
"IDN Homograph Attacks Protection" breaking Norwegian domains

We use æøå in addition to a-z here, and generally best practice for most sites is picking up both the real and "substituted" version and redirecting one to the other. However, NextDNS wants to block stuff like "lovløs.no/lovlos.no", which seems like a bit of an oversight at best. I've just turned the protection off, but considering it offers absolutely zero protection except kinda breaking for an entire country in these cases, it would be nice if it could be fixed.

10 replies

    • NextDNs
    • 3 yrs ago

    We only block if the IDN version points to a different target than the non IDN version. For some reason, this website is using different IPs which triggers the protection.

      • r_l
      • 3 yrs ago

      NextDNS I'd have to dig around for examples, but this has absolutely come up several times before too. If someone uses a redirect service of some kind (Very common, people just set the redirect in their registrar admin panel and let them handle it.), it probably shouldn't just hard block that? This is a very common use case here :).

      Really, I'd argue o/ø and a/å should just be excluded under .no, considering there is nothing homograph-y about those here. (Probably also .dk)

      • NextDNs
      • 3 yrs ago

      r_l Squatting is often done by using the legitimate spelling with an alternate alphabet. Allowing these would create a hole in the protection. When you have examples of false positives like that, please report them here so we can study them and improve our solution.

      • r_l
      • 3 yrs ago

      NextDNS Just from looking at my logs:
      rødt.no (Political party, fwiw. Redirects to main "roedt.no" domain)
      lovløs.no
      daufødt.no
      felleskjøpet.no

      It's pretty much standard/best practice here (under .no, of course).

    • salix.1
    • 2 wk ago

    Still an issue. I configured NextDNS today and wanted to go to a major book shop "bücher.de" and NextDNS blocked the domain. It says it's blocked by IDN homograph attack protection, but I don't understand what the homograph is supposed to be. It's a bog-standard word, and these are normal characters in German. Ü is not the same as U. Had to deactivate this blocking category.

      • NextDNs
      • 2 wk ago

      The protection aims to detect cases where the non-IDN version of a domain would be owned by a different entity. This is a common phishing technique. In cases of false positives (when the two domains belong to different entities, but it is not a phishing attempt), you can simply add the domain to your allowlist.

      • salix.1
      • 2 wk ago

      Appreciate the response. What would be the two domains here? In German, the Ü would be written as UE if for some technical reason the character is not available. So the equivalent for "bücher.de" would be "buecher.de", and both of these are indeed owned by the same company and it's the same website / shop.

      If you're talking about "bucher.de", as I said, at least for Germans, the U would be a completely different character, and indeed "bucher.de" is owned by another company unrelated to "bücher.de", which makes sense: Two unrelated words (albeit admittedly similar), two unrelated entities.

      I don't think I have any issue with how you describe the IDN homograph protection works, I simply disagree about what constitutes a "non-IDN version" of a domain, or rather what a homograph actually is. For me, speaking with a cultural background as a German native, Ü and U are different characters, not equivalent on any level, therefore also not homographs. As for Ü and UE, yes I see an equivalence, and actually here I would agree it might be a good idea to have an automatic protection in place in case "bücher.de" and "buecher.de" were owned by different entities. Many Germans would have issues differentiating these two.

      Thanks for letting me share my view on this on this forum. Have a nice day and thanks for your effort on the product.
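The heuristic NextDNS describes above (block only when the IDN name and its "non-IDN version" resolve to different targets) and the question raised in this reply (whether the non-IDN version of "bücher.de" is "bucher.de" or "buecher.de") can both be made concrete in a few lines. The following is an added example written for this thread, not NextDNS's code or data: it folds an IDN name two ways, a naive diacritic-stripping fold and a per-TLD transliteration fold, compares the resolved targets of the IDN name and the chosen fold, and reports which look-alike was compared so the verdict can be logged and allowlisted sensibly. The transliteration tables and the resolver contents are constructed assumptions for illustration; the addresses come from the RFC 5737 documentation ranges.

```python
import unicodedata

# Constructed, illustrative per-TLD transliteration tables (an assumption of
# this example, not NextDNS data). The thread says o/ø and a/å are interchangeable
# spellings under .no, and that German writes ü as "ue" when ü is unavailable.
TRANSLITERATIONS = {
    "no": {"æ": "ae", "ø": "o", "å": "a"},
    "dk": {"æ": "ae", "ø": "o", "å": "a"},
    "de": {"ä": "ae", "ö": "oe", "ü": "ue", "ß": "ss"},
}

# Constructed resolver data (not real records); addresses are RFC 5737 ranges.
CONSTRUCTED_DNS = {
    "lovløs.no": frozenset({"192.0.2.50"}),          # hosted on a registrar redirect service
    "lovlos.no": frozenset({"203.0.113.10"}),        # the real site it redirects to
    "felleskjøpet.no": frozenset({"203.0.113.20"}),
    "felleskjopet.no": frozenset({"203.0.113.20"}),  # both spellings, one host
    "bücher.de": frozenset({"203.0.113.30"}),
    "buecher.de": frozenset({"203.0.113.30"}),       # same shop, ASCII spelling
    "bucher.de": frozenset({"198.51.100.5"}),        # unrelated company
    "roedt.no": frozenset({"203.0.113.40"}),
}

def lookup(name):
    """Stand-in for a DNS resolver: the address set, or None for NXDOMAIN."""
    return CONSTRUCTED_DNS.get(name)

def strip_diacritics(label):
    """Naive fold: NFKD-decompose and drop combining marks ('bücher' -> 'bucher').
    ø, æ and ß have no decomposition, so they survive this fold unchanged."""
    decomposed = unicodedata.normalize("NFKD", label)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def transliterate(label, tld):
    """Locale-aware fold ('bücher' under .de -> 'buecher'), then strip what is left."""
    table = TRANSLITERATIONS.get(tld, {})
    return strip_diacritics("".join(table.get(ch, ch) for ch in label))

def is_idn(name):
    """True if the name has non-ASCII labels, i.e. its A-label (punycode) form differs."""
    return name.encode("idna").decode("ascii") != name

def non_idn_variants(name):
    """Candidate 'non-IDN versions' of a name, keyed by the fold that produced them."""
    labels = name.split(".")
    tld = labels[-1]
    return {
        "naive": ".".join(strip_diacritics(l) for l in labels),
        "locale": ".".join(transliterate(l, tld) for l in labels),
    }

def classify(name, resolve=lookup, prefer_locale=True):
    """The heuristic described in the thread: an IDN name is suspicious only
    when its non-IDN version resolves to a different target.
    Returns (verdict, variant_compared, reason) so a log line can show the
    operator exactly which look-alike was checked."""
    name = name.lower().rstrip(".")
    if not is_idn(name):
        return ("allow", name, "not an IDN name")
    variants = non_idn_variants(name)
    variant = variants["locale" if prefer_locale else "naive"]
    if is_idn(variant):
        # The fold left non-ASCII characters behind, so there is nothing to compare.
        return ("unknown", variant, "fold produced no ASCII look-alike")
    idn_target, ascii_target = resolve(name), resolve(variant)
    if ascii_target is None:
        return ("allow", variant, "non-IDN version does not exist")
    if idn_target == ascii_target:
        return ("allow", variant, "same target")
    return ("block", variant, "different target")

if __name__ == "__main__":
    for n in ("lovløs.no", "felleskjøpet.no", "bücher.de", "roedt.no"):
        print(n, classify(n), classify(n, prefer_locale=False))
```

Two things this shows that the thread only states in words. First, the choice of fold decides the verdict for "bücher.de": the naive fold compares it against "bucher.de" (a different company, so "block"), while the German transliteration compares it against "buecher.de" (same host, so "allow"). Second, a pure IP comparison cannot tell a registrar redirect service apart from a squatter: "lovløs.no" parked on a redirect host resolves differently from "lovlos.no" and is blocked even though both belong to one owner, which is the false-positive pattern reported under .no. A resolver-side check would need to follow the HTTP redirect (or consult registrant data) to close that gap; what the code can do offline is record which variant it compared, which is the detail an operator needs when reading logs and deciding what to allowlist.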

      • Calvin_Hobbes
      • 2 wk ago

      Users of NextDNS are expected to have a basic understanding of how to check their logs and use the available allowlist when automated blocking results in a false positive for their own use. An exception for one user shouldn't be expected to be an exception for all users.

      • NextDNs
      • 2 wk ago

      Accented letters are different letters in many languages, there is no debate. Nevertheless, those glyph proximities are often used by attackers to deceive users, hence this protection. No protection is perfect or works for everyone. As said, you can either use the allowlist or disable this protection if it does not work for you.

      • salix.1
      • 2 wk ago

      Appreciate the input of you all. Thanks.

  • 2 Likes
  • Last active 2 wk ago
  • 10 Replies
  • 129 Views
  • 5 Following