/xarvos/ (xarvos@nixnet.social), Tuesday, 07-Jun-2022 04:22:53 UTC:
@rysiek @silmathoron @xpil how about just adding a notice “this URL contains non-ASCII characters which might look like ASCII characters”? Needs the users to know what ASCII characters are, though.

Rysiekúr Memesson (rysiek@mastodon.technology), Tuesday, 07-Jun-2022 04:22:52 UTC:
@xarvos @silmathoron @xpil that obviously makes all IDN websites immediately look suspicious, even if they are completely innocent.

Remco.py (remcoboerma@fosstodon.org), Tuesday, 07-Jun-2022 04:27:43 UTC:
Assuming that most attacks are based on trusted (by the user) domains,
Assuming that a centralized option is not preferable (for all good reasons set out elsewhere in this thread),
Assuming that user browsing preferences are important,
Given that the total of glyph combinations is too large to handle effectively on a large scale,

Remco.py (remcoboerma@fosstodon.org), Tuesday, 07-Jun-2022 04:27:43 UTC:
@rysiek @xpil
What if a browser saves a graphic representation of every domain visible in the address bar (as the user sees it), and compares it graphically (with the prior recorded domain representation images) when a domain is about to be opened (as in, seen by the user in the address bar), and warns when similarity is above a given (yet to be discovered) threshold AND the domain names in Unicode don't match (or differ enough based on textual difference)?

Rysiekúr Memesson (rysiek@mastodon.technology), Tuesday, 07-Jun-2022 04:27:44 UTC:
@TerryHancock @xarvos @silmathoron @xpil sure, we could have some rules like that, and they would be *somewhat* effective.
They would not solve the problem in general though.
Doesn't mean we should not try them, of course.

Remco.py (remcoboerma@fosstodon.org), Tuesday, 07-Jun-2022 04:27:44 UTC:
@rysiek @xpil apparently you have spent much time thinking about this problem, and I'm completely new, but intrigued. Now I can't think of a catch-all solution, but maybe this is something that might help a little.

Rysiekúr Memesson (rysiek@mastodon.technology), Tuesday, 07-Jun-2022 04:27:45 UTC:
@TerryHancock @xarvos @silmathoron @xpil what about "émigré.tld", then?

Terry Hancock (terryhancock@mastodon.art), Tuesday, 07-Jun-2022 04:27:45 UTC:
That's all extended Latin, though, right? And the accents are visible.
Not like having 'е' and 'і' instead of 'e' and 'i'.
Or even 'г' instead of 'r', though you can technically see that one.
Thing is, Cyrillic and Greek character sets are generally used independently, which is why they have confusable characters in the first place. It's pretty rare to have a legit need to mix Cyrillic or Greek characters in with Latin.

Terry Hancock (terryhancock@mastodon.art), Tuesday, 07-Jun-2022 04:27:46 UTC:
A list of confusable-unicode characters would be kind of handy, in general. Surely there must be one somewhere by now?
A suspicious case would be a URL that has characters from such a list, mixed in with other characters from the alternate set.
I.e. if you encounter a Cyrillic 'а' in a URL composed mostly of Latin characters (or any mix of the two, really), that's probably suspicious.
A legit Cyrillic domain name probably wouldn't do that (I think?).

/xarvos/ (xarvos@nixnet.social), Tuesday, 07-Jun-2022 04:27:47 UTC:
@rysiek @silmathoron @xpil come to think of it, the reverse attack might be possible too (e.g. having a Latin letter a amidst Cyrillic characters). Maybe we'd need to list lookalike characters comprehensively.
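The mixed-script rule Terry sketches above, together with the reverse case xarvos raises (a Latin letter inside an otherwise Cyrillic label), as an added example that is not part of the original thread and not anyone's posted code. For the record, such a confusables list does exist: the Unicode Consortium publishes confusables.txt as part of UTS #39 (Unicode Security Mechanisms), which also defines mixed-script detection. This example deliberately does not depend on that file; it derives each character's script from the first word of its Unicode name using only the Python standard library, treats digits and hyphens as shared by every script, and also shows the xn-- form the resolver actually sees via the stdlib idna codec. The hostnames at the bottom are constructed samples; "émigré.tld" passes because every letter is Latin, exactly as Terry notes, while a single Cyrillic U+0435 in "example.com" is flagged.

```python
# Added example (not from the thread): flag hostname labels that mix scripts.
import unicodedata

# Characters shared by every script in a hostname; they never count as a script.
COMMON = set("0123456789-")


def script_of(ch: str) -> str:
    """Coarse script of one character: the first word of its Unicode name
    ("CYRILLIC SMALL LETTER IE" -> "CYRILLIC"). This simplifies the real
    Script property but is exact for the Latin, Cyrillic and Greek letters at issue."""
    if ch in COMMON:
        return "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def scripts_in_label(label: str) -> dict:
    """Map script -> number of characters from it in one label, ignoring COMMON."""
    counts = {}
    for ch in label:
        s = script_of(ch)
        if s != "COMMON":
            counts[s] = counts.get(s, 0) + 1
    return counts


def is_mixed_script(label: str) -> bool:
    """True when a single label draws letters from more than one script."""
    normalized = unicodedata.normalize("NFC", label.lower())
    return len(scripts_in_label(normalized)) > 1


def check_hostname(host: str) -> list:
    """One finding per mixed-script label: (label, majority script, odd code points).
    Empty list means no label mixes scripts. Symmetric: a Cyrillic letter in a
    Latin label is reported, and so is a Latin letter in a Cyrillic label."""
    findings = []
    for label in unicodedata.normalize("NFC", host.lower()).split("."):
        counts = scripts_in_label(label)
        if len(counts) > 1:
            majority = max(counts, key=counts.get)
            odd = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}"
                   for c in label
                   if script_of(c) not in ("COMMON", majority)]
            findings.append((label, majority, odd))
    return findings


def to_ace(host: str) -> str:
    """What DNS sees: each non-ASCII label in its xn-- (Punycode) form,
    produced by the standard library's idna codec."""
    return host.encode("idna").decode("ascii")


if __name__ == "__main__":
    # Constructed samples. \u0435 is CYRILLIC SMALL LETTER IE (looks like 'e');
    # \u0065 is the ASCII 'e' planted inside the Cyrillic word "пример".
    for h in ["example.com", "émigré.tld", "пример.рф",
              "\u0435xample.com", "прим\u0065р.рф"]:
        print(f"{h!r:24} -> {to_ace(h):28} {check_hostname(h) or 'clean'}")
```

The check is per label, so a Cyrillic registry name such as "пример.рф" is clean while the same word with one Latin letter swapped in is reported with the offending code point named; the "UNKNOWN" and "UNNAMED" fallbacks only matter for code points without a Unicode name.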

Remco.py (remcoboerma@fosstodon.org), Tuesday, 07-Jun-2022 04:28:03 UTC:
@rysiek @xpil
vv would appear like w and score badly; qg could still be a nightmare depending on the attack/use; Cyrillic users would be less likely to be tricked into clicking on Latin codes, and the other way around; there are no ownership or who-came-first issues; but attacks on established domain names (based on user trust) could hopefully be spotted more easily.

Rysiekúr Memesson (rysiek@mastodon.technology), Tuesday, 07-Jun-2022 04:28:03 UTC:
@remcoboerma @xpil *and* it's all based on a particular user's past browsing history, not some dreamed-up list of global rules, nor on some (inevitably biased) "AI".
Nice!
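Remco's history-based comparison and the "vv looks like w" case, as an added example that is not part of the thread and not anyone's posted code. It swaps the proposed image comparison for a textual stand-in: every domain is reduced to a confusable "skeleton" (the idea UTS #39 describes under that name), and a new domain is only compared against the domains this user has already visited, which keeps it in the shape Rysiek describes, per-user history rather than a global rule set. The confusables table is a small hand-picked subset written for this example, not Unicode's confusables.txt; exact skeleton equality stands in for the similarity threshold; and the HISTORY list is constructed sample data.

```python
# Added example (not from the thread): warn when a domain about to be opened
# looks like one the user has visited before but is not the same name.
import unicodedata

# Hand-picked subset of lookalikes, constructed for this example only.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0433": "r",  # CYRILLIC SMALL LETTER GHE (the 'г' mentioned in the thread)
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "1": "l",       # digit one vs lowercase L
    "0": "o",       # digit zero vs lowercase o
}
# Two-character sequences that read as one glyph ("vv" looks like "w").
SEQUENCES = {"vv": "w", "rn": "m"}

# Constructed sample of what this user's address bar has shown before.
HISTORY = ["example.com", "wikipedia.org", "paypal.com", "пример.рф"]


def skeleton(label: str) -> str:
    """Collapse one label to its lookalike skeleton: lowercase, NFKC, then
    single-character and two-character confusable substitutions."""
    s = unicodedata.normalize("NFKC", label.lower())
    out = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, glyph in SEQUENCES.items():
        out = out.replace(seq, glyph)
    return out


def host_skeleton(host: str) -> str:
    """Skeleton of a whole hostname, label by label."""
    return ".".join(skeleton(label) for label in host.split("."))


def check_against_history(candidate: str, history) -> list:
    """Return the visited hosts whose skeleton equals the candidate's but whose
    actual (NFC, lowercased) name differs. Empty list: nothing to warn about,
    either because the name is genuinely one already seen or because it
    resembles nothing in this user's history."""
    cand_name = unicodedata.normalize("NFC", candidate.lower())
    cand_sk = host_skeleton(candidate)
    hits = []
    for seen in history:
        seen_name = unicodedata.normalize("NFC", seen.lower())
        if seen_name == cand_name:
            continue  # same name as before: a revisit, not a lookalike
        if host_skeleton(seen) == cand_sk:
            hits.append(seen)
    return hits


if __name__ == "__main__":
    # Constructed candidates: a revisit, a Cyrillic 'а' in a Latin name, the
    # "vv" trick, a digit-for-letter swap, a Latin 'p' inside a Cyrillic name,
    # and an IDN that resembles nothing the user has seen.
    for host in ["paypal.com", "p\u0430ypal.com", "vvikipedia.org",
                 "examp1e.com", "\u043fpимер.рф", "émigré.tld"]:
        hits = check_against_history(host, HISTORY)
        verdict = f"looks like previously visited {hits}" if hits else "no lookalike in history"
        print(f"{host!r:20} skeleton={host_skeleton(host):16} {verdict}")
```

Because the comparison is against the user's own history, a domain the user has never visited produces no warning even if it is an IDN, which is the false-positive case the "émigré.tld" exchange is about; the price is that the table has to be extended by hand for every lookalike pair worth catching, which is the point Remco makes about "qg".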