Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spoofing URLs With Unicode

Posted by timothy on from the there-is-a-problem-with-this-certificate dept.

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

19 of 432 comments (clear)

  1. Our Task is Obvious by donnacha · · Score: 4, Funny


    So, what would be the cyrillic for Slashdot.org?

  2. Done in DOS a long time ago by aoihai · · Score: 4, Interesting

    Anyone else remember using alt+255 and other special characters to make hard to open directories (idiot proof anyway) on shared command line systems?

    --
    You were eaten by a grue.
  3. I gave m1cr0s0ft.com my credit card number!!!! by Anonymous Coward · · Score: 4, Funny

    Should I be concerned?

    1. Re:I gave m1cr0s0ft.com my credit card number!!!! by Dr.+Awktagon · · Score: 4, Insightful

      Whew, good thing you caught it in time! Don't worry, the credit card companies can take care of it, no worries, just enter your name,credit card number, social security number, and mother's maiden name at each of the following URLs:

      • AMERlCANEXPRESS.COM
      • ClTlBANK.COM
      • FlRSTUSA.COM
      • DlSCOVERCARDS.COM

      (Those all use "ell" instead of "eye" when possible.. they look exactly the same with my fonts.. Since there already "homographs" in plain ASCII, and plus Javascript mouseovers can be used to change the browser status area, and plus many people don't even fully understand the difference between "microsoft.com" and "microsoft.evil.com", this Unicode trick is nothing to worry (more) about!)

  4. WHY THIS IS IMPORTANT by Anonymous Coward · · Score: 5, Informative
    people seem to be missing the point in this thread. Here is why this is very important.

    When you pay money, say with paypal.com, you always want to check the URL. Of course someone could have fake link like: "click here to pay with paypal" and then redirect you to their bogus site with the intention of stealing your passwords. But it would be fairly obvious from the location bar in the broswer that the URL was not paypal.com. But if unicode can be used to spoof the location bar then it will rope in even cautious users.

  5. I would have thought it wasn't a problem except... by SwellJoe · · Score: 4, Informative

    I recently received an email from a confused user who had received an email that appeared to be from Apple, and was selling Apple products using Apple logos, Apple website concepts and images, etc., but was not from Apple. He didn't sign up for the list, and though it appeared to be a legitimate Apple affiliate as far as I could tell (though perhaps one that used somewhat shaky methods to reach customers), he was confused why Apple was sending him email that he didn't ask for. It was his belief that the mail had actually come from Apple, because it looked like it was from Apple.

    Non-nerds have proven to be extremely difficult to educate on the concept that "what email claims to be is not always what email is, and where it claims to come from is not always where it really came from". During the recent Klez outbreak, I even received a message from a nerd-friend saying that he thought my machine might be infected, because he received an infected message from "me". Of course it was spoofed, because I happen to be in a lot of peoples address books, but since I haven't used Windows on the desktop in over three years, it clearly didn't actually originate with my box.

    Folks are just kinda thick about questioning the veracity of claims (hell, astrology still sells books and 900-number phone calls). And this could definitely be used for nasty purposes...and certainly will. Spammers will have a field day with this, because they can't help but seem 'fly by night' because they cannot establish a real brand name due to the disgusting nature of their busines. If they stand still, they'll get lynched. But if they can, even for a short time, hijack a real name that people trust, and offer up a too-good-to-be-true scam under that trusted name...well, you see where I'm going with this.

    Of course, everyone here knows that unsolicited "business offers" by email are always scams run by filthy people...but my grandmother doesn't know it, nor do my parents or many of my non-nerd friends for that matter.

    Just a thought. We'll see how it plays out, I reckon...

  6. Unicode Environments by saveth · · Score: 4, Insightful

    I develop applications for a DSP company, and we've recently switched to using Unicode in our products. Unicode certainly has its quirks, and this is one of the more obvious ones. I fail to see why it has been implemented so widely, without very, very rigorous testing.

    Actions like the one described in this article could bring down a company, if a person tried hard enough. Of course, Microsoft could just call Verisign and ask them to remove the Cyrillic domain, with no problems. But, for a small company, it could be hell. An entire user group using the same character set to access a certain website would be sent to a different site. In a worst case scenario, anti-company propaganda might be posted on the spoofing site, and it would deter people from visiting the "real" site in the future.

    The only solution I can imagine is to simply prevent the translation of characters among character sets, especially in this sort of environment.

    A Russian site, such as The Moscow Times, could have its site spoofed in exactly the same manner, and everyone using the Cyrillic character set (obviously, widely used in Russia, for example) would be sent to some other site, possibly indefinitely, knowing how registrars have been acting lately. This would create havoc for the newspaper and significant hurt revenue.

  7. DNS was, and is, an ugly kludge by Sanity · · Score: 4, Interesting
    Amazing how many comments betray the fact that people haven't read the article.

    At the moment these unicode domain names will not be displayed correctly by web-browsers, rather you will see a bunch of cunfusing control codes, so this threat isn't really a problem yet.

    Of course, the underlying problem is that DNS is an ugly kludge which has long-outgrown itself. The administrative cost of constructing a massive global namespace is vast, and we can all see the opportunities for cyber-squatting it creates, to the detriment of the public interest.

    These days I am more likely to go to Google and type in a few words, rather than try to guess the URL. The task of finding the website you are interested in should be left to the specialists (like Google and other search engines), we shouldn't try to maintain an ugly, broken, monopolistic, and expensive "first come first serve" architecture like DNS.

    There is no good reason why a web user should ever need to see a URL (except perhaps momentum), any more than they need to see the HTML which makes up a document.

