Phishing with Unicode Domains - Xudong Zheng

Domains registered with punycode names (and then given TLS certificates) are worryingly indistinguishable from their ASCII counterparts.

Can you spot the difference between the URLs https://adactio.com and https://аdаctіо.com?
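The two names above differ only in script: the second mixes Cyrillic а, і and о with Latin d, c and t. As an added example (not part of the original post), the check below shows the two defensive signals a browser or mail filter can use: convert the name to its punycode A-label, which is what actually goes to DNS, and flag any non-ASCII label that either mixes scripts or collapses to plain ASCII once common lookalike letters are folded. The lookalike table is a small constructed subset, not the full Unicode confusables list, and `саре.com` is a constructed all-Cyrillic sample that the mixed-script test alone would miss.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones (assumption:
# illustrative only; a production filter would use the Unicode confusables data).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def to_alabel(hostname: str) -> str:
    """Punycode (xn--) form of the hostname, i.e. what the resolver actually sees."""
    return hostname.encode("idna").decode("ascii")


def letter_scripts(label: str) -> set:
    """Scripts of the letters in one label, read from the Unicode character names."""
    return {
        unicodedata.name(ch).split()[0]
        for ch in label
        if unicodedata.category(ch).startswith("L")
    }


def skeleton(label: str) -> str:
    """Fold each lookalike to its Latin twin so visual equality becomes string equality."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label)


def check_hostname(hostname: str) -> dict:
    """Flag a hostname that displays like an ASCII name but is not one.

    Signal 1: a label mixing scripts (Latin d/c/t among Cyrillic letters).
    Signal 2: a non-ASCII label whose folded skeleton is pure ASCII (all-Cyrillic case).
    """
    reasons = []
    for label in hostname.lower().split("."):
        if label.isascii():
            continue  # genuine ASCII label, nothing to fold
        scripts = letter_scripts(label)
        if len(scripts) > 1:
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        if skeleton(label).isascii():
            reasons.append(f"{label!r} is confusable with ASCII {skeleton(label)!r}")
    return {"alabel": to_alabel(hostname), "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # The ASCII name, the mixed-script name from the post, and a constructed all-Cyrillic one.
    for host in ["adactio.com", "\u0430d\u0430ct\u0456\u043e.com", "\u0441\u0430\u0440\u0435.com"]:
        print(host, check_hostname(host))
```

Showing the A-label instead of the decoded name is exactly the mitigation browsers adopted after this attack was publicised: `xn--` in the address bar is hard to mistake for adactio.com.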

Related links

Extended Validation is Broken

How a certificate with extended validation makes it easier to phish. But I think the title could be amended—here’s what’s really broken:

On Safari, the URL is completely hidden! This means the attacker does not even need to register a convincing phishing domain. They can register anything, and Safari will happily cover it with a nice green bar.

Related posts

IncrementURL

Jake’s got an idea for improving the security of displaying URLs in browsers.