Re: [Lista Criptica] Punycode

This message is part of the following thread:
Mthe complete thread tree sorted by date
M\Charlie at <-
MMguifipedro at ->
Delete this message

Reply to this message
Author: Jaume
Date:  
To: list_criptica
Subject: Re: [Lista Criptica] Punycode
Jo he trobat una solució a aquest problema en Firefox buscant per ahí.
Entrant en about:config i posant el parámetre
"network.IDN_show_punycode"
a true.
El dv 21 de 04 de 2017 a les 13:49 +0200, en/na Charlie va escriure:
> Echadle un ojo:
>
> https://arstechnica.com/security/2017/04/chrome-firefo
> x-and-opera-users-beware-this-isnt-the-apple-com-you-want/?comments=1
>
>
> Punycode makes it possible to register domains with foreign
> characters.
> It works by converting individual domain label to an
> alternative format
> using only ASCII characters. For example, the
> domain "xn--s7y.co" is
> equivalent to "短.co".
>
> From a security
> perspective, Unicode domains can be problematic because
> many Unicode
> characters are difficult to distinguish from common ASCII
> characters.
> It is possible to register domains such as
> "xn--pple-43d.com", which
> is equivalent to "аpple.com". It may not be
> obvious at first glance,
> but "аpple.com" uses the Cyrillic "а" (U+0430)
> rather than the ASCII
> "a" (U+0061). This is known as a homograph attack.
>
> The homograph
> protection mechanism in Chrome, Firefox, and Opera
> unfortunately fails
> if every characters is replaced with a similar
> character from a single
> foreign language. The domain "аррӏе.com",
> registered as "xn
> --80ak6aa92e.com", bypasses the filter by only using
> Cyrillic
> characters. You can check this out yourself in the
> proof-of-concept
> using Chrome, Firefox, or Opera.
>
> Visually, the two domains are
> indistinguishable due to the font used by
> Chrome and Firefox. As a
> result, it becomes impossible to identify the
> site as fraudulent
> without carefully inspecting the site's URL or SSL
> certificate. This
> Go program nicely demonstrates the difference between
> the two sets of
> characters. Safari, along with several less mainstream
> browsers are
> fortunately not vulnerable.
> __________________________________________
> _____
> list_criptica mailing list
> list_criptica@???
> Lista de
> correo de debate de Criptica
-- 
  Jaumet ¯\_(ツ)_/¯/-------------------> OpenPGP fingerprint: EEB9 94C0 A6F7 C917 9504  602B 0C71 AF4E 6D6F 031D\------------------->
This message was posted to the following mailing lists:
list_criptica
Mailing List Info | Nearby Messages		<-Re: [Lista Criptica] PRIVAT SmartphoneRe: [Lista Criptica] Punycode->
lists.autistici.org administrated by postmasterLurker (version 2.3)