Security consideration: math symbols in an exotic IP address format in a phishing mail

Markus Scherer markus.icu at gmail.com
Tue May 19 14:33:58 CDT 2020


On Tue, May 19, 2020 at 12:24 PM Phake Nick via Unicode <unicode at unicode.org>
wrote:

> Somewhat relevant, I have previously observed that, if you type/produce a
> link of http://www.abc.def/ghi?jk=lm , and then replace symbol characters
> in the link with some other confusable symbols, like full-width punctuation
> and such, that link will still take you to the intended address. Different
> browsers accept different characters. Sometimes when such a link format is
> being posted onto Internet communities that restrict link sharing, links
> formed from such alternative Unicode characters can bypass link restrictions in
> those communities and potentially take unsuspecting netizens to harmful
> websites.
> I don't understand why browsers would normalize links being clicked/typed
> in such way which would expose users to such risk.
>

IDNA implementations process domain names using a "mapping" step which is
like a variant of NFKC_Casefold. That's why you can use uppercase as well
as other canonical and compatibility equivalents, and out-of-order
combining marks.

markus
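As an added example (not code from the thread), the following approximates the IDNA/UTS #46 mapping step Markus describes with the Python standard library (NFKC plus case folding, plus the UTS #46 label-separator mapping) and shows why a link filter that compares the raw host string misses a variant written with confusable punctuation. The blocklist domain and URL are constructed; the mapping is an approximation of the real IdnaMappingTable and applies to the domain name only, not to the path or query.

```python
import unicodedata
from urllib.parse import urlsplit

# UTS #46 treats these code points as label separators and maps them to U+002E.
LABEL_SEPARATORS = {"\uff0e", "\u3002", "\uff61"}  # ．  。  ｡


def map_domain(host: str) -> str:
    """Approximate the UTS #46 'mapping' step (NFKC_Casefold-like).

    This is an approximation: the real table also marks code points as
    disallowed or deviation, which is not modelled here.
    """
    mapped = "".join("." if ch in LABEL_SEPARATORS else ch for ch in host)
    # NFKC folds compatibility equivalents (fullwidth forms, ligatures, ...)
    # and reorders combining marks; casefold removes case distinctions.
    mapped = unicodedata.normalize("NFKC", mapped).casefold()
    # A second NFKC pass keeps the result stable after case folding.
    return unicodedata.normalize("NFKC", mapped)


def host_blocked(url: str, blocklist: set[str], apply_mapping: bool = True) -> bool:
    """Return True if the URL's host is on the blocklist.

    With apply_mapping=False this is the naive string comparison that a
    confusable-punctuation variant slips past.
    """
    host = urlsplit(url).hostname or ""
    if apply_mapping:
        host = map_domain(host)
    return host in blocklist


# Constructed sample data: one blocked domain and a link to it written with
# fullwidth letters and a fullwidth full stop instead of ASCII.
BLOCKLIST = {"malicious.example"}
CONFUSABLE_URL = "http://\uff2d\uff21\uff2c\uff29\uff23\uff29\uff2f\uff35\uff33\uff0e\uff45\uff58\uff41\uff4d\uff50\uff4c\uff45/ghi?jk=lm"

if __name__ == "__main__":
    print("naive filter blocks:     ", host_blocked(CONFUSABLE_URL, BLOCKLIST, apply_mapping=False))
    print("normalizing filter blocks:", host_blocked(CONFUSABLE_URL, BLOCKLIST))
    print("mapped host:", map_domain(urlsplit(CONFUSABLE_URL).hostname))
```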