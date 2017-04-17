Become a fan of Slashdot on Facebook

 


Google says it will be rolling out a patch to Chrome in v59 to address a decade-old unicode vulnerability called Punycode that allowed attackers to fool people into clicking on compromised links. Engadget adds: Thanks to something called Punycode, phishers are able to register bogus domains that look identical to a real website. Take this proof-of-concept from software engineer Xudong Zheng, where apple.com won't take you to a store selling Macs, iPhones and iPads. The real website is actually https://www.xn--80ak6aa92e [dot] com. The xn-- prefix tells browsers like Chrome that the domain uses ASCII compatible encoding. It allows companies and individuals from countries with non-traditional alphabets to register a domain that contains A-Z characters but renders in their local language. The issue was first reported to Google and Mozilla on January 20th and Google has issued a fix in Chrome 59. It's currently live in the Canary (advance beta release) but the search giant will likely make it available to all Chrome users soon.

  • Ooh, I get to complain about the Slashdot post qua (Score:5, Informative)

    by Kiwikwi ( 2734467 ) on Monday April 17, 2017 @10:46AM (#54248587)

    Horrible summary... Punycode [wikipedia.org] is an encoding, not a vulnerability. The vulnerability is a variant of the well-known homograph attack.

    The original source explains it better: https://www.xudongz.com/blog/2... [xudongz.com]

    • Of course it's horrible. Engadget just recycles news from other more technical sites. There is also a factual error. The issue will be addressed in Chrome 58. It was already addressed in Chrome Canary 59.
  • In Firefox / about:config set: network.IDN_show_punycode;true

  • The original post notes that "In Chrome and Firefox, the Unicode form will be hidden if a domain label contains characters from multiple different languages."

    It seems to me that a better solution would be to simply display the unicode version only if it contains only characters in the language that the browser is running in (such as the LANG setting on POSIX systems)... especially if the purpose of punycode is to allow domains that "render in their local language."

    Admittedly, that fails to protect Cyrillic

  • countries with non-traditional alphabets (Score:5, Insightful)

    by remi2402 ( 816874 ) on Monday April 17, 2017 @11:44AM (#54249031)

    countries with non-traditional alphabets

    Say what now? Non-traditional? How about simply "languages with non-latin scripts"! And even that description isn't completely accurate as there are plenty of languages written using variants of latin scripts that could benefit from punycode (Spanish, French, German, Scandinavian languages, quite a few Slavic languages, Vietnamese, and I'm probably forgetting a lot).

    I usually don't care about this sort of things but this time I'll bite: there are about 6.5+ billion people on this planet that use "non-traditional alphabets". It's about time whoever wrote the FA at Engadget learns a little bit about the rest of the world.

