科技回声

8 条评论

wimagguc大约 8 年前

HN Discussion about the same topic from 2 days ago (126 comments to date): <a href="https://news.ycombinator.com/item?id=14119713" rel="nofollow">https://news.ycombinator.com/item?id=14119713</a>

评论 #14133454 未加载

dmckeon大约 8 年前

Can a browser could track how many language/character sets are typically used by a browser profile, and warn the user when they are about to use a new, previously unused set, rather than waving the duty off as the "responsibility of domain owners"?With now over 1000 top-level domains, and however many homographic matches among character sets, expecting people to register dozens of matching domains seems unrealistic.

评论 #14132654 未加载

shif大约 8 年前

I wonder how the domain displays on email clients like gmail and outlook, this is the scariest part, most people will just look at the domain and think it's a valid mail and follow the instructions of that mail, it could be catastrophic for companies, the ubiquity $40 million fiasco comes to mind.

评论 #14132066 未加载

nemo1618大约 8 年前

What an odd coincidence: I just published a Go package yesterday to detect such attacks in source code. Is there a homography bug going around?<a href="https://github.com/NebulousLabs/glyphcheck" rel="nofollow">https://github.com/NebulousLabs/glyphcheck</a>(btw, Wikipedia notes that "The term homograph is sometimes used synonymously with homoglyph, but in the usual linguistic sense, homographs are words that are spelled the same but have different meanings, a property of words, not characters.")

评论 #14134352 未加载

html5web大约 8 年前

This is the scariest one: <a href="http://www.арр.com/" rel="nofollow">http://www.xn--80a6aa.com/</a> & <a href="http://www.app.com/" rel="nofollow">http://www.app.com/</a>

评论 #14134809 未加载

E6300大约 8 年前

<a href="http://blog.unicode.org/2014/09/updated-unicode-security-specifications.html" rel="nofollow">http://blog.unicode.org/2014/09/updated-unicode-security-spe...</a>

khedoros1大约 8 年前

Interesting. The apple.com one (<a href="https://www.xn--80ak6aa92e.com/" rel="nofollow">https://www.xn--80ak6aa92e.com/</a>) shows literally that text in Pale Moon (27.2), but shows "аррӏе.com" (Cyrillic text) in Chrome 57 and Firefox 51.Someone else's example that looks like "app.com" ( <a href="http://www.xn--80a6aa.com/" rel="nofollow">http://www.xn--80a6aa.com/</a>) translates to the Cyrillic text, even in Pale Moon. I wonder if Apple's site is on a hard-coded blacklist in the browser, or if every update includes the top-1000 list, or something?I remember reading about issues with Unicode domains years ago, though. It surprises me that something hasn't been figured out by this point. One mitigation that I remember being discussed was coloring characters from different scripts in different colors, to make variant characters more obvious.

评论 #14135450 未加载

bchociej大约 8 年前

Thankfully I got this: <a href="https://imgur.com/a/3XyIe" rel="nofollow">https://imgur.com/a/3XyIe</a>

8 条评论

wimagguc大约 8 年前

HN Discussion about the same topic from 2 days ago (126 comments to date): <a href="https://news.ycombinator.com/item?id=14119713" rel="nofollow">https://news.ycombinator.com/item?id=14119713</a>

评论 #14133454 未加载

dmckeon大约 8 年前

评论 #14132654 未加载

shif大约 8 年前

评论 #14132066 未加载

nemo1618大约 8 年前

评论 #14134352 未加载

html5web大约 8 年前

This is the scariest one: <a href="http://www.арр.com/" rel="nofollow">http://www.xn--80a6aa.com/</a> & <a href="http://www.app.com/" rel="nofollow">http://www.app.com/</a>

评论 #14134809 未加载

E6300大约 8 年前

<a href="http://blog.unicode.org/2014/09/updated-unicode-security-specifications.html" rel="nofollow">http://blog.unicode.org/2014/09/updated-unicode-security-spe...</a>

khedoros1大约 8 年前

评论 #14135450 未加载

bchociej大约 8 年前

Thankfully I got this: <a href="https://imgur.com/a/3XyIe" rel="nofollow">https://imgur.com/a/3XyIe</a>

Phishing with Unicode Domains

8 条评论

Phishing with Unicode Domains

8 条评论