Security consideration: math symbols in an exotic IP address format in a phishing mail
Phake Nick
c933103 at gmail.com
Wed May 20 10:14:21 CDT 2020
On Wed, 20 May 2020 at 22:30, Richard Wordingham via Unicode <unicode at unicode.org>
wrote:
> On Mon, 18 May 2020 22:04:14 +0800
> Phake Nick via Unicode <unicode at unicode.org> wrote:
>
> > Somewhat relevant, I have previously observed that, if you
> > type/produce a link of http://www.abc.def/ghi?jk=lm , and then
> > replace symbol characters in the link with some other confusable
> > symbols, like full width punctuation and such, that link will still
> > take you to the intended address. Different browsers accept different
> > characters. Sometimes when such a link format is posted on
> > internet communities that restrict link sharing, links formed with
> > such alternative Unicode characters can bypass link restrictions in
> > those communities and potentially take unsuspecting netizens to
> > harmful websites. I don't understand why browsers would normalize
> > links being clicked/typed in such a way, which exposes users to such risk.
>
> Possibly because it hasn't occurred to them to ban users of CJK
> scripts? Seriously, forcing users to explicitly type narrow
> punctuation may be one hurdle too far for usability by some. Not all
> user input of URLs is mere copy and paste. Sometimes one has to
> manually convert '%2F' to '/'.
>
> Calling these characters confusables misses the point that they are
> variants of ASCII characters.
>
> Richard.
As a native Chinese speaker I have never seen anyone typing URL punctuation
in full width, other than a.) to confuse URL filtering systems, or b.) on a
few archaic printed documents that are not intended to be circulated in
digital format.
Also, sometimes browsers accept not just the exact fullwidth version of the
character but also other similar characters; for example a URL like
https://ᵢ。Ⅰ㎎Ⓤᵣ.ℂ🄾𝓶/ would also work in Chrome and take you to
imgur's site.
These characters are described as "confusable" in UTR #36, and I
followed that usage of the term in my email.
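The behaviour discussed in this thread, shown as an added example that is not part of the original message or of any Unicode project code: a Python sketch of the canonicalization a link filter can apply before matching, so that a URL written with fullwidth or other compatibility variants is compared by its real target rather than by its raw characters. The mapping (NFKC, case folding, and the UTS #46 rule that U+3002, U+FF0E and U+FF61 are label separators) is my approximation of what browsers do before lookup, not a full UTS #46 implementation; the function names, the simplified URL splitting and the sample links are mine, the samples being constructed from the two URLs quoted above.

```python
"""Flag URLs whose non-ASCII characters collapse to a plain ASCII URL under
compatibility normalization (fullwidth punctuation, enclosed or subscript
letters, math alphanumerics).  Example code for this page; not the mailing
list author's code.  Approximation of browser hostname mapping, not UTS #46."""
import unicodedata

# UTS #46 treats these three characters as label separators in hostnames in
# addition to U+002E; NFKC on its own does not touch U+3002.
_LABEL_SEPARATORS = {"\u3002": ".", "\uff0e": ".", "\uff61": "."}


def canonical_host(host: str) -> str:
    """Separator substitution, NFKC compatibility mapping, case folding.
    No validity checks and no Punycode: enough to compare targets, no more."""
    mapped = "".join(_LABEL_SEPARATORS.get(ch, ch) for ch in host)
    return unicodedata.normalize("NFKC", mapped).casefold()


def canonical_url(url: str) -> str:
    """NFKC-normalize the whole string first (this turns fullwidth '／', '？',
    '＝' and '．' into their ASCII forms), then split on '://' and the first
    '/' and map the host part.  Deliberately simple parsing, not a URL parser."""
    norm = unicodedata.normalize("NFKC", url)
    scheme, sep, rest = norm.partition("://")
    if not sep:                      # no scheme: the string starts with the host
        scheme, rest = "", norm
    host, slash, path = rest.partition("/")
    return scheme.casefold() + sep + canonical_host(host) + slash + path


def host_of(url: str) -> str:
    """Canonical host of a URL, for blocklist/allowlist comparison."""
    rest = canonical_url(url).partition("://")[2] or canonical_url(url)
    return rest.partition("/")[0]


def is_disguised(url: str) -> bool:
    """True when the URL contains non-ASCII characters yet canonicalizes to
    pure ASCII: every non-ASCII character was a compatibility variant of an
    ASCII one.  A genuine IDN (non-ASCII that survives mapping) is not flagged."""
    return not url.isascii() and canonical_url(url).isascii()


# Constructed samples, built from the links quoted in the thread.
SAMPLE_LINKS = [
    "https://ᵢ。Ⅰ㎎Ⓤᵣ.ℂ🄾𝓶/",                  # subscript, roman numeral, squared, circled, math letters
    "http://www．abc．def／ghi？jk＝lm",        # fullwidth punctuation only
    "https://example.com/",                    # plain ASCII, nothing to flag
    "https://例え.jp/",                        # real IDN: non-ASCII survives mapping, not flagged
]


def report(links=SAMPLE_LINKS):
    """Return (original, canonical, flagged) for each link; printed by main."""
    return [(u, canonical_url(u), is_disguised(u)) for u in links]


if __name__ == "__main__":
    for original, canon, flagged in report():
        print(f"{'DISGUISED' if flagged else 'ok       '}  {original!r} -> {canon!r}")
```

A filter that keys on `host_of(url)` rather than on the raw string sees `i.imgur.com` for the first sample and `www.abc.def` for the second, which is the comparison the communities mentioned above were not making. The check is intentionally one-directional: it only reports links that become ASCII after mapping, so legitimate internationalized domain names are left alone.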