As the old adage goes - attacks always only get better, especially computer related attacks. I consider myself a very tech savvy user - I cannot recall that I have ever fallen for a phishing attack (yet). However there were times that I almost got caught.

Today I have read an article about a new attack that tricks a user into believing they are on a certain web site - all with green SSL icons - when in fact they are on an imposter's site. Looking at the URL field of the browser will not reveal anything useful. The only way to be sure is to actually view the SSL certificate detail to see that the SSL certificate is for a different domain. Almost nobody does that... The whole point of the green SSL bar is to perform that check automatically.

This attack uses unicode encoding in URL domain names to obscure the real domain name by substituting letters for other letters that look the same. In unicode, there are more than one letter a, letter b and so on. Some browsers render them the same, making this almost impossible to spot.

This seems to only affect Firefox, Chrome and Opera users. For Chrome - update to the latest version. Firefox users can work around the issue as per the Ars article.

Scary times.