For those who use Chrome or Firefox be aware because what it may seem, it is may not! Browsers are today fundamental tools in any system. User safety is a key point, but did you know that the most popular browsers can fool you? True, imagine for example that in the address bar has the URL of your bank and the link even has https. Apparently everything is alright and we are supposed to be facing a secure website, however, in Chrome and Firefox, it may not be that way.
Punycode! But what’s the problem?
The problem is in the URL itself that although it seems legitimate is not, this is because of the Unicode characters that allow URLs with characters existing in other languages that are very similar to those we know. Both Chrome and Firefox display links with Unicode characters and not in Punycode format.
Let’s take an example
In the Wordfence site, an example is available that allows to better understand this “failure” in the browsers. For this, the domain “epic.com” was created that points to a false site (but the address looks like the original one). If we upload to this site we realize that we are not actually accessing epic.com but rather the domain https://www.xn--e1awd7f.com. However, if you want to see the demonstration of this Phishing attack then simply click here. However, this happens only in Chrome and Firefox because these two browsers do not have the address in Punycode format.
This bug affects the current versions of Chrome (57.0.2987) and also Firefox (52.0.2). In Internet Explorer and Safari there is no problem. How the problem can be solved in Firefox:-
In your address bar write ‘about:config’ without space. Look for ‘Punycode’ without the sticks. You should find a parameter titled: network.IDN_show_punycode Change the value from false to true.
Now, if you are experimenting after setting the true, when visiting the demonstration site it should look like this:-
For Google Chrome there is still no method to repair but as soon as it is available, we will report the news.
Δ
