Posted by MrBuddyCasino 3 days ago

The browser catches homograph attacks, the terminal doesn't (github.com)
80 points | 46 comments
nullifidian 1 day ago
I would rather check urls with the following method:

  echo -e -n "https://іnstall.example-clі.dev" | python -c 'exec("""import sys, unicodedata\nfor ch in sys.stdin.read():\n  try:\n    print (ch, " ", unicodedata.name(ch))\n  except ValueError:\n    print ("codepoint ", ord(ch))\n""")'
instead of putting my trust in the hundreds of crates in this tool's Cargo.lock not having a supply chain attack.
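An added example (not nullifidian's one-liner and not the tool's code) that extends the same unicodedata.name() lookup into a per-label hostname check: each DNS label is classified by the script of its letters, and the stdlib `idna` codec gives the punycode form the resolver actually sees. The sample URLs are constructed; the Cyrillic letter is written as `\u0456` so it stays visible in the source.

```python
# Added example, not code from the thread or from the tool being discussed.
# Classifies every label of a URL's hostname by the Unicode script of its
# letters (same unicodedata.name() lookup as the one-liner above) and shows
# the IDNA/punycode form that is actually resolved.
import unicodedata
from urllib.parse import urlsplit

# Script words as they appear at the start of unicodedata.name() output.
SCRIPT_WORDS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")


def script_of(ch):
    """Coarse script of one character; None for script-neutral chars (digits, '-')."""
    try:
        name = unicodedata.name(ch)
    except ValueError:          # unassigned or control code point has no name
        return "UNNAMED"
    for word in SCRIPT_WORDS:
        if name.startswith(word + " "):
            return word
    return "OTHER" if ch.isalpha() else None


def analyze_label(label):
    """Report scripts, ASCII-ness and punycode form of one DNS label."""
    scripts = sorted({s for s in map(script_of, label) if s is not None})
    try:
        # stdlib idna codec: RFC 3490 ToASCII (nameprep + punycode, 'xn--' prefix)
        punycode = label.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    return {
        "label": label,
        "scripts": scripts,
        "ascii": label.isascii(),
        "punycode": punycode,
        "mixed_script": len(scripts) > 1,
    }


def check_url(url):
    """Per-label reports for the hostname of *url* (empty list if no hostname)."""
    host = urlsplit(url).hostname or ""   # urlsplit lowercases the hostname
    return [analyze_label(label) for label in host.split(".") if label]


def suspect_reasons(url):
    """Human-readable reasons a URL deserves a second look before pasting it."""
    reasons = []
    for r in check_url(url):
        if r["mixed_script"]:
            reasons.append("mixed-script label %r (%s)" % (r["label"], "+".join(r["scripts"])))
        if not r["ascii"]:
            reasons.append("non-ASCII label %r resolves as %r" % (r["label"], r["punycode"]))
    return reasons


def is_homograph_suspect(url):
    return bool(suspect_reasons(url))


if __name__ == "__main__":
    # Constructed sample URLs; \u0456 is CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I.
    for url in ("https://github.com/example/repo",
                "https://g\u0456thub.com/example/repo",
                "https://\u0456nstall.example-cl\u0456.dev"):
        print(url)
        for reason in suspect_reasons(url) or ["looks plain ASCII"]:
            print("   ", reason)
```

The mixed-script rule catches the "g[Cyrillic i]thub" case, but a label made entirely of Cyrillic look-alikes trips only the non-ASCII check, so the punycode form is the more reliable tell; browsers apply further display rules on top of this, and the stdlib codec is IDNA2003 rather than the newer IDNA2008 tables.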
whatisasupchain 20 hours ago
How on Earth did something like this become the norm? I don't work with software like most here, but just opening the Cargo.lock file sets off an alarm in my brain.

After seeing how much stuff was pulled when I once installed a couple programs with cargo, I added it to the "don't touch a project if it's made with this language" pile, alongside Nim and Python (though Python I can't quite avoid).

mayhemducks 17 hours ago
Go write a floating point package, by yourself (no AI assistance), from scratch. Then you will understand.
whatisasupchain 17 hours ago
Sure, the decision to "offload" some components is understandable, and sometimes preferred (crypto libs, etc). We're not all masters of every field. But if you do it 200+ times I'll question what you're even trying to do.
queenkjuul 3 hours ago
You don't; you import 3-4 libraries that do what you need, each of them imports 10-30 libraries they need, next thing you know, you've got 100 dependencies.

I don't really see the big deal--for as long as I've been using Linux, which is over 20 years now, installing many packages requires pulling in dozens of other packages, themselves perhaps composed of multiple libraries... The problem is they come from cargo and not a distro? I get the problem with the language repos being more prone to supply chain attack than distro repos, but I don't really get the impression it was ever normal to build complete apps without dependencies.

zzo38computer 1 day ago
I use non-Unicode terminal mode (I might prefer to use a terminal emulator that does not support Unicode but you can add fonts for arbitrary character sets (of your choice, so that none are forced) instead) and program the browser to always display URLs as ASCII. So, when I copy the text to the terminal, I get "#" in place of the Cyrillic alphabets.

I think making IDN work the way it does was a mistake. I thought of making IDN with a character set specific for that use (I did think about how it would work) instead of using Unicode or any other existing character sets (none of them are suitable, as far as I am concerned; however, this new IDN character set would potentially be suitable for some other uses such as perhaps package names). Using one character set for everything is not very good, and Unicode is especially bad for this. (Although in my opinion, TRON code is generally better than Unicode, neither TRON code nor Unicode is the one to use for this)

However, there are other problems with paste in the terminal window, but bracketed paste mode can mitigate some of these problems in some cases; it is not entirely helpful.

meribold 23 hours ago
My terminal "warns" about them thanks to using a bitmap font that has no (significant?) Unicode coverage beyond code points 0 to 255.
adzm 1 day ago
The word tirith means guard (or watch) in Sindarin, one of Tolkien's languages from Lord of the Rings. See also Minas Tirith! I really enjoy this utility's name.
DownrightNifty 17 hours ago
A simpler solution: examine the URL displayed in the browser window before copying terminal commands from the page. E.g. "starts with github.com" -> "trusted GitHub UI indicates the repo is the official one for this project" -> "URL points to the official project README" -> "terminal commands are most likely not malicious, and if they are, there's a bigger problem here".

Of course, more secure installation methods should be preferred, but those are not always available. I am simply comparing the provided solution to homograph attacks with another solution to the same problem.

queenkjuul 3 hours ago
The whole point is that someone could put a Cyrillic "i" in "github" and your eyes can't tell the difference. The actual GitHub link might be real and valid and you checked; you might still hit "g[cyrillic i]thub.com" and not the real GitHub.
userbinator 1 day ago
My terminal is set to CP437 and uses a font incapable of rendering anything else.

Then again, I don't blindly pipe directly from the network into the shell either.

zzo38computer 1 day ago
CP437 (the PC character set) has three blank spaces (although 0x00 is probably not going to be used), so 0xFF is displayed the same as 0x20, so there is still a homoglyph.
moebrowne 23 hours ago
Weird that just 3 days ago https://github.com/makalin/preexec was released with almost exactly the same functionality written in Go.
ggm 23 hours ago
Amusing that the chosen illustrative homograph is "i" and tirith has two...
techbrovanguard 3 days ago
Handy! I feel like this should be built into the terminal emulator though?
derintegrative 1 day ago
This looks to be a very specific tool to check URLs on the command line. Terminal emulators don't care about that. Even shells running in those terminal emulators don't care about those specifics, because why would they. One could easily want to do something with a funny URL like that that doesn't involve content fetching etc.
zzo38computer 1 day ago
If you can disable Unicode in your terminal emulator, then it will be. (Unfortunately, that won't help if you want Unicode in your terminal emulator, though.)