Spoofing URLs With Unicode
Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."
how this is that important. I mean, who cares if you can register a similar address? www.yahii.com is a typo just like any other mistyped address. I am sure they get a lot of hits from it but I don't think this kind of 'hack' will be that big of a deal.
So, what would be the cyrillic for Slashdot.org?
It is widely used on russian-language IRC
networks like RusNet. http://www.irc.net.ru/
Sounds a bit amusing to me.... anybody have a link to the website they made to give us a demo of the displayed link?
It's time that we do away with the web as a medium to exchange information. A plain text file on an ftp server will do away with all of these hassles. Netscape 4.x need will never die.
Anyone else remember using alt+255 and other special characters to make hard to open directories (idiot proof anyway) on shared command line systems?
You were eaten by a grue.
How many people can type the Cyrillic letters? I'm not sure what option and control keys invoke them. It'll be fun for spoof and protest sites, but not much else.
Should I be concerned?
What is InterNic and such doing in the meantime to help prevent spoofs such as this? The Legal ramifications of this are interesting. One could also post stories with false links, that most people would never even realize weren't true.
"One example is a homograph of microsoft.com incorporating the Russian Cyrillic letters "c" and "o," which are almost indistinguishable from their Latin alphabet counterparts. The two students who registered it, Evgeniy Gabrilovich and Alex Gontmakher of the Technion-Israel Institute of Technology in Haifa did so to make a point: they suggest that a hacker could register such a name and take advantage of users' propensity to click on, rather than type in, Web links"
Umm...[a href=http://www.foo.com]http://www.microsoft.com[/a]
Do you think granny is looking in her Status bar?
I don't want to say no to the ads. I've seen 3 ads for stuff I was looking for. It sure beats watching Tampon ads during Star Trek.
"Derp de derp."
"Russian Cyrillic?"
The Cyrillic alphabet was developed a long time ago by a religious man (guess what his name was), because the Russian peoples he was trying to convert had no written alphabet. So it could be said that "Russian Cyrillic" is redundant. However, the cyrillic alphabet is in use by various languages today, and I seriously doubt the "c" and "o" characters mentioned in the article are unique to the K018R charset.
'Course, I could be wrong. If someone out there is a Unicode nerd and knows different, I will bow to the higher authority.
political_news.c: warning: comparison is always true due to limited range of data type
Yet another reason why everything should run over ssl/tls. Like my grandmother always used to say "encryption good, gangrene bad."
Imagine launching a virus from this domain and calling it a "Windows Patch". All the brain dead end users look to the message properties, "oh yea it resolves to "microsoft.com" it must be legit!" Next thing you know bewm you're infected. The ultimate virus.
When you pay money, say with paypal.com, you always want to check the URL. Of course someone could have fake link like: "click here to pay with paypal" and then redirect you to their bogus site with the intention of stealing your passwords. But it would be fairly obvious from the location bar in the browser that the URL was not paypal.com. But if unicode can be used to spoof the location bar then it will rope in even cautious users.
I recently received an email from a confused user who had received an email that appeared to be from Apple, and was selling Apple products using Apple logos, Apple website concepts and images, etc., but was not from Apple. He didn't sign up for the list, and though it appeared to be a legitimate Apple affiliate as far as I could tell (though perhaps one that used somewhat shaky methods to reach customers), he was confused why Apple was sending him email that he didn't ask for. It was his belief that the mail had actually come from Apple, because it looked like it was from Apple.
Non-nerds have proven to be extremely difficult to educate on the concept that "what email claims to be is not always what email is, and where it claims to come from is not always where it really came from". During the recent Klez outbreak, I even received a message from a nerd-friend saying that he thought my machine might be infected, because he received an infected message from "me". Of course it was spoofed, because I happen to be in a lot of people's address books, but since I haven't used Windows on the desktop in over three years, it clearly didn't actually originate with my box.
Folks are just kinda thick about questioning the veracity of claims (hell, astrology still sells books and 900-number phone calls). And this could definitely be used for nasty purposes...and certainly will. Spammers will have a field day with this, because they can't help but seem 'fly by night' because they cannot establish a real brand name due to the disgusting nature of their business. If they stand still, they'll get lynched. But if they can, even for a short time, hijack a real name that people trust, and offer up a too-good-to-be-true scam under that trusted name...well, you see where I'm going with this.
Of course, everyone here knows that unsolicited "business offers" by email are always scams run by filthy people...but my grandmother doesn't know it, nor do my parents or many of my non-nerd friends for that matter.
Just a thought. We'll see how it plays out, I reckon...
spray
I develop applications for a DSP company, and we've recently switched to using Unicode in our products. Unicode certainly has its quirks, and this is one of the more obvious ones. I fail to see why it has been implemented so widely, without very, very rigorous testing.
Actions like the one described in this article could bring down a company, if a person tried hard enough. Of course, Microsoft could just call Verisign and ask them to remove the Cyrillic domain, with no problems. But, for a small company, it could be hell. An entire user group using the same character set to access a certain website would be sent to a different site. In a worst case scenario, anti-company propaganda might be posted on the spoofing site, and it would deter people from visiting the "real" site in the future.
The only solution I can imagine is to simply prevent the translation of characters among character sets, especially in this sort of environment.
A Russian site, such as The Moscow Times, could have its site spoofed in exactly the same manner, and everyone using the Cyrillic character set (obviously, widely used in Russia, for example) would be sent to some other site, possibly indefinitely, knowing how registrars have been acting lately. This would create havoc for the newspaper and significantly hurt revenue.
(the article uses the term "homograph")
Is there some kind of problem with this term? Or are the quotes there just because the term may be unfamiliar to some?
Wherever there's a will, there's a motorway.
When I go to the site in question, (slashcode won't let me copy cyrillic characters in links), it just redirects me to http://www.bq--at7w373jih7xepx7om7p6zx7oq.mltbd.com/
There are 2 kinds of people in this world: Those who write in decimal and those who don't
Hm. Is your friend a slashdotter, too by any chance? I've gotten approximately 10 klezzy's in the past 10 days from various user-of-slashdot email addresses (most of which contain slashdot's anti-spam garbungling) I've also apparently had a lot of klez sent out using a spoofed address containing the domain which I primarily use as my email address when I post to /.
Methinks Klez likes getting email addresses from /. Talk about a stupid virus--most of us don't even use windows. :p
-Sara
This must mean...
A) The majority of Internet users are f'ing clueless.
B) Lauren is not only the president of the unsophisticated Internet users club, but also a member.
C) We must hold the Internet responsible for such irresponsibility.
At the moment these unicode domain names will not be displayed correctly by web-browsers, rather you will see a bunch of confusing control codes, so this threat isn't really a problem yet.
Of course, the underlying problem is that DNS is an ugly kludge which has long-outgrown itself. The administrative cost of constructing a massive global namespace is vast, and we can all see the opportunities for cyber-squatting it creates, to the detriment of the public interest.
These days I am more likely to go to Google and type in a few words, rather than try to guess the URL. The task of finding the website you are interested in should be left to the specialists (like Google and other search engines), we shouldn't try to maintain an ugly, broken, monopolistic, and expensive "first come first serve" architecture like DNS.
There is no good reason why a web user should ever need to see a URL (except perhaps momentum), any more than they need to see the HTML which makes up a document.
Yet another reason why everything should run over ssl/tls.
Who has upwards of $200 per year for an SSL certificate? AFAIK, VeriSign along with its Thawte subsidiary has a near monopoly on issuing the certificates required to run secure SSL connections.
Will I retire or break 10K?
If you're serious about typing in Russian, you don't type the control-meta-alt-whacky sequences.
You spend $15 and buy a plastic keyboard overlay, one of those little flexible jobs with the alternate characters printed on them. Change your keymapping -- they make keymap files to match the popular overlay's plastic sheets, I'm told -- and you're done.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I always thought these stories were made up until it happened to me ...
We had an external party complain that they were receiving filthy emails from the place I was working for about "male sex changes". A terrible business that.
Turns out the problem was the header had been stamped by our mail server, msexchange.corp.com.au, and was somehow showing up in her client.
Of course, one has to observe that goatse.cx has both an o and a c in it...
Yes, I know that the c is in the extension, but still...
Curmudgeon Gamer: Not happy
If you purchase something online, they usually redirect you to an https connection. The site has to go through verisign or some other certificate authority or else your browser will warn you. This is not a serious problem. :-)
While that definitely doesn't solve the problem for asia/eastern europe, if most asian/eastern european hackers are targeting big capitalists and money centers, it would take some of the incentive out of it. After all they'd likely be hurting their own countries.
Now if some silly yuppie script kiddie uses this attack to screw over asia and eastern europe, I guess the russian mafia can take care of him.
I believe it would be something along the lines of .
Yep, you're right. Let's make all the grandmothers stay in their rocking chairs where they belong. The internet is for young, savvy nerds. Knitting is for old people.
Seriously, I understand your perspective, and it isn't as though I'm suggesting legislation or something stupid like that (I'm anti-government on all issues)...I'm just saying I think people will get scammed using this method. And I think it may be damaging to legitimate companies as well. This is unfortunate on two counts...it is bad for my grandmother, and yours, and it is bad for honest businesses who would never use spam marketing or pull some kind of bait-and-switch, or just plain ol' scam.
That's all...I don't have solutions. I'm just griping about the problem. Isn't that what slashdot is for, hand-wringing and griping?
What's to stop someone from going out, registering a spoof of Amazon.com, etc. and similar "trusted" e-commerce sites, and using them for scamming and spamming?
From the article:
...
But are international domain names even necessary? Kuhn, who is German, doesn't think so: "Familiarity with the ASCII repertoire and basic proficiency in entering these ASCII characters on any keyboard are the very first steps in computer literacy worldwide."
That's like saying basic numeracy is the first step for computer literacy worldwide, so we should go back to using IP addresses!
Currently email addresses and URLs are the only reason a native Chinese speaker needs to use ASCII. For someone from Germany, ASCII is pretty easy to handle, but for a lot of languages, Unicode URLs & email addresses are very necessary
If I tell you that the word "word" has four letters, I have to put it in quotes. Otherwise I'm saying that the word word has four letters, and you're left wondering what a "word word" is.
Dan Bernstein has a proposal for internationalized domain names which solves this problem and many other problems. It's called IDNC3. IDN stands for ``internationalized domain name.'' C3 stands for ``clean, careful, conservative.''
Don't piss off The Angry Economist
"...this "superior" Lunix operating system's complete lack of Unicode support..."
Try Linux. It's had Unicode for years.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
...to link to the latest Slackware distro.
I mod down anyone who uses M$ in their posts. I like to live on the edge.
1) Some people are not good at spelling, and wouldn't know microsoft.com from microssoft.com, especially if it's just seen in a few quick glances.
2) There are more TLDs out now, and the same name at a .biz or .info TLD does not mean it is the same company... but no doubt a lot of people think that's true.
3) There's always the old numeral "1" swapped for the lowercase "L" or the uppercase "I", trick, among other similar things that never involved Unicode, but rather human vision and high-resolutions.
4) The "@" symbol in the URL trick, like http:\\microsoft.com\moneyfrombil@haxor.com?action=allyourmoneyarebelongtous
So if you haven't figured out my point yet, a good percentage of people that use the internet are going to be fooled by far simpler feats of social engineering. Who needs Unicode to do it?
Allo comrade.
Homograph is a real word (spelled identically, but have different meanings think fair ( just or morally right (life isn't fair), appealing appearance (fair skinned), a market place), but they are using it in a new context. The occurrence of using Unicode to do bad things with domains is so uncommon there is no word for it, they coined a word to make it something they could actually talk about.
In this case, they hijacked another word that had roughly the right meaning. Homograph had a meaning long before Unicode or IE, or Microsoft existed, so the strict English definition has nothing to do with where they used it. Assuming it becomes a common enough usage, it won't rate quotes. I'm sure an expression like "surfing the 'net", and other terms that were coined started life out with quotes.
Of course, this site's name has been turned into a verb, and nobody blinks an eye. As a general rule geeks grok overloading a word quite well, so this is all me being redundant in explaining it.
Shouldn't a unicode-enabled application display a slightly different glyph (italicized or something) for a cyrillic "c" character vs. an western "c" char?
Somebody actually got a *paper* out of this?
Tree bark does not have a shell
Tree bark does not taste good with butter
Tree bark does not come from space"
-C. Seggelin
It's in quotes so as not to offend any narrow-minded pseudo-liberals who think that the "homo" part's only meaning concerns someone's sexual preference.
But he'll have to wait until they have a C64 port of Linux!
If you buy something online without using a credit card, you deserve to get scammed.
If you buy something with a credit card, not only will you get your money back (actually never lose it in the first place), but the scammers will likely go to jail.
Besides, why are you clicking on links in your spam anyway?
Even better... I seem to recall a scam that did just that with paypal. They sent out bulk mail about updating your account or something but the link was not paypa(lower case 'L').com but paypa(Capital 'I').com and had made a carbon-copy of paypal's website, hoping you would log in. The address in the location bar looks identical for both. This sounds like the same kind of thing but using Unicode to make the spoof.
I'll confirm this. Unicode characters show up brilliantly in my filesystems and webbrowser....
My friend told me that a few years ago he was looking for a domain name to register. After some poking around he discovered that microsoft.net was up for grabs. He then proceeded to go to his dad to ask for the $10-$15 (don't remember the exact amount) he needed to register the domain, needless to say his dad refused!!
I stole this Sig
Ok, first take microsoft.com (alternate spelling), name your mail gateways identical to microsoft's, and then send out emails (as balmer@microsoft.com?) to a lot of MS employees, telling them to remove IE from XP ..
;-)
From there on, it only gets better and better. Think of the countries you would be able to influence, technology development you could steer, and leaked memos you could fabricate..
Damn i wish i had thought of it
Avs are up 3 games to 2.
HAHA, your precious wings got their asses kicked (again)...
Forsberg 0wnZ J00!!
What the HELL are you doing posting this!?
This is a LINUX advocacy site. Linux users don't use deodorant, take showers, shave, or any other grooming.
My God, man. Are you new here or just thick-headed?
Interesting. I wouldn't have guessed that name servers would be so dumb as to accept anything other than [a-z0-9]
One way to control this would be to restrict the valid characters based on the TLD.
So for example '.uk'/'.au'/'.us' etc. can ONLY have ASCII 2nd level domains. '.de' Can only have German characters, '.fr' only French, and so on
Then for completely different character sets, you have new Unicode TLDs (Arabic, Greek, Chinese), which can only have their relevant characters.
I guess you leave .com/.org/.net as ASCII, although they are meant to be global they are based on the Latin character set.
Of course, this adds complexity - but you can do all the testing for validity when the domain is registered (i.e. a web client can request any URL, but dodgy mixed character set domain names cannot be registered).
It's impossible to prove that someone hasn't inserted themselves in between you and the server, giving you a bogus cert, and pretending to be you to the server.
This is the reason for trusted signatures on certs.
Hit google for "man in the middle attack" if you want to know more.
DNA just wants to be free...
nns.ru (russian language), if anyone is curious. i did a lot of reading off of there back when i was taking russian in school. it's still fun to look through to find a picture that matches up with something off of, say, dailynew's reuters or AP wire feeds, feed the russian text through the Fish and get a feel for how the russian press and the "western" press are looking at the same event... one thing that was markedly different as I recall was the dimitri sklyarov DMCA case, they were PISSED about that... (and rightfully so, imho, just like americans would be pissed if an american got arrested in china for speaking about democracy)
Ah, but then you couldn't get the pictures of the cousin's sister's kids emailed every time they get an award at school. Or the forward of the forward of the quoted forward of the latest monster joke to wander the 'net.
This was discussed on RISKS some time back. They provide a link to a copy of the article.
Also, from draft-masinter-url-i18n-08:
6. Security Considerations
If IRI entry software normalizes the characters entered, but the resource names on the interpreting side are not normalized accordingly, and the interpreting software does not take this into account, there is a possibility of "spoofing". Similar possibilities turn up when interpreting software accepts URIs in various native encodings or allows accents and similar things to be ignored.
"Spoofing" means that somebody may add a resource name that looks the same or similar to the user while actually being different, or a resource name that contains the same characters, but in a different encoding. The added resource may pretend to be the real resource by looking very similar, but may contain all kinds of changes that may be difficult to spot but can cause all kinds of problems.
Conceptually, this is no different from the problems surrounding the use of case-insensitive web servers. For example, a popular web page with a mixed case name (http://big.site/PopularPage.html) might be "spoofed" by someone who obtains access to (http://big.site/popularpage.html).
However, the introduction of character normalization, of additional mappings for user convenience, and of mappings for various encodings may increase the number of spoofing possibilities. In some cases, in particular for Latin-based resource names, this is usually easy to detect because UTF-8-encoded names, when interpreted and viewed as legacy encodings, produce mostly garbage. In other cases, when concurrently used encodings have a similar structure, but there are no characters that have exactly the same encoding, detection is more difficult. A good example may be the concurrent use of Shift_JIS and EUC-JP on a Japanese server.
Administrators of large sites which allow independent users to create subareas may need to be careful that the aliasing rules do not create chances for spoofing.
The same risks exist today with ASCII domain names: transposed letters "1lI", "O0", playing tricks with "@" and most user agents.
You just must not take anything for granted which you see or read on the web.
The soviets actually changed the russian cyrillic alphabet when they came into power, dropping four characters (in the very early 1920s iirc). (They did a lot of other societal things that didn't last, such as switching to a five day week.) 'I' was replaced with 'backwards n' (sorry, no way to input cyrillic on this terminal), 'lower case b melded with a capital T' by 'E', 'almost greek nu' (i think, v-shaped) by 'backwards n', and 'greek theta' was replaced by 'greek phi' (i think). [Source material: page 8 of Scientific Russian, J. Perry, 1950 Interscience Publishing]
News for Geeks in Austin, TX
"640 Characters should be enough for anyone."
;-P
sorry, couldn't resist
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Yeah, right, and if you buy a brand new something from SEARZ and it doesn't work, let thou get burnt and buy from SEARZ no more. There's LEGAL and ILLEGAL. And scams like this aren't legal (unless you live in Pwanda or Tomalia, where they don't have scams anyway).
Disclaimer: "SEARZ", "Pwanda", "Tomalia", as used above, do not denote any real entities. Any similarities with real persons, events, locations are purely accidental and unintentional.
actually, we didnt really get our asses kicked....it went into overtime, and any true fan knows that in this series, the away team is always going to score the overtime goal
so watch out next game if it goes into overtime....there will be a game 7
BTW, FUCK THE CELTICS
I never understood what K0I8-R stood for. And why choose such a stupid name???
The name for the standard (or whatever the fuck it is) is fucking lame.
In my language, it means "testicle". But because some programs I use are developed in Russia, I have to see this shit of a name, on my screen, every day.
I have nothing agains Russian people, but for those that gave the name to "KOI8-R": FUCK YOU, FUCK YOU, FUCK YOU, FUCK YOU!
so, you're saying only those trained in using the web should feel safe using it? sounds fair, maybe we can have an online training course for using the . . . oh wait that wouldn't work would it. maybe we can have like a quasi-web software app. (like training wheels or something) and maybe some moderators to guide them. and then they could take a certification test down at the . . . the . . . what's that place where they keep all the books with information and stuff in them . . .
Sure, like PayPai.com a couple of years ago?
What, you don't think programmers are crystal deodorant using hippies too?
Doesn't anyone remember some russians spoofing paypal.com by registering paypai.com. The two domains look similar (especially with an uppercase i). They were able to steal account information by sending official looking email to unknowing users asking them to click a link and log in, giving away their username and password. I remember Paypal using x.com for a while to prevent this.
http://zdnet.com.com/2100-11-522401.html?legacy=zdnn&chkpt=zdhpnews01
So you're saying that, because a person is uninformed about a particular aspect of online communication, he should be immediately stripped of his right to use the internet rather than, oh, educated? You're drawing some very broad conclusions about a person's intelligence and learning ability based on his not being properly informed (by your standards) on one little issue. That is to me an offensively elitist attitude.
Scenario absurdum: You (yes, you) fall victim to an exploit of some kind, which has been published but only on forums you do not frequent. By your logic you should immediately throw your hands into the air, crying "This darn internet is just too complex for me to use! I shall give it up immediately and, furthermore, I shall forever protect this secret from my friends and family, for clearly if they can't discover it for themselves then they are idiots like me. But at least I get to be an idiot with an air of superiority about me."
Being uninformed does not equal being unable to "handle" something, and to assume so is foolish.
Wrong Ida, congressman. He's talking about Ida, not Ida Asi Apu, the young bangladeshi boy slave you keep chained to your desk for those times when you need to add your "pork barrel" to somebody's "bill". How do I know about this? Ashcroft broke down at the therapy session and told all. He won't be at your party wednesday night, of course.
I predict the cup will go to Canada this year! O Canadaa!
Yeah, that's why a couple of Israeli college students were unable to register mirsoft.com (spelled "miсrоsoft")...oh wait a minute, what were they saying again?
20 January 2017: the End of an Error.
Here it is:
http://www.miñrîsîft.com
What, no /. Unicode support? foo.
Search first, ask questions later.
I remember the old days of spoofing using double ROT13.
anyone who really thinks a team in the east is going to beat a team on the west should be shot on the spot
... so it seems safe to say that trust is the foundation of their business. Essentially, we trust Verisign to ensure that we're communicating with whom we think we're communicating, and to protect us from various forms of spoofing. They should therefore, IMHO, actively avoid even the appearance of impropriety.
However, we all remember the Microsoft certificates they mistakenly gave out to a third party.
Now we've got them registering another domain to someone that looks just like "microsoft.com." While it's tempting to absolve Verisign of guilt in this, I think they were asking for it. After all, even I thought of this possibility when I first heard about Unicode domain names, and I'm not the sharpest knife in the drawer. You've got to think someone at Verisign raised the possibility, but they chose not to deal with it.
Again, one might be tempted to say that this isn't their problem, if not for the fact that they are in the trust business. As the article says, "Certification agencies (which include VeriSign) ensure that encoded names are not misleading and that the registration corresponds with the correct real-world entity." It should not be technically difficult, for instance, to build a set of lists of visually similar Unicode characters and to refuse to register domains visually identical to existing ones. Maybe they should decide to forgo a relatively small amount of revenue and to refuse to sully their reputation with such inevitably deceptive domain registrations, especially considering that they interfere with Verisign's core business.
Of course, none of this compares to the letters they sent out trying to fool people into switching their domains over to Verisign. The other two were negligence and foolishness, but that was an active attempt to deceive from a company that's selling trust.
It all leaves me in a bit of shock. It's not that I'm shocked to see a company doing stupid and deceitful things; it's that trust is Verisign's primary asset. Hearing about these (colossally, in my mind) stupid decisions is like hearing that GM decided to torch all its manufacturing plants and assassinate all its employees. It leaves me with two questions: "what the hell are they thinking?" and "why does anyone continue to do business with Verisign?"
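Two comments above propose registration-time checks: rejecting mixed character set names and restricting scripts per TLD, and refusing names that are visually identical to existing ones. The sketch below is an added example, not part of any comment or of any registrar's code; the confusables table, the per-TLD policy, the `.example` TLD and the registered names are constructed for illustration.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# Latin ones. A real list would be built from Unicode's confusables data.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}

# Hypothetical per-TLD policy: which scripts a label under that TLD may use.
TLD_SCRIPTS = {
    "com": {"LATIN"},
    "example": {"LATIN", "CYRILLIC"},
}


def script_of(ch):
    """Return a coarse script name taken from the Unicode character name."""
    if ch.isascii() and (ch.isdigit() or ch == "-"):
        return "COMMON"  # digits and hyphen are shared by every script
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"


def label_scripts(label):
    """Set of scripts used by one DNS label, ignoring shared characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def skeleton(domain):
    """Fold a name to the Latin string it visually resembles."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in folded)


def check_registration(candidate, registered):
    """Return 'accept' or a 'reject: ...' reason for a requested name."""
    candidate = unicodedata.normalize("NFKC", candidate).lower()
    *labels, tld = candidate.split(".")
    allowed = TLD_SCRIPTS.get(tld, {"LATIN"})
    for label in labels:
        scripts = label_scripts(label)
        if len(scripts) > 1:
            return "reject: mixed scripts " + "+".join(sorted(scripts))
        if not scripts <= allowed:
            bad = sorted(scripts - allowed)[0]
            return "reject: %s not allowed under .%s" % (bad, tld)
    # A name written entirely in one script passes the checks above,
    # so compare its visual skeleton with names that already exist.
    skel = skeleton(candidate)
    for name in registered:
        if name != candidate and skeleton(name) == skel:
            return "reject: confusable with " + name
    return "accept"


# Constructed registry contents and requests.
REGISTERED = ["microsoft.com", "cope.example"]

if __name__ == "__main__":
    for request in ("mi\u0441r\u043esoft.com",          # Latin with Cyrillic c, o
                    "\u0441\u043e\u0440\u0435.com",      # all-Cyrillic, reads "cope"
                    "\u0441\u043e\u0440\u0435.example",
                    "\u043c\u043e\u0441\u043a\u0432\u0430.example"):
        print(request.encode("unicode_escape").decode(), "->",
              check_registration(request, REGISTERED))
```

The mixed-script test alone misses a label written wholly in Cyrillic, which is why the skeleton comparison runs as a separate step.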
Um.. easy. Just copy (gpm for consoles) the URI and type "host ", then hit the right mouse button. Press enter. Wait a second. Compare. Rejoice.
I'm sorry, but what the he** does this have to do with the story at hand? Where are the moderators when you need them?
I don't know about you guys, but in my part of the country you always have at least one keyboard layout installed (for your locale), in most cases two (yours and English).
I can tell you for a fact, that all people using 'alternative' (as in non-ASCII) character sets always have two locales installed.
For example, in Serbia, both character sets are used - cyrillic and latin. So, to type in www.microsoft.com with cyrillic c (by the way, 'c' is 's' in cyrillic) and o, one would have to:
1. Type www.mi
2. Switch to Cyrillic
3. Type s
4. Switch to Latin
5. Type r
6. Switch to Cyrillic
7. Type o
8. Switch to Latin
9. Type soft.com
Don't think that's very likely, do you? And of course, people who use 'alternative' character sets can also quickly see if the domain is in latin or in (for example) cyrillic and switch keyboards accordingly.
The only real problem I see (which was mentioned in some other post) is with emails - someone might send you an email instructing you to click to www.microsoft.com, where you could be fooled into thinking you came to the right site.
boky
Unfortunately, it doesn't protect against 'cekc' (I can't be bothered to type this in Cyrillic here).
This issue was also discussed in my book Secure Programming for Linux and Unix HOWTO. Look at the section on semantic attacks.
- David A. Wheeler (see my Secure Programming HOWTO)
Oh, like we'd all fall for Bill Gates giving us $10.00. Maybe $10.00 off the next Office XP^2 which might retail for $499 for an upgrade. Hmmph.
This is the EXACT reason we have certificate authorities like Verisign, and why a system using these certificates is built into common web browsers.
It is NOT so that you can use encryption; that is a side effect engineered into the system so that they can sell more certificates.
Just because it's a technical no-brainer doesn't mean it's legal, and doesn't mean it even treads on laws that have anything to do with the internet.
If you pretend to be someone else, or if someone registered an alternate lookalike domain for microsoft.com and used it in any way whatsoever to benefit from the fact.. they'd be in deep sheep.
Here's the link to the paper:
That is, if you are interested in the dry, technical details... ;-)
Verisign's activities as a domain registrar are NOT the same thing as their CA business.
They are not required to, nor do they claim to, verify domain registrants UNLESS those registrants apply for digital certificates.
Yes, Verisign are scum.. but you are barking up the wrong tree here. They are not at all required or expected to verify domain registrars.
Hey. I wish they were. Imagine how many domains would have to be revoked? Literally millions.
My Mozilla 1.0rc3 at least, makes it very obvious the differences between L and i in opposite cases. I think it's because Win2000 uses Tahoma instead of MS Sans Serif all over the place now though.
Morphing Software
Solution: Make browsers default to displaying links to sites with non-ASCII addresses differently from regular links
Also since link display may be overridden by style sheets, either make the browser override stylesheets for these links.
Display a warning when user follows one of these links
If this warning is displayed as a popup, if the user checks the "never show this warning again" display a text that explains why this is a bad idea
The only true way to security is to annoy your users into submission
- We are the slashdot. Resistance is futile. Prepare to be moderated -
You might have to look around, but they shouldn't cost more than $10-20, and have both english/cyrillic letters on them.
Unless they run their own servers, hosting is gonna be a little hard to get. I run a web hosting company. When a user signs up for hosting they are immediately ushered to the credit card processor, then after that it asks them what password they wish to use on the system. After that the domain name, password, and other stuff are stuck into a database and an email is fired off to me to let me know someone signed up, containing the URL of the page that will give me the details. Anyway, I open up an ssh session to the server and start setting it up. When I enter the domain name into the httpd.conf I am not typing in Cyrillic. I simply fire up vi, and type the domain name in there using regular Latin characters. Same when I set up the DNS zone files, email, and other such stuff. Sure they can get the domain name there, but actually getting the page to show up is another matter altogether. I believe even Russian ISPs would assume the letters were Latin characters and not their Cyrillic counterparts if they are used to spell English words (as in known company names to be used in some sort of scam)
The root certificate won't be built in to IE, of course, so the first time the user clicks on the link, IE will ask him if he wants to accept it. To which the answer will be "Of course I do, dummy, or I wouldn't have clicked on that link! Honestly, IE missing out one of the Microsoft root certs: typical MS incompetence".
Or, more simply, "Help, a dlg box has popped up, which button do I press to get to the site?".
Either way, you can spend the rest of your life after that inventing ever more interesting spoof domain names...
Read the article this is ontopic
I use roll-on. Where does it land?
I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII? Just about every country where English is not the native language, English is taught to their school children from early on.
The internet has shrunk the barrier to exchange information, which has made diverse languages even more significant of a barrier. If we use UNICODE and just accept that everyone wants to use their own language, then the internet will end up as a group of national islands of information. Each group will surf their set of native language web sites. When you search the web, the information on that Nokia phone might not be readable by you (Babblefish isn't a solution).
Language has always been a barrier, and I hope the internet will be the tool by which that barrier is torn down; not the tool which escalates the problem.
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
Many ISPs do the whole sign up process automatically.
Maybe you would like to save some time as well - check out - www.rodopi.com.
Basically, the consensus in the end was that it is impossible to avoid this sort of problem as long as you have a standard that encodes characters instead of glyphs (that means that Latin "o" and Cyrillic "o" are different characters, even though they look the same).
A character set that encoded glyphs instead of characters could avoid this. However, such charsets are extremely tedious to implement. It has been tried with the Adobe glyph registry and has been found insufficient.
In practice, glyph-based character sets are unusable. The reason is that they cannot be made fully round-trip compatible with existing character sets, such as ISO 8859 or the Windows codepages, because these legacy character sets encode characters instead of glyphs. If URLs were encoded in such a glyph-based character set, it would be impossible to embed URLs in any document in a legacy character set. No URLs in e-mails.
As a result, the only solution is to have application and operating system vendors implement checks for such situations and to have URL registries reject such obvious spoofing attempts (e.g. no mixed-alphabet URLs). Since the problem is not fundamentally different from registering slashdot.org, it is not even a problem that we weren't already aware of.
There is absolutely no reason to panic.
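The "no mixed-alphabet" registry check and the browser-side flagging of non-ASCII addresses suggested in the comments above, sketched in Python as an added example (not code from any commenter, registrar or browser). The script of a character is approximated from the first word of its Unicode name, which is an assumption of this sketch, and the sample hostnames are constructed.

```python
import unicodedata

def script_of(ch):
    """Approximate a character's script from its Unicode name (heuristic)."""
    if ch == "-" or unicodedata.category(ch) == "Nd":
        return "COMMON"                # digits and hyphen belong to no alphabet
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def decode_label(label):
    """Lower-case a label; expand the ASCII-compatible "xn--" form to Unicode."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except ValueError:             # UnicodeError is a ValueError subclass
            return None
    return label

def check_label(raw):
    """Return (decoded label, verdict, scripts found) for one DNS label."""
    label = decode_label(raw)
    if label is None:
        return (raw, "undecodable", [])
    scripts = sorted({script_of(c) for c in label} - {"COMMON"})
    if len(scripts) > 1:
        verdict = "mixed-script"             # the registry rule: refuse
    elif scripts and scripts != ["LATIN"]:
        verdict = "single-script-non-latin"  # the browser rule: display differently
    elif not label.isascii():
        verdict = "non-ascii-latin"          # accented Latin, still worth marking
    else:
        verdict = "ok"
    return (label, verdict, scripts)

def check_hostname(host):
    return [check_label(label) for label in host.split(".")]

def to_ace(host):
    """Helper for the demo: write non-ASCII labels in "xn--" form."""
    return ".".join(
        l if l.isascii() else "xn--" + l.encode("punycode").decode("ascii")
        for l in host.split(".")
    )

# Constructed samples: Cyrillic es (U+0441) and o (U+043E) inside a Latin
# label, and a label written entirely in Cyrillic (es, ie, ka, es).
SPOOF = "mi\u0441r\u043es\u043eft.com"
ALL_CYRILLIC = "\u0441\u0435\u043a\u0441.com"

if __name__ == "__main__":
    for host in ("www.microsoft.com", SPOOF, to_ace(SPOOF), ALL_CYRILLIC):
        print(ascii(host), check_hostname(host))
```

The all-Cyrillic label passes the mixed-script rule and is only flagged as non-Latin, so a registry rule of this kind has to be paired with the display-side check.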
Obviously, the problem for email/IP is not completely analogous since (in digital form) unicode is unambiguous. As stated in the article, this fact does not help for recognition and transmission of rendered characters on-screen (or in printed form).
---
Proud holder of a mensa / cafeteria card
Sending a link in an email isn't as straightforward as you make out - it would require the recipients to have Unicode enabled mail readers for them to see the link as it really is.
At the moment, this is only really supported in HTML (and even then the support is patchy).
If you are going to send out HTML, there is no real need for that level of sophistication - a link like:
http://www.microsoft.com
will fool enough people.
This is potentially more of a problem in the future for those who use large character sets regularly, and therefore support Unicode natively on their platform in things like MUAs.
+741098 insightful, YEAH microsoft sux0rs!!!!!!!!!!1111111111
Haven't they forgotten the more obvious use, which is to make people think that they are getting an email from microsoft.com/amazon.com/someothermerchant.com
w
Troll? Try offtopic, or even informative.
Yeah, I really did not think of that. I prefer to do it manually instead of something doing it automatically, A) because I don't want to pay for a tool that helps me do it automatically B) I am too lazy to do one up for myself C) I use Plesk server administrator on some of the servers and I don't think I want to pay Plesk to develop something for me since all their PHP source code is encrypted.
The Homograph Attack
This is slightly tangential, but seems a good place to ask: does anyone know how to get Microsoft IME under Windows XP to use a Dvorak layout for romaji input when typing Japanese?
For English I just use the US Dvorak input method, but when the language is set to Japanese there seems to be no way to use Dvorak other than tediously modifying the romaji->kana input table, which is clearly the wrong way to go about things.
graspee
The fact that "Microsoft" can be spoofed by replacing up to five of its letters with Cyrillic lookalikes is *not* a fault of Unicode. Unicode seeks to encode all of the world's writing systems. That there is glyphic similarity between Latin letter o, Cyrillic letter o, Greek letter omicron, and Myanmar letter wa is an accident of that cultural abundance. Bashing Unicode for this "security flaw" is, hm, shall I say, pernicious, and attacks the Good Guys, not the Bad. Michael Everson www.evertype.com
LOL! Keep up the good work!
M1cint0sh instead.
Currently email addresses and URLs are the only reason a native Chinese speaker needs to use ASCII.
Actually they are probably using ASCII on their keyboards whenever they enter ANYTHING! Unless they happen to be doing char recognition with the mouse.... which I doubt.
Interactive Visual Medical Dictionary
an off the shelf script to add said link into your bookmarks. Granted most problems that this can cause would be minorly annoying, but the potential for mischief is there. Give someone a hammer and it's guaranteed they will hit a finger sooner or later.
hôw thïs ìs thãt ïmpörtânt.
Sõrrý, cöùldn't rêsîst. Thè Dëvîl màdê më dò ît.
oh geez, i can see the creative Goatse links now.
THERE IS NO DATA. THERE IS O
Installation of an ActiveX control requires the user to "trust" the given company/URL. Seems this could be used now to make an ActiveX control look like it came from Microsoft.
DNS lookups are case-insensitive, so mucking with capitalization in the domain name will have no effect.
I'm not questioning the existence of the scam -- only that they must have perpetrated it in a different way (such as whitehouse.com vs. whitehouse.gov), since capitalization won't make any difference.
Beyond the domain name, the rest of the URL may be case sensitive. But, you can't use that to direct someone to a completely different site.
The point of the comment is that - hold on here - I and L are different letters. Despite that, in a sans-serif font, a capital I and a lowercase L look nearly identical. (Exactly identical, depending on font) Note that most url bars on web browsers use a sans-serif font.
The real site is written as paypal.com, while the fake site was written as paypaI.com. Note that those are different - in all uppercase one is PAYPAL.COM while the other is PAYPAI.COM
http://slashdot.org/articles/00/07/21/1343231.shtml
the reason that it fooled so many people is because
www.paypaI.com and www.paypal.com look very similar if you
a) aren't paying attention, and
b) you are using crappy fonts
Contrary to popular belief, Linux isn't always The Way(tm).
:and delete it from there.
:boot from a linux floppy, mount the hard drive,
He's saying they used I (Capitol i) instead of l (Lowercase L) to fool people, so it was a different domain, it just appeared the same because of the similarity between I and l with some fonts.
For a good time call www.sawkie.com
The government white house site, is white.gov, and the humor site is whitehouse.org, while whitehouse.com is pr0n. Now, why wasn't the government smart enough to register all the whitehouse domain names? Oh, never mind, I think I just answered my own question.
The average literate chinese person has to know upwards of 3000 unique characters. Picking up the ~30 ascii glyphs needed to use the current internet is trifling in comparison.
Knowing a sufficient number of english words is much more difficult, but completely unnecessary for using email/DNS.
Also, I imagine if the "internet started in china", they would have included the measly 26 uppercase latin letters, as they are kanji's too. Most of the sites you'd be interested in as an english speaker would stick to those anyway...
I have had numerous discussions (or better: fights) with people about this. Usually they feel the security problems can be solved without real effort (by somebody else of course), but feel what I really wanted is to discriminate against them.
It never ceases to amaze me that some people would rather risk an entirely working system, like the DNS, than accept that technology cannot accommodate their personal needs that fast and that some of their personal needs may be very difficult to fulfill, and that this is not the fault of the engineers but rather a consequence of the fact that the technology they now want adapted to their needs was invented by people from another culture! If the WWW was a Russian invention, of course everybody participating in it would have to learn the Russian language at first! Maybe even still some decades later. Now it was mostly American so it is ASCII and English. Those that cannot adapt to that should wait until their needs can be safely and cost-effectively accommodated or do the needed extensions from their own resources!
But obviously many people just "want" without any willingness to contribute or invent or implement by themselves. I foresee interesting times for anybody using text-based identities, like names.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted and ignored otherwise.
I know there's an SI(metric) character for the unit modifier "micro"...Is that covered in Unicode?
Hats off to the first person who grabs THAT domain combination. (I hope it's another OSS junkie)
What's this Submit thingy do?
I remember using a diskette with a FAT editor to change my directory names to combinations of characters that were illegal in FAT, and therefore completely unopenable by normal means. ;)
That means my directory stayed until I got back to the computer no matter if the admin found them unless he reformatted the disk...
Gotta love a system where user level programs have raw access to devices.
Why don't we go back to just using IP's instead of DNS names?
Bill: "Hey Jim, I just found this awesome website!"
Jim: "Oh yeah? What's the name?"
Bill: "64.28.67.150"
Jim: "One of those easy to remember ones, eh?"
Bill: "Yep! Oh and by the way, are you Canadian?"
Jim: "Watcha talkin aboot?"
Taken to its logical conclusion, if you can't handle life (all of it?), then you shouldn't be alive.
The thing is that people do have to cope with things that they do not understand. Societal norms should be such that minimal damage is inflicted due to lack of understanding of consequences. This applies to adults as well as children and infants.
I would think a better term to coin would be "homoglyph", because that is what it is. Two different characters with the same glyph. Plus this has the advantage of not being a word already in use (to my knowledge).
This was only true in Western Christendom and then only true to a limited extent. For example, in the west, the first Christian missionaries to the British Isles translated the service books of the early Church to Gaelic and other Celtic languages. In the east, the generally accepted practice was to use the vernacular. This is why some of the oldest extant copies of the Bible are in one of the Ethiopic languages, Coptic, Syrian, etc.
The Roman canon that the liturgy could only be practiced in one of the tongues spoken by the apostles was of relatively late invention and only applied to congregations under the sole apostolic see of the west, Rome. Congregations under the apostolic sees of the east always used the vernacular.
Hence it is somewhat ironic that many eastern Churches refuse to update the liturgy from being in liturgical Greek or old Slavonic into their modern equivalents.
Regards,
-l
http://www.cs.aucegypt.edu/mudawwar/publications/Multicode_IEEEComputer97.pdf
The first time I got a Klez message, I sent a reply saying that I thought their machine was infected. I only discovered the forgery problem when I started reading up on it. That's probably what happened to your friend.
If you aren't really bothered by viruses (i.e., keep your system reasonably secure and don't use MS), then their new tricks can sneak up on you.
I think we've pushed this "anyone can grow up to be president" thing too far.
Quick! Call Adobe!
Damn those Russians messing with our alphabet!
.
Nobody who understands text data would use anything other than Unicode except for legacy handling. Using different encodings for different languages is as ridiculous today as using different encodings for English on different platforms used to be before everyone agreed to exchange data in ASCII.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
Actually, as far as I know, the main way Chinese enter text is with keyboards that have BoPoMoFo characters on them. (Scroll down the page a bit to see the BoPoMoFo part). The one Chinese keyboard I have seen did also have latin characters on the keycaps too, so they at least have exposure to latin characters. Plus, I wouldn't be surprised if there also existed a system for Chinese similar to the sometimes used Japanese system of Romaji->Kana->Kanji for input.
Or is it in reference to a record player that can only play the same record over & over?
MrHat, I've missed you. I had started to think I was unworthy of your limericks.
Tell me the truth though, is it, or is it not incredibly sad, that nearly every topic/conversation on this site can be reduced to a 5 line poem? It tells the lie of just how shallow most of this is...
...but it will have to be part of the solution.
The problem is the diversity of characters used by people around the world, regardless of how they are encoded. Encoding them in anything other than Unicode would make the problem dramatically worse because no group will sit back for long and allow their language to be excluded from global naming protocols on this shared "worldwide" platform.
Having everyone share an ASCII-only system is no longer a viable option, so either everyone shares a single system that covers all languages (Unicode is the only viable option), or the system breaks up into a composite of conflicting encodings. (.com could be registered as half a dozen different byte sequences by different registrars.)
The Unicode solution is the only one that makes sense, then you have to look at rules for the use of characters. You would have to look at the rules for the use of characters even without Unicode. It's just that Unicode makes it so much simpler than the composite alternative that a solution is probably possible.
This IDNC3 proposal is a good start, but there are even more issues. People who wave their arms about the "problems of Unicode" aren't helping, though. Almost all of them are really just advocating "let's keep it simple by limiting it to the characters I need and disallowing yours", and that won't fly any longer.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
Yes, and it's a lot harder for you to write the characters needed for programming in C++ or Perl. I'd rather have my English keyboard.
HOWEVER, what I'd like best of all would be to replace the dumb keyboard (hit a key, get the character printed on the key cap) with smart input methods at the OS level (maybe keyboard driver level if you don't have a GUI).
For example, I should be able to type user-defined abbreviations and have the OS replace them with what they represent. I should be able to type "deja vu" and have the OS input dictionary automatically replace it with "déjà vu" and so on. We should be able to use the tab key for autocompletion and substitution, so if I type e/ then tap the tab key, it might replace e/ with é, and so on.
Yes, I know we have some of this functionality in unix shells like bash, some in emacs, some in word processors like MS-Word, etc. I'd like it at the OS level so that no matter what I was typing into, I would have a virtual keyboard much more powerful than my simple physical keyboard and one that I could optimize for the characters/words/phrases I needed most often.
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
I gave microsoft.com my credit card number!
Should I be even more concerned?
Baxter the Cat says: Meowmix is good.
And this fucking post was on topic. You fucking crack moderators read the article.
Crack smoke wafts through air
Humorless moderator
Why do you hate me?
AND NBSP THIS BITCH.
<a href="http://slashdot.org">Microsoft.com</a>
I am glad that someone else knows the truth!
Of course, this is easy to defeat with a simple combination of backticks, ls -1 and wc.
The best way I discovered to hide the contents of a directory in unix is:
Unix is rather unhappyful trying to cd to a directory that has a / as part of its file name. Shell quoting tricks won't get you past it, since it's the kernel handling the /
Of course, you had to un-/-ify the directory every time you wanted in, but hey, the price of security...
by the looks of this I say anyone can do it, 'eh?
.com, .net, and .org domains can now be registered
SLASHDOT.ORG.SHOULD.BEESECURE.ORG
whois -h whois.crsnic.net slashdot.org
Whois Server Version 1.3
Domain names in the
with many different competing registrars. Go to http://www.internic.net
for detailed information.
SLASHDOT.ORG.SUCKS.COMPARED.TO.JIMPHILLIPS.ORG
SLASHDOT.ORG
To single out one record, look it up with "xxx", where xxx is one of the
of the records displayed above. If the records are the same, look them up
with "=xxx" to receive a full display for each record.
>>> Last update of whois database: Tue, 28 May 2002 16:51:10 EDT
"I'm a dirty white tomcat, enter my world..."
capitol? wtf?
Ha. There's a restaurant in my city that proclaims "Japanese restaurant", but the signs are filled with Korean characters. Apparently so few people can tell the difference that these people are basing their business on pretending to be Japanese :).
It is a totally legitimate domain. There is nothing WRONG with it.
It's particular uses of it that can be wrong, but not the domain itself.
And as to what you said, you, directly or indirectly, implied that Verisign should not allow domains like this to be registered because they are in the certificate authority business.
Totally different things.
I don't see the connection you are drawing.
No, bill clinton's relationship with his wife has nothing to do with his ability to govern, and I cannot *believe* that people actually think it has an effect.
Actually, what I really think (read this carefully) is that it's a big deal because people THINK that other people think that it has some effect, and don't want to appear different.
Whitehouse.gov can fight back against Whitehouse.com!
The new slashdotsucks.com sucks, I liked the old one (the "Adequacy" one) better. Bring it back!!!
Someone once sent an email to my yahoo account that looked just like the yahoo login message. I would have fallen for it, but IE didn't auto-fill my login into their fake text field.
The Communications of the ACM article is available online at <http://www.csl.sri.com/users/neumann/insiderisks.html#140> (Inside Risks 140, CACM 45, 2, February 2002).
I'm using Mozilla 1.0rc2 (not 3, but...) under WinNT and they look the same. So I think your conjecture about the font change for Win2K may be the correct reason.
Check out Chad's News
So... you can't respect other people's personal decisions on spirituality? Granted, the 900-numbers are gimmicky. But why should Astrology books be discredited as non-sense? Most mature people respect other's religious beliefs.
Although Astrology isn't a religion, it is faith-based, as religion is. Is Astrology scientific? No. Neither is the Bible (etc.). You might as well have worded that sentence to say "hell, astrology, christianity, and paganism still sell books...".
All I ask is that you respect other people's personal spiritual beliefs, whether that involves Astrology, Judaism, Wicca, or what have you. An exception is when you're discussing/debating spirituality or religion, but this isn't the case.
I don't believe in Christianity, but I don't attack a Christian's personal beliefs because I don't agree with them. I expect others to respect my personal beliefs the same way.
So... you can't respect other people's personal decisions on spirituality? Granted, the 900-numbers are gimmicky. But why should Astrology books be discredited as non-sense?
So you feel it's all right to knock 900-numbers, but astrology books are something that everyone should respect, eh?
You can't just call something faith, and say that no one should say anything about it. Astrology makes certain checkable statements, which tend to be found wrong. Most branches of Christianity and Judaism make few checkable statements; belief in them is a matter of faith.
The homograph attack in Communications of the ACM 45(2) by Evgeniy Gabrilovich and Alex Gontmakher is online but access to the full text requires paid membership.