Click this link (don’t fret, nothing malicious). Chances are your browser displays “apple.com” in the address bar.

What about this one? Goes to “epic.com,” right?

Wrong. They are carefully crafted, fully registrable domains made of non-Latin letters chosen to look exactly like common English words. The real (ASCII) names behind the two links above are xn--80ak6aa92e.com and xn--e1awd7f.com.
Of course, your browser may instead display these meaningless-looking names, in which case you miss a glorious opportunity to be totally misled!

The “xn--” prefix on these names signals that the label is an ASCII-compatible (Punycode) encoding of a Unicode name, rather than one written in the internet’s original ASCII characters. Unicode can represent the characters (or printable glyphs) of every writing system in the world (and emoji, etc). Internationalised domain names were standardised in 2003, in response to non-English (or more strictly, non-USA) countries wanting to internationalise the Internet. It wasn’t long before certain people realised that the Cyrillic letters resembling the Latin “a”, “B”, “b”, “c”, “e”, “H”, “i”, “K”, “l”, “M”, “o”, “p”, “T” and “ш” looked very like English letters, and the “homograph attack” was born (homograph = same shape). Note that IDN processing lowercases a label before encoding it, so in an actual hostname only the lowercase look-alikes matter; the capitals fool the eye only where text is shown case-preserved. (You may also be able to pick out the letters for ‘apple’ and ‘epic’ from that list.)
Needless to say, the organization in charge of overseeing the domain name system, US-based ICANN, took this seriously and put out a warning back in 2005 on what it termed “homograph attacks.” The world’s DNS overseer stated:
“ICANN is concerned about the potential exacerbation of homograph domain name spoofing as IDNs [internationalized domain names] become more widespread, and is equally concerned about the implementation of countermeasures that may unnecessarily restrict the use and availability of IDNs.”
And so it turned to its community of internet engineers and policy makers and opened a formal comment forum to come up with “countermeasures” and “improve public protection from abusive use of domain names.”
So what happened? The comment forum that ICANN opened received just three comments before being archived in 2006. The statements other internet organizations put out at the time have long since been lost to broken hyperlinks!
The internet community appears to have just wished the problem away. Unfortunately, it was still there, and five years later, in 2010-2011, it reappeared. This time spammers had started using the technique to get people to click on their links by presenting what looked like legitimate domain names. The one that caught everyone’s attention was a Cyrillic look-alike of “paypal.com” which, transliterated letter for letter, reads “raural.com” but on screen looked the same as the real name.
The problem had grown because of ICANN’s own expansion of the IDN space. The organization was under significant pressure from governments around the world who were very unhappy with the speed of progress at the US-based and American-dominated organization in adding their languages to the internet’s infrastructure.
For its own self-preservation, ICANN approved a “fast track” of new IDNs, but the issue of homograph attacks appears to have been left untouched. ICANN is in a position to develop new policies that would then likely be adopted by other organizations that make up the internet eco-system – but it appears to have chosen not to bother.
In terms of actual policy changes, the last activity we saw was a group working on “universal acceptance” at a domain name conference back in 2015 that would enable all internationalised domains to work across the internet.
That group was being given informal support from ICANN, as well as Google, but has made limited progress thanks to a lack of resources. Part of that group’s work was to figure out how to minimize the impact of phishing through IDNs.
ICANN’s web page on the topic hasn’t been updated since September 2015. When asked, an ICANN spokesperson said:
“ICANN is as concerned as ever about malicious use of the DNS via phishing. We have not changed our rules for what contracted TLDs are allowed to delegate in their zones. The recently described attacks are no different than the ones ICANN has been looking at since the addition of IDNs in 2003.”
Another possible avenue for a solution lies with the browser makers, who have been a little lazy:
- Most have introduced a system for people to report phishing websites, which they then use to warn users who visit those sites.
- Firefox places some restrictions on mixing different language scripts in an effort to limit the abuse – but nothing on the above links in the version I tested. A restriction on mixing scripts does nothing against a name whose every letter comes from a single non-Latin script, which is exactly what the two links above are.
- Apple and Safari have simply provided online guides for how to turn IDNs off (if you can find them). OS X 10.11 and macOS 10.12 appear to have IDNs turned off, so you see the ‘funny’ xn--… domain names; this means that you cannot recognise domains that use non-English letters, such as Māori!
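As an added example (this is not code from the article, nor from any browser vendor), the following Python script does what the two points above need: it decodes the “xn--” form back to Unicode and encodes it again, reports which scripts a label draws its letters from, and applies a whole-script look-alike check on top of the mixed-script check browsers already do. The Cyrillic-to-Latin table is a small hand-picked subset constructed for this example (Unicode’s confusables.txt is far larger), and the mixed-script hostname p\u0430ypal.com is constructed here too.

```python
"""Decode "xn--" (Punycode) labels and flag homograph look-alikes.

Added example for the article, not its own code. CONFUSABLES is a
constructed, deliberately small Cyrillic-to-Latin subset.
"""
import unicodedata

# Constructed look-alike table: lowercase Cyrillic letters and the Latin
# letters they pass for. Only lowercase matters in a hostname, because IDNA
# case-folds labels before encoding them.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u044c": "b",  # CYRILLIC SMALL LETTER SOFT SIGN
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
}


def decode_label(label):
    """A-label ("xn--...") -> U-label. Raw Punycode step only, without
    IDNA's nameprep and round-trip checks, so it also decodes labels that a
    strict IDNA implementation would reject."""
    if label[:4].lower() == "xn--":
        return label[4:].encode("ascii").decode("punycode")
    return label


def encode_label(label):
    """U-label -> A-label. Labels that are already ASCII are left alone."""
    if label.isascii():
        return label
    return "xn--" + label.lower().encode("punycode").decode("ascii")


def decode_hostname(hostname):
    return ".".join(decode_label(part) for part in hostname.split("."))


def encode_hostname(hostname):
    return ".".join(encode_label(part) for part in hostname.split("."))


def letter_scripts(label):
    """Scripts of the alphabetic code points in a label, read from the first
    word of each Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(text):
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def assess(hostname):
    """Unicode form of a hostname, the ASCII name it imitates (if any) and a
    list of findings, one per suspicious label."""
    unicode_form = decode_hostname(hostname)
    findings = []
    for label in unicode_form.split("."):
        if label.isascii():
            continue
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            # The mixed-script case: what a browser's script-mixing rule catches.
            findings.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif skeleton(label).isascii():
            # Single script, every letter a confusable: passes a mixed-script
            # check. This is the apple/epic case.
            findings.append(
                f"{label!r} is a whole-script look-alike of {skeleton(label)!r}")
    imitated = skeleton(unicode_form)
    return {
        "ace": encode_hostname(unicode_form),
        "unicode": unicode_form,
        "lookalike": imitated if imitated.isascii() and imitated != unicode_form else None,
        "findings": findings,
    }


def both_forms(hostname):
    """Unicode form with the xn-- form beside it whenever one is in use."""
    unicode_form = decode_hostname(hostname)
    ace = encode_hostname(unicode_form)
    return unicode_form if ace == unicode_form else f"{unicode_form} ({ace})"


if __name__ == "__main__":
    # "p\u0430ypal.com" is constructed: Latin "p", Cyrillic "а", Latin "ypal".
    for name in ("xn--80ak6aa92e.com", "xn--e1awd7f.com",
                 "p\u0430ypal.com", "example.com"):
        report = assess(name)
        print(both_forms(name), "->", report["lookalike"], report["findings"])
```

Run it and the first two names come back as аррӏе.com (xn--80ak6aa92e.com) imitating apple.com and еріс.com (xn--e1awd7f.com) imitating epic.com, each flagged as a whole-script look-alike rather than a script mix; the constructed pаypal.com is the mixed-script case; example.com produces nothing. The skeleton step is the important one: a script-mixing rule on its own never fires for the two real names.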

Perhaps web browsers need to just show both the ASCII (xn--) and Unicode forms whenever Unicode is used! Or even show them in a different colour? Any takers, Safari, Firefox, Chrome, Edge, etc.?