Slashdot Mirror

← Back to Stories (view on slashdot.org)

Spoofing URLs With Unicode

Posted by timothy on from the there-is-a-problem-with-this-certificate dept.

Embedded Geek writes: "Scientific American has an interesting article about how a pair of students at the Technion-Israel Institute of Technology registered "microsoft.com" with Verisign, using the Russian Cyrillic letters "c" and "o". Even though it is a completely different domain, the two display identically (the article uses the term "homograph"). The work was done for a paper in the Communications of the ACM (the paper itself is not online). The article characterizes attacks using this spoof as "scary, if not entirely probable," assuming that a hacker would have to first take over a page at another site. I disagree: sending out a mail message with the URL waiting to be clicked ("Bill Gates will send you ten dollars!") is just one alternate technique. While security problems with Unicode have been noted here before, this might be a new twist."

5 of 432 comments (clear)

  1. WHY THIS IS IMPORTANT by Anonymous Coward · · Score: 5, Informative
    people seem to be missing the point in this thread. Here is why this is very important.

    When you pay money, say with paypal.com, you always want to check the URL. Of course someone could have fake link like: "click here to pay with paypal" and then redirect you to their bogus site with the intention of stealing your passwords. But it would be fairly obvious from the location bar in the broswer that the URL was not paypal.com. But if unicode can be used to spoof the location bar then it will rope in even cautious users.

  2. i know you're being funny, but... by Anonymous Coward · · Score: 5, Interesting

    I believe it would be something along the lines of .

  3. IDNC3 by Russ+Nelson · · Score: 5, Informative

    Dan Bernstein has a proposal for internationalized domain names which solves this problem and many other problems. It's called IDNC3. IDN stands for ``internationalized domain name.'' C3 stands for ``clean, careful, conservative.''

    --
    Don't piss off The Angry Economist
  4. Paper Online by AstroMage · · Score: 5, Informative
    Inspite of what the heading says, the original paper is online- you can find it on Evgeniy Gabrilovich's homepage.

    That is, if you are interested in the dry, technical details... ;-)

  5. Re:Why not stick with English? by dvdeug · · Score: 5, Insightful

    I'm trying not to sound like a lingual elite-ist by any means, but can anyone really say that we shouldn't standardize on English/ASCII?

    The 5 billion people in the world who don't have English as their native language might. Some would argue that language is a cornerstone of culture, and that when a society loses their language, they lose a significant part of their culture. I've read parts of Shakespeare in German, and was very unhappy about the destruction of the writing. I know several poets of my native tongue (Poe, in particular) would be lost completely in translation. I have no interest in condeming other people to reading the great literature of their cultures in translation.

    In any case, ASCII isn't good enough for English writing. French accents are used in English writing, as well as the ae and oe ligatures. Even in modern writing, proper quotes and apostraphes are needed, and footnote daggers often show up in English writing. For specialized work, mathematics, linguistics (even of English), historical English writing and APL all have thier own body of characters outside ASCII that need supported.