At 6:21 PM -0800 2/14/05, TidBITS Editors wrote: >Don't Trust Your Eyes or URLs >----------------------------- > by Glenn Fleishman <[EMAIL PROTECTED]> > > The clever folks at the Shmoo Group, a bunch of interesting > security folks who punch holes in assumptions about what's > secure on the Internet, have discovered a simple way to fool > most browsers into believing that they've connected to a secure > Web site when they've been spoofed into connecting to a rogue > location with a different name. It's ironic, but Internet Explorer > is entirely exempt from this spoof. Opera, Safari and KHTML-based > browsers, and all Mozilla and Firefox browsers suffer from this > weakness on all platforms. > ><http://www.shmoo.com/> ><http://www.shmoo.com/idn/homograph.txt> > > In brief, the Shmoos found that a poorly implemented method > of allowing international language encoding within domain names, > called International Domain Name (IDN) support, allows a malicious > party to display what appears to be one domain name in the > Location field of a browser while connecting you to another. > Phishing scams have just become more difficult to identify. > > This exploit is made possible by a system called "punycode," > which has been widely adopted according to the Shmoo Group. > Domain names that use characters outside of unaccented Western > alphabet letters via Unicode/UTF-8 are converted into a string > of Roman letters (see Matt Neuburg's "Two Bytes of the Cherry: > Unicode and Mac OS X" for more information on Unicode). This > conversion isn't a problem, per se: it means that domain names > outside of the English character set can be used freely without > confusing browsers and can be registered using simple English > characters for backwards compatibility within the domain naming > infrastructure. > ><http://db.tidbits.com/getbits.acgi?tbser=1217> > > The flaw is twofold: first, affected browsers display whatever the > encoded version of the character is, which might look identical to > another language's character. For instance, the Shmoos use the > Russian lower-case letter A, which is encoded as "&1072;" in UTF-8 > using decimal (base 10) notation, and displays in browsers that > support IDN as a lower-case A indistinguishable from a Roman > lowercase A. > ><http://www.fileformat.info/info/unicode/char/0430/> > > The second problem leads from the first: it's possible > to have a legitimate SSL (Secure Sockets Layer) digital > certificate for the punycode-based domain name. Thus, in > an example that the Schmoos posted for a while (now replaced), > you see "https://www.paypal.com/"; in your browser URL field, > and the SSL signals are all there - you get no warnings, the > lock icon is present, and Firefox's Security tab in the Page > Info window says the Web site's identity is verified. > > Click View in that same tab in Firefox, and you'll see > the full punycode name of the Web site, however, which is > "www.xn--pypal-4ve.com". Copy the URL from the Location > field and paste it into Terminal, and you'll see the encoded > version in standard UTF-8 format, too, which looks like > "www.p&1072;ypal.com". > > I don't know that there's an easy solution to this problem. > It's the result of choice by the developers of the various > browsers to display precisely what a Unicode character looks > like, which is reasonable enough. But at the same time they > use a kludgy, opaque hack in the background to map that Unicode > character to an English character to provide full backwards > compatibility with what was once a U.S.-centric domain naming > system, one that retains substantial vestiges of that history. > > If you're a Firefox user, I recommend obtaining and installing > a utility called SpoofStick, which alerts you to what is being > called "homograph" spoofing; that is, the character or glyph looks > like another, unrelated glyph. If you visit the Shmoo site with > SpoofStick installed, you get a big lovely warning. > ><http://www.corestreet.com/spoofstick/> > > Trust has gone out the window when you follow links in email or > on Web sites. There's no longer a way to be sure that the domain > name you're visiting is the one you think you are unless you check > the URL out in Terminal or have SpoofStick installed. > > Realistically, the upshot of this situation is that you must be > even more careful about following links you receive in email to > sites that ask for sensitive information. A message that purports > to be from PayPal customer service, for instance, may look right > and even use URLs that appear to connect to PayPal's site, but > could in fact be taking you to another site designed to capture > your username and password. The likelihood of falling victim to > a spoofed URL on the Web itself is less likely, assuming you start > from a site that's a relatively trusted source. When in doubt, > fall back on common sense and check the URL by pasting suspect > URLs into Terminal to see if they're concealing any unusual > Unicode characters. Hopefully we'll see browser fixes soon: > simply displaying the full punycode-based domain name alongside > its actual representation would at least highlight what's > happening behind the scenes without interfering with navigation > or Web pages.
-- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
