HTTPS spoofing

HTTPS websites can’t be spoofed. But that doesn’t mean hackers can’t create websites whose domains look very similar to that of the targeted website. HTTPS spoofing, also known as homograph attacks, replace characters in the targeted site’s domain with other non-ASCII characters that are very similar in appearance. The attack exploits a feature called Punycode, a standard that enables the registration of hostnames that contain non-ASCII characters.

To stage homographic attacks, hackers register a domain name that is similar to the target website, and they also register its SSL certificate to make it look legitimate and secure. Then they send a link to their intended victim. Since most browsers support the display of punycode hostnames in their address bar, when the user browses to the address, they won’t notice that it is a bogus version of the site they expect to visit. Their browser even shows that the website’s certificate is legitimate and secure, further making it difficult to detect the attack.

From there, while the user thinks they are interacting with a legitimate encrypted website, they have in fact fallen victim to a man-in-the-middle attack and are giving away their information to a malicious actor. Security researcher Xudong Zheng showed a proof-of-concept of this attack last year, in which he spoofed the HTTPS website of

One of the ways to prevent HTTPS spoofing is to disable punycode display support in your browser. This will make sure that the real, encoded domain name in the address bar and warn you if you’re visiting a non-authentic website. For instance, when you visit the address in the proof-of-concept mentioned above, you’ll “see” in your address bar instead of seeing “apple” with a Cyrillic “a.”

Another protection against homographic attacks is to use a password manager. Password managers will automatically fill in the username and address boxes of websites when you’re visiting the legitimate domain. They’re not fooled by the looks of punycode representations.