Slashdot Mirror


Spoofing URLs With Unicode

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."
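A defender-side check for the homograph described in the story, as an added example that is not part of the original submission or the cited paper. It flags hostname labels that mix scripts and shows the ASCII form the resolver actually sees; the sample hostname is constructed, the function names are hypothetical, and Python's built-in `idna` codec stands in for whatever encoding a registry uses.

```python
import unicodedata

# Constructed sample: "microsoft.com" with the "c" and both "o"s replaced
# by Cyrillic U+0441 and U+043E, as the story describes.
SPOOFED = "mi\u0441r\u043es\u043eft.com"
GENUINE = "microsoft.com"

def char_script(ch):
    """Rough script guess from the Unicode character name (assumption:
    the first word of the name identifies the script for letters)."""
    if not ch.isalpha():
        return None  # digits and hyphens are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def label_scripts(label):
    """Set of scripts used by the letters of one DNS label."""
    return {s for s in map(char_script, label) if s}

def analyze(hostname):
    """Per-label findings: scripts used, ASCII wire form, mixed-script flag."""
    report = []
    for label in hostname.split("."):
        scripts = label_scripts(label)
        ace = label.encode("idna").decode("ascii")  # form sent in DNS queries
        report.append({
            "label": label,
            "ace": ace,
            "scripts": sorted(scripts),
            "mixed": len(scripts) > 1,
        })
    return report

def is_suspicious(hostname):
    """True if any label combines letters from more than one script."""
    return any(r["mixed"] for r in analyze(hostname))

if __name__ == "__main__":
    for host in (GENUINE, SPOOFED):
        print(ascii(host), "suspicious:", is_suspicious(host))
        for r in analyze(host):
            print("   ", r["ace"], r["scripts"])
```

A label written entirely in one non-Latin script passes this check, so a mail gateway or browser would pair it with a confusables table or an allow-list of expected domains.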

4 of 432 comments

  1. Our Task is Obvious by donnacha · Score: 4, Funny

    So, what would be the Cyrillic for Slashdot.org?

  2. I gave m1cr0s0ft.com my credit card number!!!! by Anonymous Coward · Score: 4, Funny

    Should I be concerned?

  3. Re:The site by Servo5678 · Score: 3, Funny

    Hey, that URL is infringing on my copyrights! It's similar to my business's name, Bq--at77w373jih7xepx7om7p6zx7oq Enterprises, Inc.

    Lousy cybersquatters...

  4. Think of the fun you could have with this! by chabotc · Score: 3, Funny

    Ok, first take microsoft.com (alternate spelling), name your mail gateways identical to microsoft's, and then send out emails (as balmer@microsoft.com?) to a lot of MS employees, telling them to remove IE from XP ..

    From there on, it only gets better and better. Think of the countries you would be able to influence, technology development you could steer, and leaked memos you could fabricate..

    Damn I wish I had thought of it ;-)