With uBO rules, I don't even see those top results.
https://github.com/gorhill/uBlock/releases/tag/1.52.2
When you're at a point where you're relying on a display name to make security-critical decisions, you've already lost.
Character substitutions like ķeepass or ƙeepass or keypass are at least possible to spot if you know the name of the product, but not the full URL.
But there are many ways to create lookalike domains that don't change the product name: https://keepass.org https://keepass.net https://keepass.info https://keepass.cx https://keepassxc.org https://keepass-info.net https://keepass-manager.com
Which of these is the correct one? (It's https://keepassxc.org of course, but just looking at the URL won't tell you that.)
The root cause is downloading software you see advertised on Google even though that does not in any way establish trustworthiness.
The relevant parts of the Chrome IDN rules [1] seem to be detection of "mixed script confusables" and "whole script confusables".
The character ķ (U+0137) is part of the Latin script [2], so it looks like the string "ķeepass.info" won't trigger the mixed-script confusable test. I also don't see it listed in the "whole script confusable" glyphs [3]. Should it be included there?
[1] https://chromium.googlesource.com/chromium/src/+/main/docs/i...
[2] https://www.compart.com/en/unicode/U+0137
[3] https://source.chromium.org/chromium/chromium/src/+/main:com...
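To make the distinction in the comment above concrete, here is an added Python example (not from the thread and not Chromium's code) that approximates a mixed-script check and a decomposition-based skeleton check. It assumes that the first word of a character's Unicode name is a good enough stand-in for its script, since Python's unicodedata exposes no Script property; it shows that ķeepass is single-script Latin and so passes a mixed-script test, yet collapses to keepass once combining marks are stripped, while ƙeepass (U+0199) survives both checks.

```python
import string
import unicodedata

# Added example, not Chromium's implementation. The script of a character is
# guessed from the first word of its Unicode name (an assumption that works
# for Latin, Cyrillic and Greek letters); digits and '-' are treated as COMMON.


def script_of(ch: str) -> str:
    """Rough script name for one character."""
    if ch in string.ascii_letters:
        return "LATIN"
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def scripts_of(label: str) -> set:
    """Set of scripts used by a domain label, ignoring COMMON characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def is_mixed_script(label: str) -> bool:
    """True when a label mixes scripts, e.g. a Cyrillic 'к' among Latin letters."""
    return len(scripts_of(label)) > 1


def skeleton(label: str) -> str:
    """Compatibility-decompose and drop combining marks, so 'ķ' (U+0137) -> 'k'.
    Letters with no decomposition, such as 'ƙ' (U+0199), are left unchanged."""
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")
    return unicodedata.normalize("NFC", stripped)


def lookalike_of(label: str, brand: str) -> bool:
    """True when label differs from brand but reduces to it under skeleton()."""
    return label != brand and skeleton(label) == brand


if __name__ == "__main__":
    # Constructed sample labels; only the first two are mentioned in the thread.
    for label in ["ķeepass", "ƙeepass", "\u043aeepass", "keepass"]:
        print(f"{label!r:14} mixed={is_mixed_script(label)!s:5} "
              f"skeleton={skeleton(label)!r:12} lookalike={lookalike_of(label, 'keepass')}")
```

The ƙ case is the one a mark-stripping skeleton misses, which is why a confusables table of visually similar whole letters is needed in addition to script mixing and decomposition checks.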