Friday, April 21, 2017

Why Links Ain't Links

[note: Editor's Post]

It seems that a simple topic like "Why isn't a Link a Link?" would be, ahhh, simple... but it's more complicated, and that's what makes it simple?

Got that?

Hmmm OK

So today's report comes from an article 1 describing how your browser (Chrome, Firefox, or Opera) gets tricked into showing you an address that isn't what it looks like.

It's a curious explanation that enters another aspect of "Why isn't a Link a Link?". One that doesn't get a lot of traction because, well... it just doesn't.

Don't ask me "why"... I dunno.

So starting with the fundamentals (fundamentals are always good for you). Everything done in a computer is a series of 1s and 0s. Like X and O but less friendly.

People Above My Pay Grade gathered together (and still do) to decide what the 1s and 0s mean. You might think that 1 and 0 are pretty straightforward but... WRONG!!

It's all in the way it's defined. And there are a whole lot of definitions of what 1 and 0 mean. And that's what makes the internet work.

1100 might mean any of hundreds of things depending on the context where it is used.

Because it is rather hard for humans to deal with 1s and 0s, I'll use the alphabet as an example.

A B C D E F G

A simple sequence - if you start at A.

ABCDEFG That's left to right, horizontal.

But if you start at the other end with G, going right to left, it's different: GFEDCBA.

If you start in the middle with D and go right, it wraps around and becomes DEFGABC.

If you start in the middle and go left, it's DCBAGFE.

Like playing musical scales. Infinite variations.

So, something like 110001110001000100 can mean a lot of things, depending on where you start from. So those Folks Earning The Big Bucks get together to decide where you start from in different situations.

Sounds good.

Well, it's supposed to work. But it doesn't.

That's because other More Clever People Than Them figure out ways to trick humans and machines into starting the sequences in the wrong place.

It's like eating a donut from the inside out... messy.

Machines are, after all, just dumb hunks of metal and plastic, but humans on the other hand are... gullible (aka social engineering 2).

Upping the ante a bit.

The internet is international. DOHHHHHH SNOOOZE

The blog has a translator option where you can read it in just about any language for which Google has a translation engine.

So A isn't just A. Other countries use accent marks. Some languages have more than 26 letters in the alphabet (52 with capitals and lowercase), plus numbers 0-9 and symbols like + / - etc., and lots of other things that need to be displayed. Chinese alone has thousands of characters. 3

Here is how plain old ASCII spells a few letters in 7 bits (the bits on the left, the character they stand for on the right):

100 0001 A
110 0001 a
100 0010 B
110 0010 b

Ohhhh Ohhhh ... looks like maths...

No worries

If we flip just one bit, the second from the left, from 1 to 0:

110 0001 a becomes 010 0001 !
110 0010 b becomes 010 0010 "

a becomes a !
and
b becomes a "

Easy as pie!

And that's the problem. It's easy.

Back to today's report. The article 1 describes how some Clever BlockHeads trick your browser (Chrome, Firefox, or Opera) into showing you an address that isn't what it looks like.

Huh???

What it does is take an address that's built from a funky sequence of characters, and the browser displays it your way. A domain name that uses non-English letters is stored and sent as plain ASCII starting with xn-- (the geeks call it Punycode), and your browser converts that back into the pretty letters before it shows you the address bar. You see the letters, never the funky sequence.

Hold that thought....

If you are reading this in English (USA) then the characters will look "normal" to you. If you use the translator option, the text will shift to Spanish or French or whatever you select. So the browser displays what you most expect it to show you.

Getting that warm fuzzy feeling yet? Didn't think so..

So these Clever BlockHeads figured out that they can register something like

xy-nnn-zbs08ssy

and get your browser to display it as something you will recognize. I made this one up (real ones start with xn--), but the RealDealTrap would use a sequence that renders as a "near perfect" match to what you expect to see. Perhaps some slight shift in the font face, but nothing glaring. The hook is made from some other alphabet whose letters are shaped like ours, Cyrillic or Greek for instance: a Cyrillic а, е, о, р, с or х looks just like its Latin twin in most fonts.

Sort of like a computer homonym (the security folks call it a homograph attack: different characters that look the same).
  • row (propel with oars)
  • row (argument)
  • row (a linear arrangement of seating)

Except this one is purely intended to steal your information. Not that we don't just give it away or have it taken, but there are still a few limits.

The issue isn't just English (USA); it can happen in any language. 3
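To make the "funky sequence" concrete, here is an added example (mine, not code from the original post or from the Ars article): it converts between the xn-- form that DNS sees and the Unicode form the address bar shows, then applies two checks a browser or phishing filter can run on each label. The domain names are constructed for the demo, and the confusables map is a hand-picked excerpt, not Unicode's full table.

```python
# Added example (not from the original post): Punycode round trip plus two
# look-alike checks.  Sample domains are constructed; the confusables map is
# an assumed excerpt of Unicode's confusables.txt (UTS #39), not the whole thing.
import unicodedata

# Cyrillic letters that render like Latin ones in most fonts (assumed excerpt).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def to_ascii(hostname: str) -> str:
    """The form sent in DNS: every non-ASCII label becomes xn-- plus Punycode."""
    return hostname.encode("idna").decode("ascii")


def to_unicode(hostname: str) -> str:
    """The form the address bar shows: xn-- labels decoded back to Unicode."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Writing systems used by the letters of one label, taken from the first
    word of each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...).
    A crude stand-in for the real Script property, good enough for the demo."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(label: str) -> str:
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in label)


def inspect_hostname(hostname: str) -> dict:
    """Accepts either the wire form (xn--...) or the displayed Unicode form and
    reports what the user sees, what DNS sees, and why a label looks fishy:
      - it mixes scripts (a Latin l wedged between Cyrillic letters), or
      - it is single-script but spells a Latin word once confusables are mapped.
    Plain ASCII names and honest IDNs such as muenchen.de give no findings."""
    shown = to_unicode(hostname) if hostname.isascii() else hostname
    findings = []
    for label in shown.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        elif skeleton(label) != label:
            findings.append(f"label {label!r} renders like Latin {skeleton(label)!r}")
    return {"display": shown, "wire": to_ascii(shown), "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a real name, an honest IDN, and two look-alikes
    # (Cyrillic a-p-p-Latin l-Cyrillic e, and all-Cyrillic s-o-s-o).
    for name in ("apple.com", "m\u00fcnchen.de",
                 "\u0430\u0440\u0440l\u0435.com", "\u0441\u043e\u0441\u043e.com"):
        report = inspect_hostname(name)
        print(report["display"], "->", report["wire"], report["findings"] or "ok")
```

The mixed-script rule is what most browsers lean on; the skeleton rule is needed for the all-Cyrillic case, where nothing is mixed and only the shapes give it away. Note the honest IDN passes both checks: the point is to flag names that imitate a Latin name, not every name with a non-ASCII letter in it.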

The People Above My Pay Grade defined it to be so. They could fix it if they wanted to.
They don't.
So they won't.

There may be a specific patch or fix for one instance of this language surfing (browsers do add display rules for the worst cases, and Firefox has an about:config switch, network.IDN_show_punycode, that makes the address bar show the raw xn-- form so the trick is plain to see), but the same thing happens with other symbols too.

You like emoji and emoticons? Those happy faces and animated party hat icons? You like that flag flapping one? Because these can contain hidden tag-alongs too: one little picture is often several characters glued together, and some of them draw nothing at all (the England flag, for one, is a plain black flag followed by invisible "tag" characters that spell out gbeng). A character you can't see is much harder to spot than a Cyrillic a.

Perhaps the flag flapping one oughta flap a red flag ...
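Here is an added example (mine, not from the original post) that lists the characters in a string that draw nothing on screen, which is the "tag-along" problem above. The sample strings, a zero-width space hidden inside a word and a few emoji, are constructed for the demo.

```python
# Added example (not from the original post): find the invisible characters in
# a string.  The sample strings below are constructed for the demo.
import unicodedata


def hidden_code_points(text: str) -> list:
    """(index, code point, name) for every character whose Unicode general
    category is Cf (format): zero-width joiners and spaces, directional
    overrides, and the TAG characters that some flag emoji are spelled with.
    Ordinary letters, digits and pictographic emoji are not Cf and are skipped."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(text)
        if unicodedata.category(ch) == "Cf"
    ]


def visible_length(text: str) -> int:
    """How many code points actually draw something, versus len(text)."""
    return len(text) - len(hidden_code_points(text))


# Constructed samples
PAYPAL_WITH_GAP = "pay\u200bpal"           # a ZERO WIDTH SPACE after "pay"
US_FLAG = "\U0001F1FA\U0001F1F8"           # two regional indicators, nothing hidden
ENGLAND_FLAG = ("\U0001F3F4"               # black flag
                "\U000E0067\U000E0062\U000E0065\U000E006E\U000E0067"  # tags: g b e n g
                "\U000E007F")              # CANCEL TAG
FAMILY = "\U0001F468\u200D\U0001F469\u200D\U0001F467"  # man ZWJ woman ZWJ girl

if __name__ == "__main__":
    for label, sample in (("paypal?", PAYPAL_WITH_GAP), ("US flag", US_FLAG),
                          ("England flag", ENGLAND_FLAG), ("family", FAMILY)):
        print(f"{label}: {len(sample)} code points, {visible_length(sample)} visible")
        for idx, cp, name in hidden_code_points(sample):
            print(f"    at {idx}: {cp} {name}")
```

The same check run over link text, not just the address, is how you catch "pay pal" with a zero-width space in it: seven code points on the wire, six on the screen. The plain US flag shows nothing hidden, the England flag is one visible flag plus six format characters.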

So that's today's episode of Why a Link isn't a Link...


KimB Editor
Someday a rant on: Tiny URLs or URL shortening 4

References
1. https://arstechnica.co.uk/security/2017/04/chrome-firefox-and-opera-unicode-phishing/
   This isn't the apple.com you're looking for: Chrome, Firefox, Opera users beware
   Unicode sleight of hand makes it hard for even savvy users to detect impostor sites.
   Dan Goodin (US) - Apr 21, 2017 7:26 am UTC
2. https://en.wikipedia.org/wiki/Social_engineering_(security)
3. https://en.wikipedia.org/wiki/Unicode
4. https://en.wikipedia.org/wiki/URL_shortening

