A bug allowed spoofed domains to be registered using Unicode characters

Spoofed website

Recently, researchers at Soluble published their findings on a new method for registering domains with homoglyphs: domains that look like other domains but are in fact different, because they contain characters with a different meaning.

Internationalized domain names (IDNs) can, at first glance, be indistinguishable from the domains of well-known companies and services, which allows them to be used for spoofing, including obtaining valid TLS certificates for them.

Once registered, these domains look identical to legitimate, well-known domains and can be used to carry out social engineering attacks against organizations.

Matt Hamilton, a researcher at Soluble, discovered that it was possible to register many generic top-level domains (gTLDs) using characters from the Unicode Latin IPA extension (such as ɑ and ɩ), and was then able to register the domains listed below.

Spoofing a conventional domain with a look-alike IDN has long been blocked by browsers and registrars, which forbid mixing characters from different alphabets. For example, a fake apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "a" (U+0430), because combining characters from different alphabets is not allowed.

In 2017, a way to bypass this protection was found: using only Unicode characters in the domain, without any Latin letters (for example, using letters of another script that resemble Latin letters).

Now another way around the protection has been found. It relies on the fact that registrars block mixing Latin letters with Unicode characters, but if the Unicode characters used in the domain belong to the Latin character group, such mixing is permitted, since the characters are considered to be from the same alphabet.

The problem is that the Unicode Latin IPA extension contains homoglyphs that are visually similar to other Latin letters: the symbol "ɑ" looks like "a", "ɡ" like "g", and "ɩ" like "l".

The ability to register domains mixing Latin letters with the Unicode symbols shown was identified with the Verisign registrar (other registrars were not checked), and subdomains could also be created in the Amazon, Google, Wasabi and DigitalOcean services.

Although the research was conducted only on Verisign gTLDs, the problem was not handled by the other network providers; despite the notifications sent, after three months it had been fixed, at the last minute, only by Amazon and Verisign, because only they specifically took the problem seriously.

Hamilton kept his report private until Verisign, the company that manages domain registration for popular top-level domains (gTLDs) such as .com and .net, fixed the problem.

The researchers also launched an online service for checking one's own domains for possible homoglyph variants, including checking for already-registered domains and TLS certificates with look-alike names.

With respect to HTTPS certificates, 300 homoglyph domains were checked through Certificate Transparency logs, 15 of which had certificates issued.

Current Chrome and Firefox browsers display such domains in the address bar in the "xn--" prefixed notation, but the domains still appear unchanged inside links, which can be exploited to embed malicious resources or links into pages under the pretext of loading them from legitimate sites.

For example, on one of the homoglyph domains discovered, a malicious variant of the jQuery library was found being distributed.

During the test, the researchers spent $400 and registered the following domains with Verisign:

  • amzon.com
  • shafin yanar gizo
  • sɑlesforce.com
  • mɑil.com
  • ppɩe.com
  • yanar gizo.com
  • .comstatic.com
  • sarzana.com
  • Ƙauardian.com
  • sabarin.com
  • washingtonpost.com
  • pɑypɑ.com
  • wlmɑrt.com
  • wasɑbisys.com
  • yahoo.com
  • cyanfɩare.com
  • daga.com
  • gmɑiɩ.com
  • www.gooɡleapis.com
  • huffin.com
  • Instaɡram.com
  • microsoftonɩine.com
  • mɑzonɑws.com
  • roidndroid.com
  • netfɩix.com
  • nvidiɑ.com
  • ɩoogɩe.com

If you want to know more details about this research, you can consult the following link.

