In the spring of 2017, researcher Xudong Zheng hosted a website under the domain name “apple.com”. At first glance, you might think this is the official website of giant tech company “Apple”, right? But it’s not! It is a counterfeit website that Xudong Zheng used to draw attention to the problem of fake websites.
You see, the trick to the “apple.com” website lies in the letter “a”. This “a” is normally a Latin character. The domain registered by Xudong Zheng, however, replaced it with a Cyrillic character by using the Unicode code point of the Cyrillic “а” instead of the Latin “a”. As you can see, the two characters are virtually identical.
Had a malicious person or organization done this, they could easily have used the website to scam unsuspecting people and steal information such as credit card numbers and passwords.
But thanks to research, modern browsers have been updated to counter the problem of fake domains with a replaced character.
So how did they accomplish this? Well, a number of options have been explored by security researchers, such as:
Not mixing different character sets: this one is a bit complicated. Many languages such as Chinese, Korean, and Japanese use mixed character sets to write their characters, so their domain names often have to mix character sets. That’s why disallowing mixed character sets isn’t the best solution, although it would solve the problem to some extent.
Complete removal of Cyrillic characters from URLs: disallowing certain characters would only trade convenience for security. While this would solve the problem for languages that do not use these extra characters, people who do use them would suffer. For example, if you forbid all Japanese characters because they are not used in English, how would Japanese people have access to these sites?
Disallowing URLs outside of users’ preferred languages: This would certainly work, as annoying as that might be. Yes, the user will need to add the website they are trying to access to their preferred languages before opening it. But this begets the problem of poor user experience.
Show a warning if a website looks suspicious: Checking the integrity of a website involves many steps that we won’t cover in this article. But if the website looks suspicious, the user will get a warning that the website they are trying to access might be fake. It’s a step in the right direction, but it is not foolproof.
These solutions were a little different from what modern browsers have ended up doing.
Eventually, browsers such as Google and Firefox started detecting these counterfeit websites. Once they noticed a suspicious website, they showed the URL in the form of Punycode. For example, googlé.com would appear as xn--googl-fsa.com. Along with this, they also displayed a warning to anyone who visited the domain. In the warning, they also linked to the genuine website to avoid confusion.
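The sketch below is an added example, not code from any browser: it flags labels that mix scripts (such as a Cyrillic “а” inside Latin “pple”) and shows only those as Punycode, while leaving legitimate mixes like Han plus Latin readable. The `ALLOWED_MIXES` list and the use of Unicode character names to guess a script are simplifying assumptions made for this example.

```python
import unicodedata

# Script mixes treated as legitimate inside one label. Simplified assumption
# for this example: Japanese and Korean names combine several scripts.
ALLOWED_MIXES = [
    {"LATIN", "CJK", "HIRAGANA", "KATAKANA"},
    {"LATIN", "CJK", "HANGUL"},
]

def scripts(label):
    """Approximate the scripts in a label from Unicode character names."""
    found = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue  # digits and hyphens are shared by every script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def is_suspicious(label):
    """True when a label mixes scripts outside the allowed combinations."""
    used = scripts(label)
    if len(used) <= 1:
        return False
    return not any(used <= allowed for allowed in ALLOWED_MIXES)

def to_punycode(label):
    """ASCII (xn--) form of one label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def display_form(domain):
    """Keep harmless labels readable, show suspicious ones as Punycode."""
    labels = domain.lower().split(".")
    return ".".join(to_punycode(l) if is_suspicious(l) else l for l in labels)

if __name__ == "__main__":
    samples = [  # constructed inputs
        "\u0430pple.com",            # Cyrillic "а" followed by Latin "pple"
        "apple.com",                 # all Latin
        "\u6771\u4eactower.jp",      # Han + Latin, a legitimate mix
    ]
    for name in samples:
        print(ascii(name), "->", display_form(name))
```

A label written in a single script, such as googlé, is not flagged by this mixed-script check; `to_punycode` still gives its ASCII form, xn--googl-fsa.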