Phishing domains can be registered with look-alike Unicode characters in the name

Researchers from Soluble have disclosed a new way to register homoglyph domains: domains that look the same as other domains but are in fact different, because they contain characters with different code points. Such internationalized domain names (IDNs) are at first glance indistinguishable from the domains of companies and popular services, which lets them be used for phishing, including obtaining valid TLS certificates for them.

The classic substitution with visually similar IDNs has long been blocked by browsers and registrars, which prohibit mixing characters from different scripts in one label. For example, a fake apple.com ("xn--pple-43d.com") cannot be created by replacing the Latin "a" (U+0061) with the Cyrillic "а" (U+0430), because a domain that mixes characters from different scripts is not allowed. In 2017 a way around this protection was found: use only non-Latin Unicode characters in the domain, with no Latin letters at all (for example, compose the whole name from letters of another script that resemble Latin ones).

Now another way to bypass the protection has been found. It relies on the fact that registrars block mixing Latin with other scripts, but if the non-ASCII Unicode characters in the domain themselves belong to the Latin script, the combination is allowed, since all characters are of the same script. The problem is that the Unicode "IPA Extensions" block, whose letters are classed as Latin, contains homoglyphs that are visually identical to other Latin letters: "ɑ" (U+0251, LATIN SMALL LETTER ALPHA) looks like "a", "ɡ" (U+0261, LATIN SMALL LETTER SCRIPT G) looks like "g", and "ɩ" (U+0269, LATIN SMALL LETTER IOTA) looks like "l".
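The two rules the article contrasts, as an added Python example (not code from the Soluble researchers or from the opennet article): a script-mixing check of the kind registrars and browsers apply, which rejects the Cyrillic apple.com but passes the IPA variant, and a confusable-folding check that catches the IPA variant. The stdlib idna codec produces the punycode form. The script_of heuristic (first word of the Unicode character name, since unicodedata exposes no Script property), the function names and the protected-domain set are assumptions for illustration.

```python
import unicodedata

# The three IPA Extensions homoglyphs named in the article, mapped to the
# ASCII letter each one resembles. All three carry a "LATIN ..." name.
IPA_CONFUSABLES = {
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G
    "\u0269": "l",  # LATIN SMALL LETTER IOTA
}


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name (assumption:
    the first word, e.g. LATIN / CYRILLIC / GREEK, stands in for the Script
    property). ASCII digits, '-' and '.' are treated as script-neutral."""
    if ch.isascii() and not ch.isalpha():
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def mixes_scripts(label: str) -> bool:
    """The rule the article describes: reject a label that combines letters
    of more than one script (Latin + Cyrillic)."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    return len(scripts) > 1


def skeleton(domain: str) -> str:
    """Fold the IPA homoglyphs to the ASCII letters they resemble, so that a
    look-alike can be compared with the real name."""
    return "".join(IPA_CONFUSABLES.get(ch, ch) for ch in domain.lower())


def to_punycode(domain: str) -> str:
    """ACE (xn--) form as a registrar, resolver or CT log would see it."""
    return domain.encode("idna").decode("ascii")


def classify(domain: str, protected: set) -> dict:
    """Run both checks on a candidate name. `protected` is the set of brand
    domains we care about (assumption: supplied by the caller)."""
    label = domain.split(".")[0]
    folded = skeleton(domain)
    return {
        "domain": domain,
        "punycode": to_punycode(domain),
        # What the script-mixing rule alone would do with this name.
        "rejected_as_mixed_script": mixes_scripts(label),
        "ipa_chars": sorted({ch for ch in domain if ch in IPA_CONFUSABLES}),
        # Set only when folding the IPA letters yields a protected name.
        "ipa_lookalike_of": folded if folded != domain and folded in protected else None,
    }


if __name__ == "__main__":
    brands = {"apple.com", "paypal.com"}
    for name in ("\u0430pple.com", "\u0251pple.com", "p\u0251yp\u0251\u0269.com"):
        print(classify(name, brands))
```

The Cyrillic "аpple.com" is stopped by the script check (Latin + Cyrillic) even though nothing in the folding table matches it; the IPA "ɑpple.com" is pure Latin by name, passes the script check, and is only caught because the confusable table folds it to apple.com. Any such table is only as good as its coverage of the IPA block.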


The ability to register domains that mix Latin letters with these Unicode characters was confirmed at the registrar Verisign (other registrars were not tested), and matching subdomains were created on the Amazon, Google, Wasabi and DigitalOcean services. The problem was found in November of last year; despite the notifications sent, Amazon and Verisign fixed it only three months later, at the last moment.

During the experiment, the researchers spent $400 to register the following domains at Verisign:

  • amazon.com
  • chase.com
  • sɑlesforce.com
  • ɑmɑil.com
  • ɑppɩe.com
  • ebey.com
  • static.com
  • steɑmpowered.com
  • theguardian.com
  • theverɡe.com
  • washingtonpost.com
  • pɑypɑɩ.com
  • wɑlmɑrt.com
  • waasɑbisys.com
  • yahoo.com
  • cɩoudfɩare.com
  • deɩ.com
  • gmɑiɩ.com
  • www.gooɡleapis.com
  • huffinɡtonpost.com
  • instagram.com
  • microsoftonɩine.com
  • amazonaws.com
  • roidndroid.com
  • netfɩix.com
  • nvidiɑ.com
  • oogɩe.com

The researchers also launched a web service for checking your own domain for possible homoglyph substitutions, including checking for already registered look-alike domains and for TLS certificates issued for similar names. On the HTTPS side, 300 homoglyph domains were checked against the Certificate Transparency logs, which recorded certificate issuance for 15 of them.
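What such a check has to do for one brand name, as an added example that is not part of the article or of Soluble's service: enumerate every variant of the registrable name in which some of the letters a, g and l are swapped for their IPA twins, convert each to its A-label (xn--) form, since that is what zone files and certificate SAN entries actually contain, and intersect the set with names observed elsewhere. The observed-name list is a constructed sample standing in for CT log or WHOIS output (in practice you would pull it from a CT log front-end); the function names are my own.

```python
import itertools

# ASCII letter -> the IPA Extensions look-alike named in the article.
IPA_TWINS = {
    "a": "\u0251",  # LATIN SMALL LETTER ALPHA
    "g": "\u0261",  # LATIN SMALL LETTER SCRIPT G
    "l": "\u0269",  # LATIN SMALL LETTER IOTA
}

# Constructed sample of names "seen" in a CT log: one IPA look-alike of
# apple.com, the real name, a Cyrillic look-alike and an unrelated name.
SAMPLE_OBSERVED_NAMES = [
    "xn--pple-p5b.com",
    "apple.com",
    "xn--pple-43d.com",
    "example.org",
]


def homoglyph_variants(domain: str):
    """Yield every domain obtained by swapping one or more a/g/l in the name
    (TLD excluded) for its IPA twin. The count is 2**k - 1 for k swappable
    letters, so cap the input length before running this on long names."""
    parts = domain.lower().rsplit(".", 1)
    label, tld = parts[0], (parts[1] if len(parts) > 1 else "")
    positions = [i for i, ch in enumerate(label) if ch in IPA_TWINS]
    for r in range(1, len(positions) + 1):
        for combo in itertools.combinations(positions, r):
            chars = list(label)
            for i in combo:
                chars[i] = IPA_TWINS[chars[i]]
            yield "".join(chars) + ("." + tld if tld else "")


def variant_table(domain: str) -> dict:
    """Map each Unicode variant to its A-label form via the stdlib IDNA codec;
    the A-label is the string to look up in WHOIS, DNS or CT data."""
    return {v: v.encode("idna").decode("ascii") for v in homoglyph_variants(domain)}


def match_observed(domain: str, observed_ace: list) -> dict:
    """Return {observed A-label: Unicode form} for every observed name that is
    an IPA homoglyph variant of `domain`. Names that are not in the variant
    set (the real domain, Cyrillic spoofs) are deliberately not reported."""
    ace_to_unicode = {ace: uni for uni, ace in variant_table(domain).items()}
    return {ace: ace_to_unicode[ace] for ace in observed_ace if ace in ace_to_unicode}


if __name__ == "__main__":
    for uni, ace in variant_table("paypal.com").items():
        print(f"{uni:<16} {ace}")
    print(match_observed("apple.com", SAMPLE_OBSERVED_NAMES))
```

The Cyrillic entry in the sample is left unmatched on purpose: it belongs to the older mixed-script class of attack and needs a separate confusable table, so a monitor built only around the IPA twins would miss it.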

Current Chrome and Firefox browsers show such domains in the address bar with the "xn--" prefix; links in page content, however, look unchanged, which can be used to plant malicious resources or links in pages under the guise of loading them from legitimate sites. For example, on one of the identified homoglyph domains, distribution of a malicious version of the jQuery library was recorded.

Source: opennet.ru
