Can you tell which is phishing? You can't. That's the problem with Unicode look-a-like character substitution. wordfence.com/blog/2017/04/c…
@_mwc Wow, this is dangerous. 100% identical, there is no way to differentiate the 2 by looking at the address bar.
@_mwc @josephfcox Quite easily, if using Firefox. 1) Just hovering over the padlock I can see that one of the certs is from Let's Encrypt, not from Epic.
@_mwc Glad Firefox stepped up. Fix coming @googlechrome ? I glance at the address bar a lot in order to confirm legitimacy. Ouch
@_mwc @timpastoor Brave browser handles it correctly with еріс.com
@_mwc This will help if (window.location.hostname.includes("xn--")) alert("Phishing Alert!");
@_mwc @darkfelex And here is how it looks in @vivaldibrowser
@_mwc @JacobclResch You can, with a little bit of help :) chrome.google.com/webstore/detai…
@_mwc @hashbreaker warned us about these attacks back in 2002. cr.yp.to/djbdns/idn.html
@_mwc I briefly did a project for Microsoft that measured the similarity of all Unicode characters to ASCII and checked for phishy bing domains.
@_mwc @bjschrijver This is gold. I wish chrome and firefox guys never fix it.
@_mwc URL should be hashed and mapped to a colour in the URL bar
@_mwc @timpastoor Luckily in FF it is easy to fix. Thanks for sharing!
@_mwc Nice demo. Is there a Mozilla ticket open yet?
@_mwc @FioraAeterna You can't just disable IDN though because that causes problems for speakers of languages with non-Latin scripts.
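The one-line "xn--" check posted earlier in the thread fires on every internationalised hostname, which is exactly the problem the tweet above raises: it would also flag legitimate non-Latin domains. The block below is an added example, not code from any tweet or browser in the thread. It decodes Punycode labels with a small RFC 3492 decoder and then flags a label only when it mixes scripts or is built entirely from Cyrillic letters that render like Latin ones; the look-alike table is a constructed, deliberately partial list (a real check would use the Unicode confusables data), and the hostnames used in the comments are the well-known Cyrillic "apple" demo and "пример.рф" rather than the exact domains from the thread.

```javascript
// Added example: targeted homograph check that decodes "xn--" labels and flags
// script mixing or all-look-alike labels, instead of flagging every IDN.

// --- Minimal RFC 3492 Punycode decoder (no dependencies) ---
const BASE = 36, T_MIN = 1, T_MAX = 26, SKEW = 38, DAMP = 700;

function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - T_MIN) * T_MAX) >> 1) {
    delta = Math.floor(delta / (BASE - T_MIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - T_MIN + 1) * delta) / (delta + SKEW));
}

function punycodeDecode(encoded) {
  const out = [];
  let n = 128, bias = 72, i = 0;
  const dash = encoded.lastIndexOf('-');
  // Everything before the last '-' is copied through as plain ASCII.
  for (let j = 0; j < dash; j++) out.push(encoded.charCodeAt(j));
  for (let pos = dash < 0 ? 0 : dash + 1; pos < encoded.length; ) {
    const oldI = i;
    let w = 1;
    for (let k = BASE; ; k += BASE) {
      const c = encoded.charCodeAt(pos++);
      const digit = c - 48 < 10 ? c - 22 : c - 65 < 26 ? c - 65 : c - 97 < 26 ? c - 97 : BASE;
      if (digit >= BASE) throw new Error('invalid punycode digit');
      i += digit * w;
      const t = k <= bias ? T_MIN : k >= bias + T_MAX ? T_MAX : k - bias;
      if (digit < t) break;
      w *= BASE - t;
    }
    const len = out.length + 1;
    bias = adapt(i - oldI, len, oldI === 0);
    n += Math.floor(i / len);
    i %= len;
    out.splice(i++, 0, n); // insert the decoded code point at position i
  }
  return String.fromCodePoint(...out);
}

// --- Script heuristics ---
// Cyrillic letters near-identical to Latin letters in common UI fonts.
// Constructed, partial table for the example; production code should use
// the Unicode confusables data (UTS #39).
const CYRILLIC_LOOKALIKES = new Set('аеорсухіјӏѕһ');

function scriptOf(ch) {
  const cp = ch.codePointAt(0);
  if (/[0-9-]/.test(ch)) return 'Common';
  if (cp < 0x80) return 'Latin';
  if (cp >= 0x0370 && cp <= 0x03ff) return 'Greek';
  if (cp >= 0x0400 && cp <= 0x04ff) return 'Cyrillic';
  return 'Other';
}

function classifyLabel(label) {
  const chars = [...label];
  if (chars.every(ch => ch.codePointAt(0) < 0x80)) return 'ascii';
  const letters = chars.filter(ch => scriptOf(ch) !== 'Common');
  const scripts = new Set(letters.map(scriptOf));
  if (scripts.size > 1) return 'mixed';                 // Latin + Cyrillic in one label
  if (letters.every(ch => CYRILLIC_LOOKALIKES.has(ch))) return 'lookalike'; // reads as Latin
  return 'idn';                                          // genuine non-Latin name: leave alone
}

// Decode each "xn--" label, classify it, and report whether any label is suspicious.
function assessHostname(hostname) {
  const labels = hostname.toLowerCase().split('.')
    .map(l => (l.startsWith('xn--') ? punycodeDecode(l.slice(4)) : l));
  const verdicts = labels.map(classifyLabel);
  return {
    unicode: labels.join('.'),
    verdicts,
    suspicious: verdicts.some(v => v === 'mixed' || v === 'lookalike'),
  };
}

// The one-line check from the thread, kept for comparison: it fires on every IDN.
function naiveCheck(hostname) {
  return hostname.includes('xn--');
}

// Usage: the Cyrillic "apple" demo is flagged, the all-Cyrillic пример.рф is not.
console.log(assessHostname('www.xn--80ak6aa92e.com'));
console.log(assessHostname('xn--e1afmkfd.xn--p1ai'), naiveCheck('xn--e1afmkfd.xn--p1ai'));
```

The naive check and the targeted one agree on the look-alike domain, but only the targeted one lets a genuine Cyrillic domain through, which is the trade-off the tweet above describes.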
@_mwc Interesting... Android Twitter app browser has a different font for Unicode domains.
@_mwc That "xn" was always a trouble maker ... wordfence.com/blog/2017/04/c…
@_mwc Yes, a chrome extension can! ;) github.com/heliocorreia/p…
@_mwc @YourAnonNews Chrome mobile in its current state shows the actual URL when you click and hold
@_mwc @martingeddes #CyberSecurity bugs created at bigger & faster rates than their fixes?