Abstract
Homograph attacks are a very common type of security vulnerability on the Web. The attack aims to hide the origin of a domain name by switching some letters in the URL. As the Web evolves beyond its traditional base of English-speaking users, this kind of threat will increase significantly with the use of non-Latin scripts in the entire domain name. The recent introduction of Internationalized Domain Name (IDN) country-code Top-Level Domains (ccTLDs) has made this new homograph attack possible. This paper outlines some of the possible security risks of using non-Latin scripts in the domain name, with examples drawn from Arabic, including the confusion that arises from transforming non-Latin scripts to ASCII Compatible Encoding (ACE). The paper describes some of the existing defenses against IDN homograph attacks, such as whitelisting of domains and algorithmic analysis of the scripts in the URL. A preliminary design for a new client-side approach to the problem is also outlined. The approach focuses on drawing the user's attention to possible threats when browsing a non-Latin Web site. Some of the techniques being considered include Punycode generation and comparison, highlighting confusing letters (including increasing font sizes for Arabic script), and pre-fetching thumbnail images of Web pages. These solutions will not prevent the attack, but they can provide a visual defense to the user in an unobtrusive and easily adoptable manner.
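The sketch below illustrates the Punycode generation and comparison, whitelist check and letter highlighting mentioned in the abstract. It is an example added here, not code from the paper. The two-entry fold table and the sample domain names are constructed assumptions, and ACE conversion uses Python's built-in IDNA 2003 codec.

```python
import unicodedata

# Assumed fold table (constructed, two entries only): Arabic-script code points
# that render like a standard Arabic letter in initial and medial positions.
FOLD = {
    "\u06A9": "\u0643",  # ARABIC LETTER KEHEH -> ARABIC LETTER KAF
    "\u06CC": "\u064A",  # ARABIC LETTER FARSI YEH -> ARABIC LETTER YEH
}

def to_ace(domain: str) -> str:
    """ASCII Compatible Encoding (xn-- Punycode labels) via Python's IDNA 2003 codec."""
    return domain.encode("idna").decode("ascii")

def skeleton(domain: str) -> str:
    """Normalize, then fold confusable letters so look-alike names compare equal."""
    return "".join(FOLD.get(ch, ch) for ch in unicodedata.normalize("NFC", domain))

def highlight(domain: str) -> list:
    """Positions a client could emphasize: (index, code point, Unicode name)."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch))
            for i, ch in enumerate(domain) if ch in FOLD]

def check(visited: str, trusted: list) -> dict:
    """Compare a visited domain with a whitelist by ACE form, then by skeleton."""
    ace = to_ace(visited)
    result = {"ace": ace, "verdict": "unknown", "match": None, "highlight": []}
    for name in trusted:
        if to_ace(name) == ace:  # identical on the wire: the whitelisted site
            return {"ace": ace, "verdict": "trusted", "match": name, "highlight": []}
        if skeleton(name) == skeleton(visited):  # looks the same, resolves elsewhere
            result.update(verdict="lookalike", match=name, highlight=highlight(visited))
    return result

# Constructed sample names under the Egyptian IDN ccTLD (U+0645 U+0635 U+0631).
TLD = "\u0645\u0635\u0631"
TRUSTED = ["\u0643\u062A\u0627\u0628." + TLD]   # first letter KAF (U+0643)
LOOKALIKE = "\u06A9\u062A\u0627\u0628." + TLD   # first letter KEHEH (U+06A9)

if __name__ == "__main__":
    for name in (TRUSTED[0], LOOKALIKE):
        print(check(name, TRUSTED))
```

The two sample names differ in a single code point, so their ACE forms differ even though the rendered text is nearly indistinguishable; the `highlight` entries give the positions a client could enlarge or color.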