Pages

How do browsers detect counterfeit websites and domain names? A complex solution to a simple problem

Back in spring 2017, researcher Xudong Zheng hosted a website going by the domain name “apple.com”. At first glance, you might think this is the official website of the giant tech company “Apple”, right? But it’s not! It’s a counterfeit website that Xudong Zheng used to bring attention to the issue about fake websites.

See, the trick in the website “apple.com” lies with the letter “a”. This “a” is normally a Latin character however, the domain registered by Xudong Zheng replaced this with a Cyrillic character. He did this using the Unicode of the Cyrillic “a” instead of the Latin “a”. As you can see, both characters are practically identical.


Had it been some malicious person or an organization, they could easily use this website to scam unaware people and steal their information such as credit card numbers, passwords etc.

But thanks to the research, modern browsers were updated to counter the issue of fake domains with a replaced character.

So how did they accomplish this? Well, a number of options were explored by security researchers such as:

What if we don’t mix different character sets? Well, this one’s a bit complicated. Many languages such as Chinese, Korean and Japanese use mixed character sets to code their language characters. Therefore, they need to mix character sets often. This is why banning the use of mixed character sets isn’t the best solution though it would fix the problem to a degree.

Complete removal of Cyrillic characters from URLs: Banning certain characters would only trade convenience for security. While it would solve problems for a specific language which doesn’t use those extra characters, the people that do use them would suffer. For example, if you ban all Japanese characters, because they’re not used in English, how would the Japanese people have access to those websites?

Banning URLs outside of user preferred languages: This would certainly work however annoying it may be. Yes, the user would have to add the website they’re trying to access to their preferred languages before opening it. But this begets the issue of bad user experience.

Show a warning if a website seems suspicious: Checking the integrity of a website has many stages which we won’t go over in this article. But if the website seems suspicious, the user would get a warning that the website they’re trying to access might be fake. It’s a step in the right direction but not completely secure.

These solutions were a bit different from what modern browsers actually ended up doing though.

Ultimately, browsers such as Google and Firefox first started to detect these counterfeit websites. Once they noticed a suspicious website, they would display the URL in the form on Punycode. For example, googlé.com would appear as xn--googl-fsa.com. Along with that, they also displayed a warning to whomever would visit this domain. In the warning, they’ll also link the genuine website to avoid confusion.



Read next: Back in spring 2017, researcher Xudong Zheng hosted a website going by the domain name “apple.com”. 

No comments: