Domains are an integral part of the internet. Just as people write different languages using different characters or scripts, domain names can be composed of various scripts in whole or in part; such names are called Internationalized Domain Names (IDN). It is possible to create labels which look alike by combining characters from different scripts. An example would be using Cyrillic “а” (U+0430), which resembles ASCII “a” (U+0061). Malicious players could abuse this to spoof domain names and trick the user. For this reason, browsers have been very careful in determining when to show the Unicode form of the characters composing an IDN and when to show an alternative form consisting only of ASCII letters, called Punycode.

Recently, through the work of Xudong Zheng, such an IDN homograph phishing possibility was revealed. It took advantage of a case which was not previously covered by the checks that determine how an IDN is displayed in the address field and other UI. Chromium fixed this quite quickly. As Opera has been participating in the Chromium project since 2013, we have now merged this fix to all channels, and a stable channel update of the Opera Desktop browser will be released in the coming week.
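A simplified sketch of the Unicode-or-Punycode display decision described above, added here as an illustration and not Opera's or Chromium's actual code. It flags mixed-script labels and also labels written entirely in Cyrillic letters that resemble ASCII, which a mixed-script check alone does not catch; the lookalike table, the script approximation via Unicode character names, and the function names are assumptions of this example.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that resemble ASCII letters.
# Assumption for this example; real browsers use Unicode confusables data.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # а
    "\u0435": "e",  # е
    "\u043e": "o",  # о
    "\u0440": "p",  # р
    "\u0441": "c",  # с
    "\u0443": "y",  # у
    "\u0445": "x",  # х
}


def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def to_punycode(label):
    """ASCII-compatible form of a single label (no nameprep, illustration only)."""
    return "xn--" + label.encode("punycode").decode("ascii")


def display_form(label):
    """Return the label as the UI should show it: Unicode if safe, else Punycode."""
    label = label.lower()
    if label.isascii():
        return label
    found = scripts(label)
    # Case 1: letters from more than one script in the same label.
    mixed = len(found) > 1
    # Case 2: a single-script label made up only of ASCII lookalikes.
    whole_script_spoof = found == {"CYRILLIC"} and all(
        ch in CYRILLIC_LOOKALIKES or not ch.isalpha() for ch in label)
    if mixed or whole_script_spoof:
        return to_punycode(label)
    return label


if __name__ == "__main__":
    # Constructed sample labels: ASCII, mixed-script, all-lookalike, ordinary Cyrillic.
    for sample in ["example", "\u0430pple", "\u0441\u0430\u0440\u0435", "пример"]:
        print(repr(sample), "->", display_form(sample))
```

An ordinary Cyrillic word such as “пример” keeps its Unicode form because it contains letters with no ASCII lookalike.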

While a few demonstration websites were set up to show how this attack might work, real attacks are much less likely to appear. To use this for phishing, an attacker would need to get past a domain registrar’s checks in order to register a domain which appears to be the same as the domain name they are trying to falsify. Domain registrars are now aware of this case, and should improve their checks accordingly.

We hope this information is helpful for you. Please feel free to leave your feedback in the comment box below if you have any concerns. Browse safe.

25 April 2017 edit: The update has been released.
