Sunday, April 23, 2017

Punycode

Wordfence is a security service for WordPress sites. I heard Leo Laporte talk about a recent post Wordfence had demonstrating a potential phishing technique.

To demonstrate this, Wordfence created a web site using a technique known as Punycode to encode the URL.

Here is a link to their demonstration site. Look closely at the address bar when you get there.

     https://www.еріс.com/

Here is a link to the real site. Look closely at the address bar when you get there.

     https://www.epic.com

Can you tell the difference?

So you think you're a real geek and you always right click on a link and select "Copy link address" and then paste it into Notepad to see what the link REALLY links to. Knock yourself out. Try it.

Now is a good time to start worrying.

The only way to discern the difference in the URL is to actually browse to the demonstration site. Then highlight the URL and copy it. Now paste it into Notepad.

     https://www.xn--e1awd7f.com

That "xn--" prefix is the marker of a Punycode-encoded domain label.
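As an added example (not code from Wordfence's post or from this blog), here is a small Python check that decodes "xn--" labels the way a browser does and flags a label whose letters are all Cyrillic look-alikes for Latin letters, or that mixes scripts within one label. The look-alike table is a hand-picked subset assumed for this example, not the full Unicode confusables list.

```python
import unicodedata

# Cyrillic lowercase letters that render almost identically to Latin letters in
# common fonts. Hand-picked subset for this example, not the full confusables table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s", "\u04bb": "h",
}


def decode_label(label):
    """Turn one Punycode label (xn--...) back into Unicode; leave others as-is."""
    if not label.startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label  # malformed Punycode: keep the raw xn-- form


def to_unicode(hostname):
    """Decode every label of a hostname, e.g. www.xn--e1awd7f.com -> www.еріс.com."""
    return ".".join(decode_label(label) for label in hostname.lower().split("."))


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by letters in a label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def latin_lookalike(text):
    """Replace known Cyrillic confusables with the Latin letters they resemble."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in text)


def analyze_hostname(hostname):
    """Flag labels that read as a Latin name but are not actually written in Latin."""
    decoded = to_unicode(hostname)
    suspicious = []
    for label in decoded.split("."):
        lookalike = latin_lookalike(label)
        # Rule 1: every non-Latin letter was a confusable, so the label passes for ASCII.
        # Rule 2: more than one script inside a single label.
        if (lookalike != label and lookalike.isascii()) or len(scripts_in(label)) > 1:
            suspicious.append(label)
    return {"unicode": decoded, "lookalike": latin_lookalike(decoded),
            "suspicious_labels": suspicious}
```

Running `analyze_hostname("www.xn--e1awd7f.com")` reports the decoded name, its Latin look-alike `www.epic.com`, and the flagged label; the genuine `www.epic.com` produces no flags.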

I hope you noticed that the demonstration site also showed the padlock in the address bar. You can thank Let's Encrypt for that.

There's a workaround in Wordfence's post for Firefox and reportedly a fix in version 59 of Chrome.

In the meantime, do you think this would fool your mother?
