The HTTPS protocol is a staple of modern web communication: backed by strong TLS cryptography, it offers a degree of security that’s sufficient for most circumstances. But that doesn’t mean hackers have given up on HTTPS domains.
One common method of attack is called HTTPS spoofing, in which an attacker uses a domain that looks very similar to that of the target website. With this tactic, also known as a “homograph attack”, characters in the target domain are replaced with non-ASCII characters that are very similar in appearance. The unsuspecting user is very unlikely to notice the difference and is reassured by the browser’s secure connection indicator.
To stage homographic attacks, hackers register a domain name that is similar to that of the target website, and also register an SSL certificate for it to make it look legitimate and secure. Then they send a link to their intended victim. Since most browsers display punycode-encoded hostnames as their Unicode characters in the address bar, when the user browses to the address, they won’t notice that it is a bogus version of the site they expect to visit. Their browser even shows that the website’s certificate is legitimate and secure, making the attack even harder to detect.
From there, while the user thinks they are interacting with a legitimate encrypted website, they have in fact fallen victim to a man-in-the-middle attack and are giving away their information to a malicious actor. Security researcher Xudong Zheng showed a proof-of-concept of this attack last year, in which he spoofed the HTTPS website of apple.com.
One of the ways to prevent HTTPS spoofing is to disable punycode display support in your browser. This makes sure that the real, encoded domain name is shown in the address bar, which warns you if you’re visiting a non-authentic website. For instance, when you visit the address in the proof-of-concept mentioned above, you’ll see “https://www.xn--80ak6aa92e.com” in your address bar instead of seeing “apple” with a Cyrillic “a.”
Another protection against homographic attacks is to use a password manager. Password managers will automatically fill in the username and address boxes of websites when you’re visiting the legitimate domain. They’re not fooled by the looks of punycode representations.
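Both protections above come down to comparing the encoded hostname rather than its rendered appearance. The following is an added example, not code from the original article: it converts a hostname to its punycode form, matches it exactly against known sites, and flags names that only read like one. The `LOOKALIKES` table and the `KNOWN_GOOD` list are constructed assumptions.

```python
# Constructed table of Cyrillic letters and the Latin letters they resemble.
# Assumption for this example; it is not a complete confusables list.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
}
# Hypothetical list of sites the user really has accounts on.
KNOWN_GOOD = {"apple.com", "www.apple.com"}


def to_ascii(host):
    """Encoded hostname, as the address bar shows it with punycode display off."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        labels.append(label)
    return ".".join(labels)


def to_unicode(ascii_host):
    """Decode every xn-- label back to the characters a browser would render."""
    labels = []
    for label in ascii_host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)


def check_host(host):
    """Return (verdict, encoded_host); verdict is exact, lookalike or unknown."""
    ascii_host = to_ascii(host)
    if ascii_host in KNOWN_GOOD:  # exact match on the encoded name
        return "exact", ascii_host
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in to_unicode(ascii_host))
    if skeleton in KNOWN_GOOD:  # reads like a known site but is a different name
        return "lookalike", ascii_host
    return "unknown", ascii_host


if __name__ == "__main__":
    for h in ("www.apple.com", "www.xn--80ak6aa92e.com", "example.org"):
        print(h, check_host(h))
```

A mail gateway or link-preview tool could run a check like this on the host part of every URL and show the encoded name whenever the verdict is `lookalike`.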