Exercise 22: Homograph Attacks

This short exercise examines the threat posed by homographs. Our specific focus is on IDN homograph attacks, which involve internationalized domain names. The exercise uses CyberChef, which you can run online or download and run locally.

A homograph attack typically involves an attacker registering a domain name that closely mimics another in appearance. In an IDN homograph attack that resemblance can be made particularly close by exploiting the fact that internationalized domain names are allowed to contain characters from non-Latin alphabets. For example, the Greek and Cyrillic alphabets both contain characters that are visually almost indistinguishable from the Latin letter ‘o’ in many fonts. Thus, microsoft.com using a Cyrillic ‘o’ may look the same as microsoft.com using only Latin characters, even though it is a completely different domain.

Punycode is a way of encoding an IDN using a more limited set of ASCII characters. Domain name homographs that are almost indistinguishable visually will be very obviously different when viewed as Punycode.

Converting to Punycode

For this task, you will compare and contrast the domain names adobe.com and adoḅe.com by examining their Punycode representations.

  1. Run CyberChef. Open the ‘Data format’ submenu on the Operations menu and drag ‘To Punycode’ onto the Recipe panel. Make sure that the ‘Internationalized domain name’ option is checked.

  2. Copy the following domain name and paste it into the Input panel:

    adobe.com
    

    Note what is displayed in the Output panel.

  3. Use the trashcan button to clear the Input panel. Then copy the following domain name and paste it into the panel:

    adoḅe.com
    

    How does the output differ? Which character in the domain name causes the difference?

Converting From Punycode

  1. Use the trashcan buttons to clear the contents of the Input, Output and Recipe panels in CyberChef. Drag the ‘From Punycode’ operation from the ‘Data format’ submenu onto the Recipe panel. Make sure that the ‘Internationalized domain name’ box is checked.

  2. Use CyberChef to convert the following Punycode representations into homographs:

    xn--watrose-sfb.co.uk
    xn--80ak6aa92e.com
    

    What do you see? How convincing are these as homographs? Would font choice be significant here?
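The same two conversions can be done outside CyberChef. The following is an added example written for this exercise (it is not CyberChef code): it uses Python’s standard-library `punycode` codec, which implements the RFC 3492 algorithm, and adds or strips the `xn--` prefix label by label. The `non_ascii_chars` helper lists each non-ASCII code point with its Unicode name, which answers the “which character causes the difference?” question directly. The sample names are the ones used in the steps above; full IDNA processing would also normalize each label (Nameprep or UTS #46) before encoding, which this example omits.

```python
import unicodedata

ACE_PREFIX = "xn--"  # ASCII-compatible-encoding prefix that marks a Punycode label


def label_to_punycode(label: str) -> str:
    """Encode one domain label. Pure-ASCII labels are returned unchanged;
    anything else becomes 'xn--' followed by its RFC 3492 Punycode form."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def label_from_punycode(label: str) -> str:
    """Inverse of label_to_punycode: strip the prefix and decode, or pass through."""
    if not label.lower().startswith(ACE_PREFIX):
        return label
    return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")


def to_punycode(domain: str) -> str:
    """Convert a whole domain name label by label (the TLD is treated the same way)."""
    return ".".join(label_to_punycode(part) for part in domain.split("."))


def from_punycode(domain: str) -> str:
    """Convert a Punycode domain name back to its Unicode form, label by label."""
    return ".".join(label_from_punycode(part) for part in domain.split("."))


def non_ascii_chars(domain: str) -> list:
    """Every non-ASCII character in the name with its code point and Unicode name,
    i.e. exactly the characters that make a homograph differ from the real name."""
    return [(c, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in domain if not c.isascii()]


if __name__ == "__main__":
    # Sample names taken from the exercise steps above.
    for name in ("adobe.com", "ado\u1e05e.com"):
        print(f"{name:14} -> {to_punycode(name)}  {non_ascii_chars(name)}")
    for ace in ("xn--watrose-sfb.co.uk", "xn--80ak6aa92e.com"):
        decoded = from_punycode(ace)
        print(f"{ace:24} -> {decoded}")
        for ch, cp, cname in non_ascii_chars(decoded):
            print(f"    {ch} {cp} {cname}")
```

Run it and compare with the CyberChef output: `adobe.com` is already ASCII and is left alone, `adoḅe.com` becomes `xn--adoe-x34a.com` (the basic letters `adoe`, a delimiter, then the encoded position and code point of `ḅ`), and the second Punycode sample decodes to a label made entirely of Cyrillic letters, which is why it is so convincing in a font where those glyphs match their Latin counterparts.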

Browser Defences

The second of the two previous Punycode examples is particularly interesting, because it is a ‘whole-script’ homograph: one in which all the characters in the main part of the domain name come from a single non-Latin alphabet.

Xudong Zheng discovered in 2017 that the homograph protection code in the Chrome, Firefox and Opera browsers failed to identify whole-script homographs like this one as potentially dangerous.
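To see why a whole-script homograph is harder to catch than a mixed-script one, here is a simplified, added illustration of the two kinds of check; it is written for this exercise and is not the code of Chrome, Firefox or Opera. Python’s `unicodedata` has no script property, so `script_of` guesses a character’s script from its Unicode name (an assumption of this example), and `LATIN_LOOKALIKES` is a small constructed table standing in for the Unicode confusables data of UTS #39. The `mixed_script_only` flag models a check that only reacts to labels mixing scripts, which is exactly the gap a label made entirely of Latin-lookalike Cyrillic letters slips through.

```python
import unicodedata
from typing import Optional

# Constructed and deliberately incomplete: non-Latin (or accented Latin) letters that
# look like plain Latin letters in common fonts. A real implementation would use the
# Unicode confusables data (UTS #39) instead of a hand-written table like this.
LATIN_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u1e05": "b",  # LATIN SMALL LETTER B WITH DOT BELOW
}


def script_of(ch: str) -> str:
    """Approximate script of one character, taken from the prefix of its Unicode name.
    ASCII letters, digits and '-' count as Latin; other ASCII is 'Common'."""
    if ch.isascii():
        return "Latin" if ch.isalnum() or ch == "-" else "Common"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC"):
        if name.startswith(script):
            return script.title()
    return "Other"


def classify_label(label: str) -> str:
    """'ascii', 'mixed-script', 'latin-extended' (Latin with non-ASCII letters)
    or 'whole-script' (every letter from one non-Latin script)."""
    if label.isascii():
        return "ascii"
    scripts = {script_of(c) for c in label} - {"Common"}
    if len(scripts) > 1:
        return "mixed-script"
    if scripts == {"Latin"}:
        return "latin-extended"
    return "whole-script"


def lookalike_skeleton(label: str) -> Optional[str]:
    """Replace each character by its Latin look-alike; None if any character has none."""
    out = []
    for c in label:
        if c.isascii():
            out.append(c)
        elif c in LATIN_LOOKALIKES:
            out.append(LATIN_LOOKALIKES[c])
        else:
            return None
    return "".join(out)


def should_show_punycode(label: str, mixed_script_only: bool) -> bool:
    """Decide whether an address bar should fall back to the Punycode form.

    mixed_script_only=True models a check that only flags labels mixing scripts.
    False additionally flags any label whose every character has a Latin
    look-alike, which is what catches a whole-script homograph while leaving
    ordinary IDNs (e.g. a label with CJK ideographs, or 'münchen') alone."""
    kind = classify_label(label)
    if kind == "ascii":
        return False
    if kind == "mixed-script":
        return True
    if mixed_script_only:
        return False
    return lookalike_skeleton(label) is not None


if __name__ == "__main__":
    # Sample labels: the whole-script Cyrillic one from the exercise, a mixed-script
    # variant, a legitimate accented label and a CJK label (all constructed here).
    for label in ("\u0430\u0440\u0440\u04cf\u0435", "appl\u0435", "m\u00fcnchen", "\u65e5\u672c"):
        print(label, classify_label(label),
              "mixed-only:", should_show_punycode(label, True),
              "with look-alikes:", should_show_punycode(label, False))
```

The mixed-script-only rule answers `False` for the Cyrillic label even though its look-alike skeleton is `apple`; adding the skeleton test flips that to `True` without flagging `münchen` or the CJK label, whose characters have no Latin look-alikes in the table.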

  1. Run the Chrome browser and visit https://www.xn--80ak6aa92e.com/. In any recent version of Chrome, you should see this warning:

    [Screenshot: Chrome’s homograph warning page]

    Google introduced warnings for whole-script homographs back in 2017, soon after discovery of the issue.

  2. Run the Firefox browser and visit the same site. As of version 79 (July 2020), you will not see any warnings from the browser! Instead, you will be taken directly to the web site created by Xudong Zheng as a proof of concept. Notice that the address bar gives the impression that you are visiting apple.com.

    The Firefox developers made a deliberate decision to not do anything about whole-script homographs, considering this to be the responsibility of domain registrars.

  3. Open a new tab in Firefox and enter about:config in the address bar. Confirm that you wish to proceed, then enter network.IDN_show_punycode in the search box. When the setting is displayed, toggle its value from false to true. Then return to the previous tab showing the fake apple.com site and refresh the page. The address bar should now show the homograph in Punycode form.