https://www.xudongz.com/blog/2017/idn-phishing/
I strongly suggest updating Chrome to 58, setting the network.IDN_show_punycode setting in Firefox to true, and setting your system to only support one language if you insist on using Internet Explorer or Edge.
Example:
www.apple.com (http://www.apple.com)
www.аpple.com (http://www.xn--pple-43d.com)
Can you spot the difference? The second URL doesn't have a Latin A; it has a Cyrillic A, which means it's a different URL. Hover over them to see.
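A way to check a hostname for this mechanically, as an added example that is not part of the original post: it decodes any `xn--` label, reports the punycode form, and flags labels that mix scripts or use no Latin at all. The function names are hypothetical, the script test is a heuristic based on Unicode character names, and the sample hosts are constructed from the ones quoted in this thread.

```python
import unicodedata

def to_unicode(label):
    """Decode an xn-- (punycode) label; return other labels unchanged."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def to_ascii(label):
    """Raw punycode form of a label (no IDNA nameprep; enough for display)."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts(label):
    """Scripts used in a label, taken from the first word of each Unicode
    character name (a heuristic; the stdlib has no Script property)."""
    found = set()
    for ch in label:
        if ch.isascii() and not ch.isalpha():
            continue  # ASCII digits and hyphen belong to no script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def check_host(host):
    """Return (ascii_host, findings); findings lists each suspicious label."""
    findings, ascii_labels = [], []
    for raw in host.lower().rstrip(".").split("."):
        label = to_unicode(raw)
        ascii_labels.append(to_ascii(label))
        used = scripts(label)
        if len(used) > 1:
            findings.append((label, "mixed-script", sorted(used)))
        elif used and used != {"LATIN"}:
            findings.append((label, "non-latin", sorted(used)))
    return ".".join(ascii_labels), findings

# Constructed samples: the two hosts from the post (Cyrillic a written as an
# escape so it is visible in source) and a Cyrillic-o variant of "microsoft".
SAMPLES = ["www.apple.com", "www.\u0430pple.com", "www.xn--pple-43d.com",
           "micr\u043es\u043eft.com"]

if __name__ == "__main__":
    for h in SAMPLES:
        print(check_host(h))
```

A label written entirely in one non-Latin script is reported as `non-latin` rather than `mixed-script`, so legitimate internationalized names are flagged too and need a human or an allowlist to sort out.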
Good one!
Edit: this looks like it's already working in the latest Firefox (52.0.2)
Looks like my Chrome is already fixed, weird. I don't think I updated all that recently? Maybe I did, and I just don't remember.
Ok, maybe not...
About damn time these kinds of URL charset easy cheats got made more difficult. But Jo Average might not even hear about it :)
And imagine if one of those fakers registered a business corp name and thus could legally justify an SSL certificate - it would be near impossible to notice you're not on the intended site when they copypasta most of the original content...
Damn you #Phishing3.0 bastards.
https://en.m.wikipedia.org/wiki/IDN_homograph_attack = helpful article including Defending... section.
Even without valid CERTs if somebody trusts the source they may bypass invalid SSL manually anyway...
Aрр׀e
Micrоsоft
Ɲetwοrk Sοlutiοns
Quote from: Mr. Analog on April 21, 2017, 03:13:38 PM
Even without valid CERTs if somebody trusts the source they may bypass invalid SSL manually anyway...
Aрр׀e
Micrоsоft
Ɲetwοrk Sοlutiοns
The Apple and Network Solutions ones I can see, but what is the special character in the Microsoft one?
Both the M and the Os
( ͡° ͜ʖ ͡°)