02:12PM (#651336) Homepage Journal

    It's an issue because companies like BIGCO use BIGCOSYSTEMS.com and BIGCONEWPRODUCT.com for outgoing marketing and websites (because Brands!), and thus have trained users to use their BIGCOID username and password on all sorts of sites that aren't BIGCO.com.

    Yeah, best practices work, but marketing departments seldom follow best practices.

  • (Score: 2) by requerdanos (5997) Subscriber Badge on Monday March 12 2018, @03:25PM (#651364) Journal (2 children)

    > Why is this an issue?

    We'd like to make it hard, not easy, to fool people and take their money and/or trust for nefarious purposes.

    > 1. Phishing. You do use a browser integrated password manager which checks the domain name, right? A password manager isn't going to be tricked by visually similar characters.

    Yes and no. For some pages, the password manager recognizes the initial login that you normally navigate to from your bookmarks or typing in a site manually, but the different login pages that you might encounter from being auto-logged out ("your session has timed out"), etc. are different pages and thus might not be recognized. This conditions people to type their credentials into unfamiliar-but-probably-genuine forms, and makes them ripe for phishing *because* of the behavior of a password manager.

    > 2. You unconditionally trust the fake/real news on the site with the domain foxnews/cnn/whatever and you end up unconditionally trusting the real/fake news on the imposter site. Eh, tough luck.

    People do things like turn over money and reveal personal information on the strength of trust. If the trust is misplaced, bad things happen. We want to avoid that where possible.

    > And all of those require 3. You followed a link instead of navigating to the URL yourself.

    That's how everyone from Tim Berners-Lee on down navigates the web, yourself included.

    You do not examine every link you come to and then hand-type it into an address bar, and even if you did, that would introduce more errors than it would correct.

    > It's not like this is significantly different from typo squatting,

    Saying that doesn't make either one of them not a bad thing. However, typosquatting is much more obvious and therefore less nefarious.

    http://trustme.example/ [trustme.example] and http://trustame.example/ [trustame.example] can be differentiated if you're paying attention.

    That's less true of http://trustworthy.example/ [trustworthy.example] and http://trustwоrthy.example/ [trustwоrthy.example] (which are different sites with identical-appearing names).*

    ----
    * At the time of writing, soylentnews.org is calling one of these "[trustworthy.example]" and the other "[trustwоrthy.example]"--which does differentiate them, but in an interestingly nonstandard way.

    • (Score: 2) by darkfeline (1030) on Monday March 12 2018, @04:38PM (#651410) Homepage (1 child)

      >We'd like to make it hard, not easy, to fool people and take their money and/or trust for nefarious purposes.

      Sure, but a fool and his money are still easily parted.

      >This conditions people to type their credentials into unfamiliar-but-probably-genuine forms, and makes them ripe for phishing *because* of the behavior of a password manager.

      PEBCAK, and requires the premise that the user is visiting poorly designed sites that suffer this issue, so it assumes the user is already putting themselves at risk before the event. Even my bank's crappy website combined with Chromium's built in password manager doesn't suffer from this issue.

      >People do things like turn over money and reveal personal information on the strength of trust. If the trust is misplaced, bad things happen. We want to avoid that where possible.

      The problem isn't trust, the problem is people trusting untrusted things. Sure, we can try to protect the fool, but fools are clever in their ability to avoid protections. If you unconditionally trust anything on the Internet, well, you're already in a bad spot.

      >That's how everyone from Tim Berners-Lee on down navigates the web, yourself included.

      Not really, no. I don't log in to pages that I have followed from a link, this is best practices 101. I don't unconditionally trust the claims on a page that I have followed from a link (or from a typed URL either).

      >That's less true of ...

      When I mouse over the link, I get http://xn--trustwrthy-jvi.example/, [trustwоrthy.example] so no, not really. Even so, I would not enter my credentials on either page.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 4, Interesting) by requerdanos (5997) Subscriber Badge on Monday March 12 2018, @05:16PM (#651430) Journal

        > a fool and his money are still easily parted.

        While true, that's not justification for the technically literate failing to take reasonable precautions on behalf of the not.

        > Even my bank's crappy website combined with Chromium's built in password manager doesn't suffer from this issue.

        My bank's website + firefox or pale moon does suffer from this issue. "The user is visiting poorly designed sites" is a guarantee, not merely a required premise.

        > we can try to protect the fool, but fools are clever

        We should try to protect the fools. Those who insist on being fools who are fooled will be, but that won't be because we didn't try.

        > I don't log in to pages that I have followed from a link, this is best practices 101.

        Educating people not to do this is part of protecting fools from foolishness, but it hasn't got very far. That's no justification for not taking other prudent measures.

        > I don't unconditionally trust the claims on a page that I have followed from a link (or from a typed URL either)... When I mouse over the link, I get /xn--trustwrthy-jvi.example/

        According to Nielsen Norman Group research [nngroup.com], "complex" tasks like "navigation across pages and applications" or tasks that "involve multiple steps and operators" (basically, tasks that require thinking and not just blindly following steps by rote) are not within the abilities of over 2/3 of the adult population of first-world countries.

        Look, as you know, you're not wrong. But the arguably simple things you cite above are still demonstrated to be "too complicated" for most, and the challenge for the 5% of the population that is technically proficient (as measured by the referenced study) is to design a system navigable by the other 95% without undue risks.

        The 2016 article referred to above (which I urge anyone interested in this discussion to read), titled "The Distribution of Users’ Computer Skills: Worse Than You Think" and written by Jakob Nielsen, is summarized as "Across 33 rich countries, only 5% of the population has high computer-related abilities, and only a third of people can complete medium-complexity tasks." Over 200,000 people between the ages of 16 and 65 inclusive were tested on computer-related tasks. This is the best research available to us, and its results are that people are less capable than we usually assume. That's a hard lesson to internalize and plan from, but for those of us like you and me, who are in the top 5% and able to do arbitrary tasks on a computer that require thought and decision making, I would submit that it's our responsibility to do it because literally no one else is capable of doing so.

        If, in spite of our best efforts, fools and their money/personal info/good reputation are still parted, then so be it.

        But if we don't make that effort, then we share in responsibility for that parting. No need for that! The fools* can do it on their own.

        -----
        * My own foolish behavior has put me into this category more than once. I am saying "us", not "they."