Advertisement:

Author Topic: how to solve homoglyph issue?  (Read 1921 times)

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
how to solve homoglyph issue?
« on: December 05, 2018, 11:31:49 AM »
Hello,

how could I configure SMF that online ASCII or ISO-LATIN usernames are allowed?

My forum gets "attacked" by some "funny guys" that create new logins looking exactly like existing logins but some letters replaced by same looking ISO-Latin. Like cyrillic "i" instead of ASCII "i"...

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,697
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: how to solve homoglyph issue?
« Reply #1 on: December 05, 2018, 11:34:35 AM »
Exactly what version are you using? I think SMF should already screen for those by default, at least partly.
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #2 on: December 05, 2018, 11:38:25 AM »
   SMF 2.0.15

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #3 on: December 05, 2018, 11:39:16 AM »
here an example of 2 user-accounts:
$ echo "Mіau!" | od -c
0000000   M 321 226   a   u   !  \n
0000007
$ echo "Miau!" | od -c
0000000   M   i   a   u   !  \n
0000006

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #4 on: December 05, 2018, 11:40:24 AM »
You could just ban the users that do it without needing a technological solution.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #5 on: December 05, 2018, 04:26:43 PM »
You could just ban the users that do it without needing a technological solution.

get serious:
manually ban each user who does the homoglyph attack on others? - that's not a solution, that's a nightmare.

I'm pretty sure there is an out-of-box solution for this problem.

Like a admin-menu checkbox
[  ] only allow ISO-LATIN (ASCII) usernames
and then just filter all non-ISO-Latin (or ASCII) characters

Offline shawnb61

  • Developer
  • SMF Hero
  • *
  • Posts: 1,523
    • sbulen on GitHub
Re: how to solve homoglyph issue?
« Reply #6 on: December 05, 2018, 04:49:12 PM »
I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #7 on: December 05, 2018, 05:16:20 PM »
apparently not. The forum was installed 4 months ago.
SMF 2.0.15

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #8 on: December 05, 2018, 06:56:45 PM »
There is no out of the box solution for SMF, despite your belief in such a thing.

The only possible option is to restrict characters to strict ASCII and even that isn’t idiot proof as many users confuse lowercase L with uppercase I in many fonts, along with | as well. Unless you restrict use of these too, it still has problems.

In any case if you have enough users doing this that you actually NEED to solve this with a technological solution, you’re going to have way more serious problems with moderating such troublemakers.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Aleksi "Lex" Kilpinen

  • A Peculiar Finn
  • Lead Support Specialist
  • SMF Super Hero
  • *
  • Posts: 18,697
  • Gender: Male
  • Don't worry, I'm n00b friendly
    • Aleksi.Kilpinen on Facebook
    • LexArma on GitHub
    • aleksi-kilpinen on LinkedIn
    • There's No Place Like 127.0.0.1
Re: how to solve homoglyph issue?
« Reply #9 on: December 06, 2018, 12:11:07 AM »
I seem to recall this cannot happen anymore, it's prevented in 2.0.x and 2.1.

The remaining issues should be a small set of users who were registered before the fix, which was a while back.   

Unless I am missing something?   Prior topic:
https://www.simplemachines.org/community/index.php?topic=560018.0

Or is this slightly different?
This might be slightly different in the way that this is the other way around if I'm guessing right.

Just out of curiosity, what mods are installed on the forum? Any that deal with registration?
Social logins, Tapatalk?
A Finnish Support Specialist
 Happily running multiple SMF 2.0 installations.
  Fooling around with an i7 990X @ 3,47Ghz / 12Gb / Win 10 x64 / 3840x2160


How you can help SMF

"Before you allow people access to your forum, especially in an administrative position, you must be aware that that person can seriously damage your forum.
 Therefore, you should only allow people that you trust, implicitly, to have such access." -Douglas

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #10 on: December 06, 2018, 03:13:22 AM »
You are thinking of something slightly different. There is intentional protection against white space leading and trailing, and there is protection against certain combinations by what of database collation (but that’s a happy by product, not intentional)

But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn’t English (most of the users then), and partially because the list is so huge and grows over time that it’s a surprisingly complex task.

phpBB does have protection in this department but it’s still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #11 on: December 06, 2018, 06:09:44 AM »
But homoglyphs, of similar looking letters, no. Partially because implementing it in the core as the OP suggests would basically make the software unusable for anyone whose environment isn’t English (most of the users then), and partially because the list is so huge and grows over time that it’s a surprisingly complex task.

a checkbox in the administrator's menu were new login creation is restricted to ASCII characters is a problem? - if such basic and very easy to be implemented things are a problem, the software in total seems to be the problem.

