That apple.com link you clicked on? Yeah, it's actually Russian
Didn't we fix this back in 2005? Apparently not
Wrong. They are in fact carefully crafted but entirely legitimate domains in non-English languages that are designed to look exactly the same as common English words. The real domains for the two above links are: xn--80ak6aa92e.com and xn--e1awd7f.com.
In quick testing by El Reg, Chrome 57 on Windows 10 and macOS 10.12, and Firefox 52 on macOS, display apple.com and epic.com rather than the actual domains. We're told Chrome 57 and Firefox 52 are vulnerable while Safari and Internet Explorer are in the clear. Bleeding-edge Chrome 60 on macOS 10.12 was not vulnerable.
This domain disguising, which tricks people into visiting a site they think is legit but really isn't, is called a "homograph attack" – and we were supposed to have fixed it more than a decade ago when the exact same problem was noticed with respect to the address "paypal.com."
So what is this, how does it work, and why does it still exist?
Well, thanks to the origins of the internet in the United States, the global network's addressing systems were only designed to handle English – or, more accurately, the classic Western keyboard and computer ASCII text.
The limitations of this approach became apparent very soon after people in other countries started using the domain name system and there was no way to represent their language.
And so a lengthy and often embarrassingly tone-deaf effort was undertaken by largely American engineers to resolve this by assigning ASCII-based codes to specific symbols. Unicode became "Punycode."
There may be trouble ahead...
The trouble – which was first noted way back in 2001 – is that some letters in other languages like Cyrillic are different but look almost identical. You can get identical-looking versions of "a", "B", "c", "i", "l", "O" and "p," among others.
So by combining the codes for these other letters with non-coded letters you can appear to spell out a word like "apple," therefore tricking people into visiting a different website from the one they think they are visiting.
Needless to say, the organization in charge of overseeing the domain name system, US-based ICANN, took this seriously and put out a warning back in 2005 on what it termed "homograph attacks." The world's DNS overseer stated:
ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs [internationalized domain names] become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.
And so it turned to its community of internet engineers and policy makers and opened a formal comment forum to come up with "countermeasures" and "improve public protection from abusive use of domain names."
That was 12 years ago. What's happened since?
Not much, it seems. The comment forum that ICANN opened received just three comments and was archived in 2006. Statements put out by internet organizations including CENTR and APTLD have long since been lost thanks to broken hyperlinks.
I can't hear you
The internet community appears to have just wished the problem away. Unfortunately, it was still there. So five years later, in 2010, and then again in 2011, it reappeared.
This time spammers had started using the technique to get people to click on their links by providing what looked like legitimate domain names. The one that caught everyone's attention was a Cyrillic version of "paypal.com" that was really "raural.com," but looked the same.
The problem had grown because of ICANN's own expansion of the IDN space. The organization was under significant pressure from governments around the world who were very unhappy with the speed of progress at the US-based and American-dominated organization in adding their languages to the internet's infrastructure.
For its own self-preservation, ICANN approved a "fast track" of new IDNs, but the issue of homograph attacks appears to have been left untouched. ICANN is in a position to develop new policies that would then likely be adopted by other organizations that make up the internet eco-system – but it appears to have chosen not to bother.
Browser manufacturers have been similarly lazy:
- Most have introduced a system for people to report phishing websites, which it then uses to provide a warning if users visit that site.
- Firefox places some restrictions on mixing different language scripts in an effort to limit the abuse.
- Apple and Safari have simply provided online guides for how to turn IDNs off.
However, even though some browsers responded back in 2010 by turning off IDNs as a default, it appears that at some point a browser update has set the default back to on.
In terms of actual policy changes, the last activity we saw was a group working on "universal acceptance" at a domain name conference back in 2015 that would enable all internationalized domains to work across the internet.
That group was being given informal support from ICANN, as well as Google, but has made limited progress thanks to a lack of resources. Part of that group's work was to figure out how to minimize the impact of phishing through IDNs.
As to what you can do to mitigate being tricked by their coding issue: the best solution, unfortunately, is to simply turn off support for IDNs in your browser.
ICANN's webpage on the topic hasn't been updated since September 2015. We prodded ICANN for any information on current efforts to tackle homograph attacks. A spokesperson told The Reg:
ICANN is as concerned as ever about malicious use of the DNS via phishing. We have not changed our rules for what contracted TLDs are allowed to delegate in their zones. The recently described attacks are no different than the ones ICANN has been looking at since the addition of IDNs in 2003.
In the meantime, ICANN is coming toward the end of another lengthy policy process that would allow or block the use of country codes – like "us" for the United States or "de" for Germany – in the hundreds of new top-level domains that ICANN has approved in the past few years. These have contributed hundreds of millions of dollars to the small Los Angeles-based organization.
It should be noted however that the policy only covers ASCII text – ie, the English keyboard. Fifteen years on from the first warning of homograph attacks using non-English characters, it seems that some priorities never change. ®
PS: To fix the issue with Chrome, wait for Chrome 58 to arrive around April 25 and install it. On Firefox, go to about:config and set network.IDN_show_punycode to true.
Sponsored: Becoming a Pragmatic Security Leader