Just when I thought I had heard it all, along comes another form of attack: the homograph attack.
Homograph attacks work in browsers because browsers support internationalized domain names (IDNs), so that domain names can be written in scripts other than the Latin alphabet. In the demo page below, the web site looks like an HTTPS Apple.com web page.
In fact, the browser even labels the page as secure. The URL in the address bar looks identical to Apple’s web page, below.
However, if you copy the address and then paste it back into the browser, you get something that looks very different from Apple.com, below.
For anyone who wants to look at this in more detail, the demo page can be found at https://www.xn--80ak6aa92e.com/ (Note that this is not a live link, on purpose. Copy and paste if you want to try it).
What the author of the demo did was replace each letter of apple.com with a Cyrillic letter that renders identically in common fonts: а (U+0430) for a, р (U+0440) for p, ӏ (U+04CF, palochka) for l and е (U+0435) for e. Unicode is the character set, not a language; DNS itself only carries ASCII, so the name travels as the "punycode" form xn--80ak6aa92e and the browser, because it supports IDNs, decodes it and displays the Cyrillic letters.
The IDN homograph attack has been known since 2001, and browsers do have a defence for it: most of them fall back to showing the raw xn-- form when a single label mixes scripts, such as a Latin a next to a Cyrillic р. This demo slips past that check because every letter in the label comes from one script, Cyrillic, so the label looks internally consistent to the browser.
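The substitution described above, and the single-script check that lets it through, as an added example (not code from the original post): an RFC 3492 punycode decoder, a per-label script census, and a simplified model of the lookalike rule a browser can apply before showing the Unicode form. The lookalike table is a small hand-picked subset of Unicode's confusables data and the display rule is a simplified model written for this example, not any browser's actual implementation; `analyzeHost`, `punycodeDecode` and the other names are this example's own.

```javascript
// RFC 3492 punycode decoder (bootstring parameters from the RFC).
const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// 'a'..'z' -> 0..25, '0'..'9' -> 26..35 (case-insensitive).
function digitValue(ch) {
  const c = ch.charCodeAt(0);
  if (c >= 48 && c <= 57) return c - 22;
  if (c >= 65 && c <= 90) return c - 65;
  if (c >= 97 && c <= 122) return c - 97;
  throw new RangeError(`invalid punycode digit "${ch}"`);
}

// Decodes the part of a label after "xn--" back into Unicode.
function punycodeDecode(input) {
  const out = [];
  const b = input.lastIndexOf('-'); // basic (ASCII) code points precede the last '-'
  for (let j = 0; j < b; j++) out.push(input.charCodeAt(j));
  let pos = b > 0 ? b + 1 : 0;
  let n = INITIAL_N, i = 0, bias = INITIAL_BIAS;
  while (pos < input.length) {
    const oldi = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      if (pos >= input.length) throw new RangeError('truncated punycode');
      const digit = digitValue(input[pos++]);
      i += digit * w;
      const t = k <= bias ? TMIN : k >= bias + TMAX ? TMAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    const numPoints = out.length + 1;
    bias = adapt(i - oldi, numPoints, oldi === 0);
    n += Math.floor(i / numPoints); // each delta encodes (code point, insert position)
    i %= numPoints;
    out.splice(i, 0, n);
    i++;
  }
  return String.fromCodePoint(...out);
}

const SCRIPT_TESTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Cyrillic letters whose usual glyphs match a Latin letter.
// Constructed subset of Unicode confusables.txt, assumed for this example.
const CYRILLIC_LOOKALIKES = {
  '\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c',
  '\u0443': 'y', '\u0445': 'x', '\u0455': 's', '\u0456': 'i', '\u0458': 'j',
  '\u04bb': 'h', '\u04cf': 'l', '\u0501': 'd', '\u051b': 'q', '\u051d': 'w',
};

// Which of the scripts above a label uses; digits and '-' are Script=Common and ignored.
function scriptsOf(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPT_TESTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found];
}

// What the label looks like to a human: lookalikes replaced by their Latin twin.
function skeletonOf(label) {
  return [...label].map((ch) => CYRILLIC_LOOKALIKES[ch] || ch).join('');
}

// Simplified model of an address-bar display rule: show Unicode unless a label
// mixes scripts, or is made entirely of Cyrillic lookalikes under a non-Cyrillic TLD.
function analyzeHost(host) {
  const labels = host.toLowerCase().split('.');
  const decoded = labels.map((l) => (l.startsWith('xn--') ? punycodeDecode(l.slice(4)) : l));
  const tldIsCyrillic = /^\p{Script=Cyrillic}+$/u.test(decoded[decoded.length - 1]);
  const reasons = [];
  for (const label of decoded) {
    const scripts = scriptsOf(label);
    if (scripts.length > 1) reasons.push(`"${label}" mixes scripts: ${scripts.join('+')}`);
    const allLookalikes = scripts.length === 1 && scripts[0] === 'Cyrillic' &&
      [...label].every((ch) => ch in CYRILLIC_LOOKALIKES || /^[0-9-]$/.test(ch));
    if (allLookalikes && !tldIsCyrillic) {
      reasons.push(`"${label}" is entirely Cyrillic lookalikes of "${skeletonOf(label)}" under a non-Cyrillic TLD`);
    }
  }
  const unicodeHost = decoded.join('.');
  return {
    unicodeHost,
    skeleton: decoded.map(skeletonOf).join('.'),
    safeToDisplay: reasons.length === 0,
    display: reasons.length === 0 ? unicodeHost : host, // what the address bar should show
    reasons,
  };
}

console.log(analyzeHost('www.xn--80ak6aa92e.com'));
```

Running it shows the demo host decoding to www.аррӏе.com with the skeleton www.apple.com, and the rule sending the raw xn-- form to the address bar; a genuine Cyrillic name under a Cyrillic TLD (москва.рф) passes, because its letters are not all lookalikes and the TLD matches the script.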
The reason the SSL/TLS certificate works is that the domain www.xn--80…. was unregistered, so the attacker could register it and then obtain a certificate for it the same way anyone who controls a domain can.
One thing that is important to notice is that the real Apple web page is protected by a cheap class of HTTPS certificate called domain validation, or DV. A DV certificate only attests that whoever requested it controlled the domain name at issuance time; it does nothing to verify that the REAL Apple, the legal entity, owns the domain (the encryption itself is done by TLS and is the same whatever type of certificate is used). In writing this post, I found this was pretty common. In fact, I had to work hard to find an example of the more rigorous extended validation, or EV, certificate, which requires the certificate authority to verify the legal identity of the organization. Note in the example below that Symantec’s web site shows Symantec as the verified owner to the left of the address, replacing the word Secure.
In fact, even a few bank web sites that I looked at (like Chase and Bank of America) were using DV certificates instead of the more secure EV certificates. I speculate that, now that this attack is getting some media attention, they will hopefully fix that.
In this particular case, if the attackers wanted an EV certificate, they could only get one for www.xn--80ak6aa92e.com, after a certificate authority verified their own legal identity, and the certificate would display their organization’s name, not Apple’s; they could not get one for www.Apple.com. Apple could increase the trust in its web site by spending the few extra bucks a year for an EV certificate.
Since we always tell people to look at the address bar, what do we tell them when the address bar looks fine?
The only giveaway is the link on the page. If you hover over it and look at the address shown at the bottom of the browser, you will see that it is not an Apple address.
I am sure that if we told people to copy the address and paste it back into the address bar as a test, which does reveal the attack (but only before you press Enter, since the pasted text is the ASCII xn-- form), people are not likely to do that.
It will be interesting to see what the browser makers do about this. At least now you are aware of it, and if you are suspicious you can always copy the address and paste it into anything (email, Notepad, Word, whatever) to see whether the domain name changes into an xn-- name when you do.