I now just hacked it into the code myself:
Sources/Subs-Members.php
if (preg_match('~^[a-zA-Z0-9 ]{1,}$~', $regOptions['username']) //....
But IMO that's not a thing users should be obliged to do just to get the forum run in a decent way.

Quote
phpBB does have protection in this department but it’s still pretty easy to get around. But the bottom line is that if you have people trolling like this, no amount of technological tools can fix a social problem.

sounds like: "we don't need spam protection since we believe that if people are spamming our forums like this, no amount of technological tools can fix the social problem of spamming"  ;-)

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #12 on: December 06, 2018, 06:14:38 AM »
Straw man argument, but I’m glad you got it resolved to your satisfaction.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Illori

  • Project Manager
  • SMF Legend
  • *
  • Posts: 51,433
Re: how to solve homoglyph issue?
« Reply #13 on: December 06, 2018, 07:32:53 AM »
we are well aware of this, but at this time see no reason to "fix" this. we also do not allow clone accounts here.

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #14 on: December 06, 2018, 07:42:22 AM »
oh - someone deleted my homoglyph "Arantоr" account and it's posting for demonstration purpose. What a pity!

So this "social problem" was solved with a.) technical measures and b.) manual work. How comes?

I can tell you why: no one likes homoglyph attacks on user accounts! Cloned users don't like it, fooled readers don't like it and most moderators (except probably at SMF forum) hate it because that creates unnecessary workload.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #15 on: December 06, 2018, 09:39:09 AM »
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Your solution also might not prevent all attacks even of the kind you talk about, actually, depending on how you configured permissions, but what would I know?

Again, this is simply not a big enough problem to actually fix in the software, based on the amount of times it’s been discussed in the years I’ve been here.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Paul2

  • Semi-Newbie
  • *
  • Posts: 10
Re: how to solve homoglyph issue?
« Reply #16 on: December 09, 2018, 12:49:49 PM »
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Allowing the administrator to restrict new account creation to ASCII usernames with a checkbox wouldn't make your software unusable for non US use. Administrators who like supporting homoglyph attacks just leave this checkbox unchecked and everything is exactly like it was before. For all others a nasty bug is fixed.


Offline shawnb61

  • Developer
  • SMF Hero
  • *
  • Posts: 1,523
    • sbulen on GitHub
Re: how to solve homoglyph issue?
« Reply #17 on: December 09, 2018, 02:33:54 PM »
If you wish to request a feature, use the feature request board:
https://www.simplemachines.org/community/index.php?board=3.0

SMF does in fact attempt to detect dupes, but only does so within the bounds of collation detection.  E.g., FredrikÖ and FredrikO and fredriko are all considered dupes and not allowed. 

As you point out, this is not extended when similar glyphs are used for completely different characters across languages. 

If you wish to code your own ASCII check, I'd start by enhancing isReservedName() in Subs-Members.php.  I don't think an ASCII check would be an acceptable long-term solution for SMF due to broad multi-language support by SMF. 

But enhancing isReservedName to better detect homoglyphs is a valid (if potentially difficult) request. 
Address the process rather than the outcome.  Then, the outcome becomes more likely.   - Fripp

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,837
    • StoryBB/StoryBB on GitHub
Re: how to solve homoglyph issue?
« Reply #18 on: December 09, 2018, 02:46:00 PM »
Except that you conveniently ignored how actually impractical your solution would be here, it would make the software unusable for people outside the US which is a surprising amount of the user base, not just here but everywhere.

Did you check people changing their name via profile? Don’t think so.

I also like how you equate the vast majority of users as “supporting homoglyph issues” just because you don’t use the same alphabet as them.
« Last Edit: December 09, 2018, 03:31:56 PM by Arantor »
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,563
  • Gender: Male
    • Kindred-999 on GitHub
Re: how to solve homoglyph issue?
« Reply #19 on: December 09, 2018, 03:29:46 PM »
It is distinctly unlikely that this sort of restriction would ever be a standard feature given that it would cripple many languages.

Again...  technical solutions to social problems are not a solution..it just moves the goalposts slightly for the offenders.

A moderator deleteing your duplicate account is not a technical solution, it’s a social solution....  account deleted and, if you had continued, penalties would have been applied, up to and including banning.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.