zlacker

[return to "The browser catches homograph attacks, the terminal doesn't"]
1. Downri+dib 2026-02-06 15:21:18
>>MrBudd+(OP)
A simpler solution: examine the URL displayed in the browser window before copying terminal commands from the page. E.g. "starts with github.com" -> "trusted GitHub UI indicates the repo is the official one for this project" -> "URL points to the official project README" -> "terminal commands are most likely not malicious, and if they are, there's a bigger problem here".

Of course, more secure installation methods should be preferred, but those are not always available. I am simply comparing the provided solution to homograph attacks with another solution to the same problem.

2. queenk+Ahd 2026-02-07 05:24:09
>>Downri+dib
The whole point is that someone could put a Cyrillic "i" in "github" and your eyes can't tell the difference. The actual GitHub link might be real and valid and you checked; you might still hit "g[cyrillic i]thub.com" and not the real GitHub.
3. Downri+M9e 2026-02-07 16:10:33
>>queenk+Ahd
But as the title of the post says, browsers already solved this problem.

https://www.xudongz.com/blog/2017/idn-phishing/

It does make running commands from an untrusted website a little safer, which is nice. I imagine it's not uncommon to copy installation scripts from random StackOverflow comments or blog posts, for example. But that's still not safe even with this tool. Homograph attacks aside, how can you tell if a URL you're pasting into your terminal is the official source for something? It's trivial to create fake GitHub accounts or organizations.
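The check the browser does and the terminal doesn't, as an added example that is not part of this thread or of the tool under discussion: decode the punycode host of a URL back to its visual form, then flag a label that mixes scripts (the Cyrillic "i" in "github" from comment 2) or that is built entirely from look-alike letters of one script (the all-Cyrillic case a mixed-script check alone would pass). The confusables map is a small constructed subset of the Unicode confusables table and the script classification is a heuristic on Unicode character names, both assumptions made for the demo.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of Unicode confusables (Cyrillic -> Latin look-alikes).
# The real UTS #39 table is far larger; this is an assumption for the demo.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0501": "d", "\u051b": "q", "\u051d": "w", "\u0455": "s", "\u04cf": "l",
}


def script_of(ch):
    """Heuristic script name taken from the Unicode character name ('CYRILLIC', 'LATIN', ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def decode_host(url):
    """Return the host of url in its visual (Unicode) form, decoding xn-- punycode labels."""
    host = urlsplit(url).hostname or ""
    # A pasted URL is usually in ASCII/punycode form; decode it so we judge what the eye sees.
    return host.encode("ascii").decode("idna") if host.isascii() else host


def homograph_findings(url):
    """Return a list of reasons the host looks like a homograph; an empty list means clean."""
    findings = []
    for label in decode_host(url).split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        scripts.discard("COMMON")
        # Check 1: letters from more than one script in a single label (g + Cyrillic i + thub).
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
        # Check 2: replace look-alikes with their Latin twins; if a non-ASCII label collapses
        # to pure ASCII, every non-ASCII letter in it was a confusable (catches all-Cyrillic labels).
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if not label.isascii() and skeleton.isascii():
            findings.append(f"label {label!r} is visually identical to ASCII {skeleton!r}")
    return findings


def is_suspicious(url):
    return bool(homograph_findings(url))


if __name__ == "__main__":
    # Constructed sample URLs: a real-looking host, a legitimate IDN, and two homographs.
    for u in ["https://github.com/org/repo", "https://bücher.de/",
              "https://g\u0456thub.com/org/repo/install.sh",
              "https://\u0430\u0440\u0440\u04cf\u0435.com/"]:
        print(u, "->", homograph_findings(u) or "ok")
```

Note that a legitimate internationalised host such as bücher.de produces no finding: ü is a Latin letter, so the label is single-script and does not collapse to ASCII, while both homograph forms are reported even though only one of them mixes scripts.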