  8. Re:Terminology whine by RelliK · · Score: 4, Insightful
    The Cyrillic alphabet was developed a long time ago by a religious man (guess what his name was), because the Russian peoples he was trying to convert had no written alphabet

    That is false. Russian people had alphabet long before Cyrillic. Incidentally, that should really be proto-Russian, or Eastern Slavic since the people diverged into Russian, Ukrainian, and Belorussian much later.

    So it could be said that "Russian Cyrillic" is redundant.

    It is not. There are several "dialects" of the Cyrillic alphabet. They are mostly the same but a few letters are different. I already mentioned three of them above. There's also Bulgarian, Serbian, and I'm not sure what else.

    I seriously doubt the the "c" and "o" characters mentioned in the article are unique to the K018R charset

    The charset is called KOI8-R. Or are you using the l33t sp3lling?

    --
    ___
    If you think big enough, you'll never have to do it.
  9. i know you're being funny, but... by Anonymous Coward · · Score: 5, Interesting

    I believe it would be something along the lines of .

  10. Re:It shouldn't really be a problem. by GigsVT · · Score: 4, Informative

    Most people just blindly click OK, because it is usually OK.

    A lot of small e-business sites want to use their hosting provider's cert, but don't want the user's browser to display the hosting company's domain rather than their own. (Yes I know it's stupid, people are picky as fuck when you are making web pages).

    Anyway, that causes the browser to warn that the cert is not valid for the domain it is being used in.

    It's kinda possible to get around this using frames, but then the browser might say something about mixed secure and unsecure items on a page. The only real way to do it right is to just let the users see the hosting provider's address, as far as I know, or have the site buy their own cert.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  11. Are international domain names even necessary? by ukryule · · Score: 4, Insightful

    From the article:

    But are international domain names even necessary? Kuhn, who is German, doesn't think so: "Familiarity with the ASCII repertoire and basic proficiency in entering these ASCII characters on any keyboard are the very first steps in computer literacy worldwide."

    That's like saying basic numeracy is the first step for computer literacy worldwide, so we should go back to using IP addresses!

    Currently email addresses and URLs are the only reason a native Chinese speaker needs to use ASCII. For someone from Germany, ASCII is pretty easy to handle, but for a lot of languages, Unicode URLs & email addresses are very necessary ...

    1. Re:Are international domain names even necessary? by plumby · · Score: 4, Insightful

      What if the Internet had started in China? Would you be happy to learn the Chinese alphabet in order to enter URLs?

  12. IDNC3 by Russ+Nelson · · Score: 5, Informative

    Dan Bernstein has a proposal for internationalized domain names which solves this problem and many other problems. It's called IDNC3. IDN stands for ``internationalized domain name.'' C3 stands for ``clean, careful, conservative.''

    --
    Don't piss off The Angry Economist
  13. Who needs a paper... this is irrelevant by wadetemp · · Score: 4, Informative

    1) Some people are not good at spelling, and wouldn't know microsoft.com from microssoft.com, especially if it's just seen in a few quick glances.

    2) There are more TLDs out now, and the same name at a .biz or .info TLD does not mean it is the same company... but no doubt alot of people think that's true.

    3) There's always the old numeral "1" swapped for the lowercase "L" or the uppercase "I", trick, among other similar things that never involved Unicode, but rather human vision and high-resolutions.

    4) The "@" symbol in the URL trick, like http:\\microsoft.com\moneyfrombil@haxor.com?action =allyourmoneyarebelongtous

    So if you haven't figured out my point yet, a good percentage of people that use the internet are going to be fooled by far simpler feats of social engineering. Who needs Unicode to do it?

  14. Re:WHY THIS IS IMPORTANT - It's already been done by JesterOne · · Score: 4, Informative

    Even better... I seem to recall a scam that did just that with paypal. They sent out bulk mail about updating your account or something but the link was not paypa(lower case 'L').com but paypa(Capital 'I').com and had made a carbon-copy of paypal's website, hoping you would log in. The address in the location bar looks identical for both. This sounds like the same kind of thing but using Unicode to make the spoof.

  15. Paper Online by AstroMage · · Score: 5, Informative
    Inspite of what the heading says, the original paper is online- you can find it on Evgeniy Gabrilovich's homepage.

    That is, if you are interested in the dry, technical details... ;-)

  16. Re:Right.. excpet.. SSL by Alan · · Score: 4, Insightful

    Isn't the point of the article that now you can go to a Verisign approved website for (unicode of some big company) and have it check out properly because there is a verisign cert for the site (unicode of some big company)?

    People now seem to be good at knowing that if you get funny pop ups about self signed certs or certificates not matching the url that they don't put in their credit card number... now suddenly that doesn't apply, because you won't get that, and the differences aren't as obvious as those for something like paypaI.com or micros0ft.com :)

  17. Re:Why not stick with English? by dvdeug · · Score: 5, Insightful

    I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII?

    The 5 billion people in the world who don't have English as their native language might. Some would argue that language is a cornerstone of culture, and that when a society loses their language, they lose a significant part of their culture. I've read parts of Shakespeare in German, and was very unhappy about the destruction of the writing. I know several poets of my native tongue (Poe, in particular) would be lost completely in translation. I have no interest in condeming other people to reading the great literature of their cultures in translation.

    In any case, ASCII isn't good enough for English writing. French accents are used in English writing, as well as the ae and oe ligatures. Even in modern writing, proper quotes and apostraphes are needed, and footnote daggers often show up in English writing. For specialized work, mathematics, linguistics (even of English), historical English writing and APL all have thier own body of characters outside ASCII that need supported.