Security consideration: math symbols in an exotic IP address format in a phishing mail

Richard Wordingham richard.wordingham at ntlworld.com
Wed May 20 03:03:12 CDT 2020


On Mon, 18 May 2020 22:04:14 +0800
Phake Nick via Unicode <unicode at unicode.org> wrote:

> Somewhat relevant, I have previously observed that, if you
> type/produce a link of http://www.abc.def/ghi?jk=lm , and then
> replace symbol characters in the link with some other confusable
> symbols, like full width punctuation and such, that link will still
> take you to the intended address. Different browsers accept different
> characters. Sometimes when such a link format is being posted onto
> internet communities that restrict link sharing, such alternative
> unicode characters formed links can bypass link restrictions in those
> communities and potentially take unsuspecting netizens to harmful
> websites. I don't understand why browsers would normalize links being
> clicked/typed in such way which would expose users to such risk.

Possibly because it hasn't occurred to them to ban users of CJK
scripts?  Seriously, forcing users to explicitly type narrow
punctuation may be one hurdle too far for usability by some.  Not all
user input of URLs is mere copy and paste.  Sometimes one has to
manually convert '%2F' to '/'.

Calling these characters confusables misses the point that they are
variants of ASCII characters.

Richard.
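As an added illustration (not from the thread), the Python below shows the point both messages circle around: the fullwidth punctuation in the quoted sample link is a compatibility variant of ASCII, NFKC folds every such character back to its ASCII form, and a link filter that matches hosts only on the raw string never sees the host at all. The two sample links are constructed from the example URL in the quoted message; the detector also catches fullwidth letters and digits, not just punctuation.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: the thread's example link as typed, and the same
# link with ASCII punctuation swapped for fullwidth look-alikes
# (FULLWIDTH COLON U+FF1A, SOLIDUS U+FF0F, FULL STOP U+FF0E,
# QUESTION MARK U+FF1F, EQUALS SIGN U+FF1D).
PLAIN_LINK = "http://www.abc.def/ghi?jk=lm"
FULLWIDTH_LINK = "http：／／www．abc．def／ghi？jk＝lm"


def ascii_variants(url):
    """Return (offset, char, ascii_form) for each character whose NFKC
    mapping is a single ASCII character other than itself, i.e. the
    fullwidth/halfwidth variants of ASCII the thread talks about."""
    hits = []
    for i, ch in enumerate(url):
        folded = unicodedata.normalize("NFKC", ch)
        if folded != ch and len(folded) == 1 and folded.isascii():
            hits.append((i, ch, folded))
    return hits


def canonical(url):
    """Fold compatibility variants so the filter sees the string the
    browser ends up resolving rather than the string that was posted."""
    return unicodedata.normalize("NFKC", url)


def host_blocked(url, blocklist, fold=True):
    """Host-based link filter. With fold=False it matches on the raw
    string, which is exactly how a fullwidth link slips past it: urlsplit
    finds no ASCII '://' and reports no host."""
    target = canonical(url) if fold else url
    host = urlsplit(target).hostname or ""
    return host.lower() in blocklist


if __name__ == "__main__":
    for off, ch, ascii_form in ascii_variants(FULLWIDTH_LINK):
        print(f"offset {off}: U+{ord(ch):04X} is a variant of {ascii_form!r}")
    print("folded:", canonical(FULLWIDTH_LINK))
    print("raw match:", host_blocked(FULLWIDTH_LINK, {"www.abc.def"}, fold=False))
    print("folded match:", host_blocked(FULLWIDTH_LINK, {"www.abc.def"}))
```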


