Slashdot Mirror


Spoofing URLs With Unicode

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."
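A defender-side check for the homograph described in the summary above, as an added example that is not part of the submission, the article, or the paper. The lookalike hostname is constructed from the summary's description (Cyrillic letters in place of "c" and "o"), and the function names are this example's own. Script detection from the first word of the Unicode character name is a simplifying assumption, not the full Unicode script property.

```python
import unicodedata

def char_script(ch):
    """Approximate a character's script from the first word of its Unicode name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and hyphen are shared by all scripts
    try:
        return unicodedata.name(ch).split()[0]  # e.g. "LATIN", "CYRILLIC"
    except ValueError:
        return "UNKNOWN"  # unnamed code point

def inspect_host(host):
    """Per label: scripts seen, mixed-script flag, ASCII (IDNA) form, non-ASCII chars."""
    findings = []
    for label in host.split("."):
        scripts = {char_script(c) for c in label} - {"COMMON"}
        findings.append({
            "label": label,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
            # The xn-- form is what is actually registered and resolved.
            "ascii": label.encode("idna").decode("ascii"),
            "non_ascii": [(f"U+{ord(c):04X}", unicodedata.name(c, "?"))
                          for c in label if ord(c) > 127],
        })
    return findings

def is_suspicious(host):
    """Flag a hostname if any single label mixes scripts."""
    return any(f["mixed"] for f in inspect_host(host))

GENUINE = "microsoft.com"
# Constructed sample: U+0441 (Cyrillic es) for "c", U+043E (Cyrillic o) for "o".
LOOKALIKE = "mi\u0441r\u043es\u043eft.com"

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(host, "suspicious" if is_suspicious(host) else "ok")
        for f in inspect_host(host):
            print("  ", f["ascii"], f["scripts"], f["non_ascii"])
```

A label written entirely in one non-Latin script is not flagged by the mixed-script test; showing the `ascii` form to the user covers that case, because it differs visibly from the expected name.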

5 of 432 comments

  1. Comment removed by account_deleted · · Score: 2, Flamebait

    Comment removed based on user account deletion

  2. solution--eliminate unicode fonts by blastedtokyo · · Score: 0, Flamebait
    There's a pretty easy solution here. Just get rid of Unicode fonts. They're bloated, buggy, slow down your machine and lots of people just don't need it (Western Europe/Americas). When was the last time you felt like writing a letter in Russian? While you can still link to a site, it's pretty clear when you see mi-r-s-ft.--m (where you usually get square boxes instead of dashes).

    While that definitely doesn't solve the problem for Asia/Eastern Europe, if most Asian/Eastern European hackers are targeting big capitalists and money centers, it would take some of the incentive out of it. After all they'd likely be hurting their own countries.

    Now if some silly yuppie script kiddie uses this attack to screw over Asia and Eastern Europe, I guess the Russian mafia can take care of him.

  3. Re:DNS was, and is, an ugly kludge by NoMoreNicksLeft · · Score: 1, Flamebait

    Actually, it is insulting wannabe-elitist morons like you that are ruining Slashdot

    Christ, I must be tired to not have caught that the first time round.

    Actually, it's strange that you say that I'm ruining it for you, rather than the other way around. Let me explain. The internet is a big shit hole, but it didn't use to be that way. Then people like you arrived, with much bleating and mooing, shepherded here by marketdroids and buzzwordologists. And things keep getting worse. Why? Because you came here, never bothering to learn the rules, and then wondering, bitching about, and crying why things don't work. If you want "content" served up to you with 0.0 effort, go watch TV. They waste untold millions figuring out what lazy idiots like to watch, and all for free! No browsers or anything, just a remote control.

  4. Re:DNS was, and is, an ugly kludge by sql*kitten · · Score: 1, Flamebait

    Actually, it's strange that you say that I'm ruining it for you, rather than the other way around. Let me explain. The internet is a big shit hole, but it didn't use to be that way. Then people like you arrived, with much bleating and mooing, shepherded here by marketdroids and buzzwordologists. And things keep getting worse.

    That's mighty fine talk coming from someone with a 6-digit User# :-P

  5. Re:DNS was, and is, an ugly kludge by NoMoreNicksLeft · · Score: 1, Flamebait

    Why? Because I didn't bother to register until recently? Maybe you'd like me to show you a few AC's from December '97 that look suspiciously like my writing style...

    Besides, I can show you Usenet posts of mine going back to at least '88. Not exactly ancient, but just a bit older than User #1 here.