What is a Content Spoofing Homograph/IDN-Based Vulnerability?

An IDN homograph attack is analogous to typosquatting, another form of domain name spoofing. Both techniques seek to fool visitors with a new domain name that resembles an existing one, but they do so in different ways. Typosquatting registers a new domain name that differs from the existing name while using the same character set. A homograph attack instead uses a domain name containing characters from other character sets that look like the original, and it relies on the user clicking a hyperlink that carries the new name. This kind of attack rarely succeeds when the domain name is typed manually, since a user is unlikely to enter a homograph by accident.

Some domain names are suitable for both typosquatting and homograph spoofing. A spoof that uses an uppercase “O” in place of the numeric “0,” for example, is both kinds of attack at once. Because these two characters are visually identical in certain fonts, the effectiveness of this form of spoof depends heavily on the typeface the computer uses.

Remediation

Client-Side

On the client side, the usual way to guard against homograph attacks is to ensure that web browsers either do not support Internationalized Domain Names in Applications (IDNA) at all or let users disable that support. In practice this means IDNs are displayed in Punycode, an encoding that represents Unicode characters using the lower ASCII subset. Denying access to IDNA sites altogether is a less common approach.
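As an added example that is not part of the original article, the following Python checker does what a Punycode-displaying browser does to a hostname and adds two defender-side checks: it flags labels that mix Unicode scripts, and it reduces look-alike characters (including the page's “O” versus “0” case) to a skeleton that is compared against a protected list. The confusables map is a constructed, deliberately tiny stand-in for the Unicode confusables table, and the protected list is an assumption supplied by the caller.

```python
import unicodedata

# Constructed, deliberately small look-alike map (a stand-in for the much larger
# Unicode confusables table). Each entry maps a confusable to its Latin skeleton.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "0": "o",       # digit zero vs letter o, the case the article mentions
}


def to_punycode(hostname: str) -> str:
    """Render a hostname the way a browser with IDNA display disabled would."""
    return hostname.encode("idna").decode("ascii")


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one label, derived from Unicode character names."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(hostname: str) -> str:
    """Collapse look-alike characters so a spoof compares equal to its target."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())


def assess(hostname: str, protected: set) -> dict:
    """Summarise the homograph risk of a hostname against a caller-supplied
    set of protected (brand) domains, e.g. {"apple.com"}."""
    host = hostname.lower()  # lowercase first: the idna codec leaves ASCII labels untouched
    display = to_punycode(host)
    skel = skeleton(host)
    return {
        "display": display,                   # what the user would see with Punycode display
        "is_idn": display != host,            # any label needed xn-- encoding
        "mixed_script": any(len(scripts_in_label(l)) > 1 for l in host.split(".")),
        # Skeleton match catches single-script spoofs that mixed-script checks miss.
        "lookalike_of": skel if skel in protected and host not in protected else None,
    }
```

The all-Cyrillic case in the test shows why the skeleton check matters: a label written entirely in one non-Latin script passes a mixed-script test yet still resolves to a protected name.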

Server-Side

Server-side protection against homograph attacks is based mostly on restrictions put in place by the Internet Corporation for Assigned Names and Numbers (ICANN). These restrictions generally prohibit internationalized TLDs from using non-Latin characters that could make them resemble an existing TLD that uses Latin letters. ICANN also favours longer TLDs, which makes them harder to confuse with existing Latin TLDs.

ZOFixer.com security scan helps find this vulnerability in your software and server; you can use it by registering on our website and activating the 30-day trial.