Shmoo Group Finds Exploit For non-IE Browsers
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.
How am I supposed to fit a pithy, relevant quote into 120 characters?
I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it. If the problem can't be fixed in the browsers, maybe email clients and websites can find some way of decoding, detecting, and disabling such links. Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
You are in error. No-one is screaming. Thank you for your cooperation.
Serves those Internet Explorer users right! They should immediately switch to ... uh, wait. Nevermind.
I'm a big tall mofo.
This isn't per-se a browser fault, it is more of a flaw in the IDN system.
At least we can bash FF instead of IE now.
Damnit... now I'm switching back.
This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.
Looks like someone may have to fix Punycode. Then we can update the browsers. In the mean time perhaps Opera, Firefox, etc. can given some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.
Are they telling every man and his dog by letting this get on /.? If they had just released some patches for Firefox and written up some help files for people this would not mean much.
Dashboard Widgets
If you "View Source" for some weird reason the real address shows up in the title bar.
I have a theory that the truth is never told during the nine-to-five hours. - Hunter S. Thompson
I was personally there. The demonstration of the IDN spoofing at shmoocon was hands down very disturbing. This will open new possibilities for fraud and phishers unless something is done about it. I suggest browsers point out when mixed-language characters are used in URL's this may help mitigate this severe issue.
-caes
This is a good reason why we should just force all nations in the world to adopt a single language, English.
Erm of course... if I was French, I would just sed 's/English/French/' that last sentence and you wouldn't set me -1 Flaimbait.
I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although its not really worth searching to see.
This was a big part of the criticism around supporting larger character sets in domain names.
in an entry in Michael Kaplan's blog last month. That in turn mentions this entry which talks about spoofing filenames using a similar method.
In the future, all spacecraft will be made of cheese.
From the text:
.. eventually.
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will.
Ok, it doesn't work in IE... so when will the patch be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.
Seriously, it's been known for years that adding international character sets was going to cause the problem of multiple identical (or almost identical) characters.
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
Combination - fun iPhone puzzling
Except when implemented in their own country code namespace of course.
There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.
Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.
How is this anything except nasty propaganda?
The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false.
This is far less dangerous than some of the recent IE exploits. IE is simply an invitation for trouble whereas Mozilla/Firefox can still be considered secure browsers.
Since I haven't got any half-decent Cyrillic fonts installed, the "homographs" don't look remotely the same on this machine.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.
Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)
One man's -1 Flamebait is another man's +5 Funny.
This is defeated as well. Normally, you see the real domain name in Spoofstick under Firefox on Windows. As another poster stated, you do indeed briefly see the real URL in the status bar.
Konqueror fails with http, but with https it warns about the certificate.
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
IE is safer because it doesn't support a feature? Don't worry, I'm sure the plug-in will be installed with the next security update!
Taking guns away from the 99% gives the 1% 100% of the power.
"Propaganda" being anything someone says that you do not like. Mentioning IE is quite relevant. My first thought on reading such a thing is its status in regards to MSIE. Also, in case you have not heard before, MSIE has a reputation for being subject to such exploits in the past.
Don't blame Durga. I voted for Centauri.
I've confirmed that konqueror is vulnerable. Anyone know how to disable this in konqueror?
If you had super powers, would you use them for good, or for awesome?
I thought this was a well-known attack -- using Unicode characters that look like latin but aren't. As more and more web sites start accepting unicode in user names without policing, I think we'll find more interesting applications for this type of attack.
This is not that different from "spoofing" using this address:
http://www.paypaI.com I.e. replacing the lower-case L with an upper-case i. (except that paypai.com happens to be taken already, by an annoying site that maximizes the browser window no less.)
Security through inutility
Okay, so right now white is plain ascii, yellow is secure ascii. Let's add gray for plain international, and orange for secure international.
Links is unaffected - it goes to the real paypal site.
-------
Warning: Slashdot may contain traces of nuts.
Here in Mozilla there's a little difference on the "ay" of "paypal". It's so hard for a user to see in the browser window that I'm scared that IE is not exploitable this time; maybe it's time for the IE developers to celebrate one victory.
http://www.michel.eti.br
You should never go to an important site like a homebanking webapp by clicking on links (from Emails or unknown Webpages). Just type them into the address bar by hand or use bookmarks created by yourself.
I don't suffer from insanity, I enjoy every minute of it.
"Relevant" being whatever your first thought on reading something is, apparently. IE had nothing to do with this exploit, yet it's in both the article and the headline. The author had to weasel some way in that IE was affected too.
Face it, you guys are obsessed with Microsoft. Get lives.
This has been known for years as most /.ers know :/
Don't you think that "Shmoo Group Finds Exploit in IDN domain names" would have been more informative?
Alas, "Shmoo Group Finds Exploit For non-IE Browsers" is more likely to catch people's attention.
What a world!
The following sentence is true. The preceding sentence was false.
If I copy/paste the link into Notepad it just looks right, and if I copy/paste it back into Firefox I get the "spoofed" page back again.
next:
Trolls can have a couple of days fun on slashdot.
And Verisign can sell a lot of domains to phishers. (profit!)
This can apply to any time anyone says anything. However, in practice, the word "propaganda" is only used when someone does not like being said. It is similar to "rhetoric" in this regard.
Don't blame Durga. I voted for Centauri.
do you even know what a watermark is? How the hell did you hit the 100000 watermark?
in Mozilla for Mac OS9 i get p?ypal.com , pretty obvious to me. Not that I don't want to use something newer then Mozilla 1.21, just that MacOS is no longer supported. (OSX is though)
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
Mcrosoft this one is much harder to spot than the PayPal one. Unless using mono space font which nobody does on Win.
So, are people grateful that Unicode's Unified CJK has prevented thousands of similar phishing possibilities? Guess.
echo 33676832766569823265328479713269.8639857989Pq | dc
... there isn't IDN support in IE yet.
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
I think you're on the right track here.
Perhaps the best approach is to use a different font/different color for particular ranges of characters, or characters outside of one's locale setting, so e.g. if my locale is Germany, and cyrillic or french accent-grave or what have you characters are loaded, then display that character in bold, or in red, or what have you. Also, tint the background of the URL pink or something, so if the offending character is scrolled off the end of the URL field, the user still gets a visual clue that something is wrong.
I'm sure there are other possibilities, like putting a little warning at the top whenever characters are in the URL that are strikingly similar to characters in the default locale OR standard ASCII, specifying what the character is and perhaps stating something like "http://spo0furl.com IS NOT THE SAME as http://spoofurl.com".
The Future of Human Evolution: Autonomy
This can apply to any time anyone says anything.
No, it can't. You're glossing over to relativize the word so that you won't be wrong -- but it's too late, you already are. "Systematic propagation" means something specific, and is directly applicable in this instance.
Comments like this worry me. We really have to be careful about letting our guard down just because Firefox is more secure. The whole point of the article is that the exploits DO exist.
On one hand, we (the /. community) love to talk about how Firefox's market share is growing quickly but then minimize potential problems. So how is this problem 'less dangerous than some IE exploits'?
Don't get me wrong, I'm all about Firefox, but we can't get lazy.
It is certainly relevant to mention the browser that is used the overwhelming majority of the time if you are talking about browsers, even if it is just to mention that it is not affected.
Don't blame Durga. I voted for Centauri.
This brings up the amusing problem of character recognition by human and non-human intelligences. Douglas Hofstadter discusses this issue in on seeing A's and seeing As.
In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or a in-browser warning system that analyses the potential for ambiguity and alerts the user.
Two wrongs don't make a right, but three lefts do.
Actually, they didn't find anything. They demonstrated how the IDN character support could be used to trick users. A virtually identical demonstration can be found in the original paper/advisory. Thanks for the FUD, slashdot editors.
Furthermore, whether this is actually an exploit or not remains a subject of debate, as is evident from Opera's response ("It's implemented properly"). Fact remains that people can be fooled, though.
Trying the SSL link with Konqueror, it popped up an invalid certificate dialog box, which is at least some warning that all is not well.
They're what I get in my basement when the sump pump fails.
The higher the technology, the sharper that two-edged sword.
With phishing on the rise, this is a major problem. Let's hope Apple and the others can address it quickly. When you combine this problem with the ability for imposter emails to have a link that looks like an address to, for example, paypal, but that really goes to another site, the potential for phishing scams is substantial. Indeed that Mail.app (and other non-text-only mail programs, not just Apple's nor just Mac OS X) flaw ought to be recorded somewhere as a security flaw so it would be addressed. Recently I've received two fairly realistic bogus emails that purported to be from ebay and had fake URLs that led to an obviously-not-an-ebay-URL site (once you got there), but if they had taken advantage of this IDN flaw too, they could much more easily trick people into thinking it was legit.
It seems to me that the Mail.app flaw could easily be addressed by having a check to make sure that any link with anything that looks like a URL in the text of message matches with the actual link, and if it doesn't, putting up a warning when you click on it, displaying the actual URL and asking for verification that you want to visit it, noting that it may be a scam.
--- What?
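A concrete form of the check suggested above, as an added example (not Apple's or any mail client's code): parse the anchors in an HTML message and flag any whose visible text looks like a URL but names a different host than its href. The sample message and the host names in it are constructed.

```python
"""Flag HTML mail links whose visible text looks like a URL but whose href
points at a different host. Constructed example; not any mail client's code."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside an open <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; bare 'www.example.com' text is read as http://."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def suspicious_links(html):
    """Return links whose URL-looking text names a different host than the href.
    The comparison is strict (www.paypal.com != paypal.com), so a warning dialog
    rather than a hard block is the right consumer of these results."""
    parser = LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if looks_like_url(text) and host_of(text) != host_of(href):
            hits.append({"text": text, "href": href,
                         "text_host": host_of(text), "href_host": host_of(href)})
    return hits


# Constructed sample message: one honest link and two deceptive ones
# (the third uses the A-label from the advisory as its real destination).
SAMPLE_MAIL = """
<p>Update your account at <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
<p>Or here: <a href="http://login.example-phish.test/">https://www.paypal.com/cgi-bin</a></p>
<p>Or here: <a href="http://xn--pypal-4ve.com/">www.paypal.com</a></p>
"""

if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_MAIL):
        print(hit)
```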
Hemos, please change it now before the wrong impression is given. If IE were to have implemented this, they surely would be vulnerable too.
....porn is a whole lot less interesting using Lynx:)
Unless you're into transcripts of Penthouse Letters....then I guess it's OK:\
Ummm...what's Lynx?
It's merely a "trick".
Anyone should know better than to base their trust on being on a particular, secure web page only on the address shown in the address bar! Everyone should know that they shouldn't access secure web pages from external links.
If you write "Pope" on your forehead, do you think people will believe you're the pope? And by the way, funny that for once, the lack of a functionality actually "saves" IE, for one of the biggest security concerns is ActiveX...
This will probably lose me major karma for going against groupthink, but the statement that "The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable." does seem ridiculously biased.
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
And, as usual, Slashdot puts a negative spin on a piece that would otherwise put Microsoft in a positive light. Come on guys, I could say that FireFox was vulnerable to VBScript security holes if someone wrote a VBScript addon for it.
Go to about:config in the address bar.
search for the property:
network.enableIDN
Change this to false as per the advisory workaround in http://www.shmoo.com/idn/homograph.txt: "V. Workaround: You can disable IDN support in mozilla products by setting 'network.enableIDN' to false. There is no workaround known for Opera or Safari."
It's intentional that there are multiple glyphs that look the same, but represent different characters in Unicode. (for sorting order, spell checking, etc.)
So you just need to work off of that strength, and flag when someone's mixed any two groups of characters. (I'm not sure what the official Unicode name is for them ... the different sets assigned to each language or function).
Anyway, you start with the assumption that a domain name is going to contain only characters from one of those groups, and you report if it's otherwise. Now, there are still problems with people not looking closely, and confusing 'resume.com' with 'résumé.com' or something similar, but you'll fix the problems with identical glyphs.
The important thing to do is to not assume that ASCII is the only 'good' form, as that would make it rather english-centric (I'm not sure what other languages can map all of their characters into ASCII)
Build it, and they will come^Hplain.
Here in Scandinavia, the letters Å,Æ,Ø are actually quite new. It is acceptable to spell them as AA, AE and OE respectively on non-scandinavian keyboards. With IDN addresses now becoming available, you constantly have to remember which spelling is used on which website. It would be a hell of a lot more practical if only the 26-letter alphabet was used and software would automatically expand ingeniøren.dk to ingenioeren.dk. This way you could use whatever you want. And websites will not be too happy about using special characters, because it makes them almost impossible to reach on non-scandinavian computers.
10 ?"Hello World" life was simple then
Middle coast script kiddie con Bobsmithcon ended today and they had a nasty virus to show off... using Dimodular Intertext Macros (DIM) to compromise entire systems. Their examples use Open Office and this looks very useful for making computers explode remotely. Interesting note that it works in every OS *except* Linux (which makes this virus a lot less dangerous in the end, I suppose)." The reason Linux isn't vulnerable is because it doesn't natively support DIM; but with the right plug-in, it too is vulnerable.
every time a URI contains more than one writing system: if you've got the same URI with both Cyrillic and Latin in the domain name, pop up a question mark, and even add in (maybe by default?) a pref to disable opening URIs with multiple writing systems in the domain name.
I, honestly, fail to understand how this is a "bug" -- domain name may look like it is valid, having characters embedded in it that are from a different code page. I believe there was a story a year or more ago about spoofing of microsoft.com with first 'c' actually being Russian letter 's' that looks like latin 'c'.
Quite frankly, I always thought that IDNs are a Bad Idea: they will create more ambiguity and the benefits (domain names in your own language!) are very much questionable... Do tell me how I am going to type in a Chinese or Japanese domain name if I don't have the keyboard layout (not to mention that I may not even know *how* to input all these glyphs...).
--AP
This is nothing new. The only new thing is that someone actually made an example showing the "feature" in use. It has been known that this is a possibility for a while, even before IDNA was introduced.
There's not really any way for browsers to know if a domain name is "wrong". Perhaps greylisting could work ... I.e. registration of domain names in a central list, and making browsers emit warnings when accessing those sites. Would be painful to manage, though.
So if this doesn't work in IE, and IE had 90%+ share of the market for all these years and no one complained about IDN not working, why not just disable it by default in other browsers? It doesn't sound like users will be breaking the doors down wondering why their beloved feature got disabled.
We as Microsoft are market leader with IE and exploits : We would gladly keep it that way !
This is the worst bug I have ever seen in Mozilla/Firefox.
I hope that it get fixed very soon!!!!
This is why we should just stick with IBM's 8 bit extended ASCII characters.
Who needs Cyrillic when you have all those lines and stuff? And the cent symbol?
Quidquid latine dictum sit, altum sonatur.
huh?
Come on all those lynx users out there, bring on the trolling. I dare ya.
This isn't new. I've seen domains like 'cops.com' advertised on eBay, except the seller says that the 'o' or something isn't the regular O, it's some other O way out there in ASCII land, but it looks identical (for linking purposes, I suppose).
People who routinely hit sites outside of their "local setting" will get used to www.paypal.com showing up in red.
Perhaps:
The url has a pink background if the url is 100% characters outside of your locale.
The url has a right RED background if the url is composed of characters from multiple sets.
Also, put a bright red, flashing fish icon (or the phrase "possible phishing site") in the upper left (by the magic circle of dots) or somewhere on the bottom bar when a site uses questionable links (as in your spo0furl.com example).
Spoofstick is a useful tool, too. I don't know if it protects against this particular attack, but it's good for the casual browser (i.e., mom/aunt gert/the cranky old guy down the street who always asks for computer help) to help protect against phishing.
Browsers should display non-ASCII characters
in URLs / statusbar in a different colour, bold,
flashing or some other distinctive way. eg.
They could display p<font color="red">a</font>ypal.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity?
I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others lives miserable.
Can't that intelligence be put to good use and make software that competes with the big guys? I know you are smart, esp if you can crack that stuff. I can't, and I'm considered smart by my peers.
Please fill me in on this.
Thanks
so I wouldn't be prey to this.
i.e.
don't need the source. They edit the binary with a hex-editor.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
That's because they use HTML entities to disguise the characters. If they were really smart, they'd have used a unicode encoding like UTF-8 and used plain characters all the way. Then even the source would look normal. The whole script collision thing has been known for a long time. The only way to fix it is to restrict the sets of characters that can be used to register internationalized domain names. E.g. restrict them to characters from one script only.
"Recently I've received two fairly realistic bogus emails that purported to be from ebay and had fake URLs that led to an obviously-not-an-ebay-URL site (once you got there), but if they had taken advantage of this IDN flaw too, they could much more easily trick people into thinking it was legit."
No shit Sherlock. Way to state the obvious.
That is exactly why the story is fucking posted here.
lol, "people"?, most of us are still trying to find a browser that *understands* (read supports) HTML properly.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Because only color-blind users should be the victims of phishing scams.
And because grandma is sure to notice that one letter, in a part of the screen she doesn't usually look at, is a different color. Just tell her to check every letter of every URL she goes to.
Not that I've got a lot of better solutions. I can imagine a patch that pops up a warning for suspicious-looking URLs, but dialog boxes are lousy security.
I can definitely see eliminating IDN, but that's hardly fair to the 95% of the users in the world who aren't American.
Still, in general I should caution you about using color as an important indicator in your software design. The world is full of color-blind (and blind) users who deserve your consideration. Not only will it help them out, it'll help out your normally-sighted users who will appreciate stronger cues than color.
I'm planning on taking an airplane flight in 7 years, and am already taking classes on aeronautics, history of flight, airplane engineering, and am enrolled in the technical school for airplane building and maintenancy.^H^H
Uh-oh, looks like my "delete" key stopped working again. Must need another .5 ohm resistor, with a diode overlay. I'll do that as soon as I'm done casting the waterpump for my car.
If you don't know what AltaVista is (was), get off my lawn.
Did I wake up in Bizarro World or something?
Is there any way to make it smaller?
Game Overdrive - Gaming News
>The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.
p.s. I use Firefox.
Although not a Linux, Windows, or Mac vulnerability, it could become one.
If the site spoofed were a trusted site for Firefox extensions they could get some code to execute on the box. They could package a root kit and take control of a Linux or Mac, or the buffer overflow du jour to take control of a Windows machine. Granted, Linux would be the most difficult due to the large variation of distros (and each distro differs in opinion on where files belong), compiler options, etc.
For a truly secure OS, you should remove all applications and just run the OS in its pure state.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Has anyone checked to see if this exploit is possible in the recent 1.0.1 builds? Presumably they contain security fixes... perhaps for this issue among whatever others exist.
This seems to be more of a bug in Unicode than in the browsers. Unicode has defined multiple character codes as having the exact same glyph. I thought we'd already run into this in Unicode with multiple long representations of the same character, decided it was a bad thing and corrected it by making any representation longer than the shortest illegal. Shouldn't we do the same thing here, and simply make it illegal to have multiple character codes appearing as the same glyph?
I don't think the average person types in URLs that much, especially not to sites they don't know or visit often. You just Google it.
However on the subject of typing: the real problem is that typing foreign characters is insanely hard in every OS out there. If you have a US keyboard, you're out of luck completely. Luckily my keyboard has 'dead' keys which allows me to put several types of accents on various letters, but it still doesn't help me with e.g. an Å.
Typically all you have is some dumb character map which you have to hunt through, and which is buried somewhere deep. That's why I wrote an IME-like app which pops up a small in-place dynamic character map with a keystroke. It allows you to select characters based on a 'base' character. See http://www.acko.net/blog/sprankle. Sure it's Windows-only and it doesn't work on apps that do weirdo stuff with keyboard input, but I blame the Win32 API. It's GPL'd though, so you are free to port it to one of the 'superior' OSes that Slashdot likes.
hitting the page with netcat shows the rather obvious buggering of the URL.
;)
GUI's are for Mac users
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Hey Sherlock - what do you suppose was the purpose of my message? Was it to report the flaw in Safari? Or was it to report the flaw in Mail.app and many other mail programs on many platforms, that in concert with the Safari/Firefox/Opera flaw makes for a heady brew, and to note one possible, and easy, fix for it? No such flaw is noted on secunia.com, in fact there is no Mail.app listing on that site at all. Perhaps it is noted elsewhere, but I haven't been able to find it. Nor do I see it mentioned in the /. article, but maybe I'm just not enough of a Sherlock to find it there?
--- What?
Unicode range U+2500 - U+257F, box drawing: http://www.unicode.org/charts/PDF/U2500.pdf
Enjoy.
...but I have long suspected that there was a simple hack, I read about different url encoding support, and realised that an 'a' character can be a multitude of actual encodings, and this would allow you to register a name with the similar lexical morphology.
I thought even using small accented characters (paypal with ^ on the a's) but this obviously uses a's designed to carry an accent, but doesn't specify an accent.
There are probably hundreds more ways you can register a site that is 100% different to a computer, but 100% the same to a human.
tsk
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
We could just only show the character codes.
;)
It wasn't that long ago that ALL computer users had to (de facto) memorize the ASCII character set, and be able to read it in hex or decimal. Stepping up from 7 bits to 16 (Unicode) or 24 (UTF-8 encoding of Unicode) should be a big deal. It's just a few orders of magnitude. Of course, users of the Latin character sets will have it easy
----- If communism is a system where the government owns business, what do you call a system where business owns govern
There is already a fix for this IDN problem in the unicode spec, if people would just use it:
Before resolving, all domain names should be normalized according to normalization form KC. (see http://www.unicode.org/unicode/reports/tr15/) Once that's done, anything that looks like an "a" really will be an "a", and not something that looks identical in Cyrillic.
That simple (SIMPLE!) step would avoid this problem, almost completely. There'd still be an issue with people using "paypál" instead of "paypal", but at least then the user has some vague chance of seeing the difference in the URL in the browser window.
It would also be good if responsible registrars refused to accept domain registrations for domains not normalized according to NFKC, but asking companies to refuse business simply because someone else would get hurt is probably not going to be effective.
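An added example (not the thread's, the Shmoo advisory's or any browser's code) that puts both proposals from this thread side by side on the advisory's own xn--pypal-4ve.com domain: the mixed-script flag suggested earlier in the thread, and the NFKC normalization suggested here, plus a confusable "skeleton" comparison. The script ranges and the confusables table are small hand-built subsets of the Unicode data, an assumption made for illustration only.

```python
"""Homograph checks for a hostname: punycode decode, mixed-script test,
NFKC behaviour and a confusable 'skeleton'. Constructed example, not
Shmoo Group or browser code."""
import unicodedata

# Simplified script table (constructed; the real Unicode Scripts.txt is far
# larger). Digits, hyphen and dot count as Common and never cause mixing.
SCRIPT_RANGES = [
    (0x0041, 0x005A, "Latin"), (0x0061, 0x007A, "Latin"),
    (0x00C0, 0x024F, "Latin"),      # Latin-1 Supplement, Extended-A/B
    (0x0370, 0x03FF, "Greek"),
    (0x0400, 0x04FF, "Cyrillic"),
    (0x0590, 0x05FF, "Hebrew"),
]
COMMON = set("0123456789-.")

# Small hand-built subset of cross-script look-alikes mapped to ASCII.
# Unicode's confusables.txt has thousands of entries; this is not that file.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a",
}


def script_of(ch):
    if ch in COMMON:
        return "Common"
    cp = ord(ch)
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Unknown"


def decode_idn(host):
    """Turn an A-label host (xn--...) into its Unicode form, label by label."""
    out = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        out.append(label)
    return ".".join(out)


def scripts_in(label):
    return {script_of(c) for c in label} - {"Common"}


def is_mixed_script(label):
    """The check proposed in the thread: more than one writing system in one label."""
    return len(scripts_in(label)) > 1


def nfkc_folds(label):
    """True if NFKC normalization changes the label at all (it folds
    compatibility variants such as fullwidth letters, not cross-script twins)."""
    return unicodedata.normalize("NFKC", label) != label


def skeleton(label):
    """NFKC, then map listed confusables to ASCII; equal skeletons = look-alikes."""
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(c, c) for c in folded)


def assess(host, trusted):
    """Per-host findings against a trusted ASCII host name."""
    decoded = decode_idn(host)
    labels = decoded.split(".")
    return {
        "decoded": decoded,
        "mixed_script": any(is_mixed_script(l) for l in labels),
        "nfkc_changes": any(nfkc_folds(l) for l in labels),
        "skeleton_match": skeleton(decoded) == skeleton(trusted) and decoded != trusted,
    }


if __name__ == "__main__":
    for h in ("paypal.com", "xn--pypal-4ve.com", "xn--rsum-bpad.com"):
        print(h, assess(h, "paypal.com"))
```

The NFKC result for the advisory's domain is what a browser or registrar would actually observe: the Cyrillic a survives normalization unchanged, while the mixed-script and skeleton checks both flag it.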
IE is not affected. Also, Netscape Navigator and Mosaic are not affected.
i dont understand why
== http://www.xn--pypal-4ve.com
can someone explain.. thanks
I have the same problem with it - in fact, I uninstalled it because of that. Hopefully the guys at corestreet will make it a little more configurable in the future...
Doesn't seem to work with mine. It says www.paypal.com but the ssl one also says www.paypal.com which is actually incorrect.
... with that "every browser *except* IE" there. I tried it with lynx on Linux. Didn't work here.
I like dec2hex(184594917);
Oooh, and I'll bet you get *lots* of dec2hex(764901) with a sig like that!
As already mentioned by others, it's definitely a problem that the suggested workaround for Firefox (setting network.enableIDN to false via about:config) doesn't work once you restart your browser (while the flag happily stays at 'false').
The Mozilla folks have picked it up however, so we can expect a fix fairly soon I think:
https://bugzilla.mozilla.org/show_bug.cgi?id=2813
AHA! This finally proves that internet explorer is a HUGE security risk and should not... erm.. oh darn!
A bad analogy is like a leaky screwdriver.
This shows the character codes of the site it's attempting to load in the bottom left of the window and then pops up a message saying it cannot connect to the server.
This blog noted this encoding issue back in June when the author noticed it while using a Lynx browser.
I'd be very wary about putting in a flashing fish icon. Mostly because phishermen would be able to test their urls to find out if they've managed to make one that doesn't match the phishing profile.
Then users would think "well the fish didn't flash so i'll be safe".
The browser could display the address bar with an alternative background/border, as Firefox does for https.
Of course you should be aware of the change, but it preserves compatibility while adding a way to let the user know the site is probably fake (don't forget 99.9% of the sites in the world DON'T use IDN)
You honestly think this is just a "non-IE" problem?
...
IE has the same vulnerability (although through a different method)
here is an article about it
I have windows 2000 with unicode support enabled. And guess what? The attack also fools IE.
It would certainly be a start, anyway.
Using Firefox 1.0 on XP, if I do "view source" it shows the correct header: "Source of: http://xn--pypal-4v3.com/"
But who does that on every page? Easier to disable IDN.
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
All the browser people have to do is run the domain name through nameprep prior to Punycode-ing it. It's not that hard - it isn't as though there aren't dozens of implementations of Unicode normalization form KC around.
I run all internet requests through DansGuardian and Squid via transparent proxy. DansGuardian caught this as a malformed URL and told me.
While the first link fools Konqueror, the second link (ssl https: connection) makes it freak out, prompting a nice warning box stating that the certificates don't match:
"The IP address of the host www.pypal.com does not match the one the certificate was issued to."
It's quite frightening that firefox (or Opera) doesn't actually sound the alarm after checking the certificates.
Hack your mind out of its sandbox.
Why not just edit spoofstick.css, to change all three font sizes to whatever you want. Change small to 9 point, for instance. Of course, it won't really decrease the size of the extra panel. The makers should put it in the status bar, like the makers of other extensions do.
This is a relatively simple and workable fix, and fails only where the normalization method has holes.
Mozilla just needs to decode the URL from punycode, normalize it, then recode it. This could probably be implemented as a transformation on the punycode URL.
Who doesn't run their internet through a proxy these days?
While my browser may be vulnerable, the page never makes it past the proxy (squid):
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.www.p%D0%B0ypal.com/
The following error was encountered:
* Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
* Missing or incorrect access protocol (should be `http://'' or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed
RFC2119
Solution: Go to: http://www.mozilla.org/developer/
(no spoofing in here, just plain text ;) )
At the bottom of the page there's a section called (Nightly Builds), download the file for your OS, and it should work now (don't forget to check the setting again on about:config -> network.enableIDN)
Tried on the Windows release, and worked fine (even after browser restart) ... Good luck !!!
Can't the domain name registrars put a stop to this? There's a finite pool of ambiguous-looking letters, so it would be easy to scan each requested domain for ambiguities: "We're sorry, the domain pa0x1234ypal.com contains an ambiguity with an existing domain name. Please try again."
After all, who except a phisher would really want one of these?
I think what you mean is every modern browser other than IE. Us lynx users are safe!
ReadThe ReflectionEngine, a cyberpunk style n
hack i've ever seen.
not that i've seen that many.
[turns and pisses in the corner]
Why don't you just start typing in your URIs from now on?
Slashdot has covered this problem before.
This sig is umop apisdn.
yyyyyyyyyyyyy
And at least in GNOME, that version is extremely difficult to tell apart from the real one, and on other OSes with better font rendering, it's identical as it should be.
If there is a bunch of state information in the url copy/paste the url into your address bar, hit "type-over" mode, and re-type the host name and you should be ok.
The designers and implementers of IDNA knew this. I implemented IDNA in ICU and ICU4J. Please see the demo [oss.software.ibm.com]. This demonstrates a way to alert the users of possible spoofing.
no, i don't understand the deep inner workings of my pharmaceuticals... but then, there isn't hordes of cracker bastards incessantly trying to steal my identity through my medicine cabinet!
also, i just wanted to point out that for once IE came out on top for being so far behind...
In Firefox anyway you can highlight the link, right click and choose View Selection Source. That will show you exactly what you are clicking on. How hard is that?
Don't just talk, donate to Mozilla/Firefox security effort!
Duh, IDN is a complicated standard, and as such, creates a lot of room for exploits.
I can't believe some of the "I thought FF was completely secure! Those liars!" bullshit comments. As soon as non-IE browsers hit that 10% market threshold, you knew that the exploits were going to start rolling through. The same issues Windows has will start hitting Linux Desktop as soon as it hits a 10% - 15% market penetration, and is dumbed down enough with "features" that will work for the average user, who doesn't give three shits about security and just wants it to be easy to use.
Browsers and OSes are a bitch to write and develop, and are going to have security flaws no matter how much you wish they didn't. It would take an infinite amount of test time to ensure they didn't. If you want a truly secure system, do not connect it to the internet, or trade in your machine for an abacus and a slide rule and you'll be good to go. This is the name of the game, no matter what you use.
Rant over
I found iCab 2.9.8 and OmniWeb 4.5 appear to be immune to the exploit. It does successfully fool Safari, Firefox and Opera, though.
I don't think this guy knows how.
-- I ignore anonymous replies to my comments and postings.
spoofstick is fooled by this exploit too it seems
Where "sees" means "displays it this way on the status line":
:)
Netscape 3.04 sees http://www.p?ypal.com/ -- looks the same in docsource
OffByOne 3.4a sees http://www.p0ypal.com/ -- looks the same in docsource
K-Meleon 0.9 sees http://www.p?ypal.com/ -- looks like http://www.pypal.com/ in docsource
IE 5.00.2314.1003 (yes, minor builds can make a *big* difference in how IE displays stuff) sees it as http://www.paypal.com/, but the "a" is about half normal size (this is at 1024x768). Docsource as IE feeds it to notepad looks like http://www.pypal.com/
Mozilla 1.5 sees it exactly the same as IE5.00 (above), including docsource
AOLpress (HTML editor with built-in browser) sees it exactly the same as OffByOne (above), including docsource
Netscape 4.50 sees http://www.p?ypal.com/ but displays http://www.pypal.com/ in docsource
Firebird 0.7 sees it exactly the same as Moz 1.5 and IE5.00 (above), including docsource
And Mosaic 0.9 can't figure out WHAT to do with the page and wants to save it to disk.
At this point, I ran out of installed browsers.
~REZ~ #43301. Who'd fake being me anyway?
I hadn't been to the site AT ALL.. applied the workaround, went to the site and it was blocked... then restarted Firefox and lo and behold there I was staring at a false PayPal.
Anyone know how to make it stick?
-- D-23994, Muff#2613
Forgot that /. eats some stuff... the "absent" bit in the "docsource" should be
;
& # 1072
without any spaces.
[hits self with preview button]
~REZ~ #43301. Who'd fake being me anyway?
How are links like this rendered in Slashdot? Oh, from the preview it looks like they just plain break, never mind. Guess Slashcode doesn't implement this feature, either.
... it's an authentication problem
This problem is not a software bug. Short of disabling the feature, I don't see a way of fixing the problem in the client software. I mean, I don't see a software patch (or even a standards modification) fixing the problem.
What it is, is a problem exacerbated by complexity. People speak different languages around the world, often multiple languages. That rules out an ASCII-centric solution. Even rewriting the standards wouldn't help; the problem boils down to protecting people from themselves, or at least from human cognition flaws.
Any solution would have to be a process solution. Specifically, the process determining that you are who you say you are. The current process for doing this is flawed for the average person. Your average person is just going to click through warnings which he or she doesn't understand.
http://www.binrev.com/forums/index.php?showtopic=10662
There's more info on how it works and why it works.
I'm very against the name Schmoo. There's just no way to efficiently respond to them dismissively. For instance:
"Slashdot, Schmashdot."
"Schmoo, Schmoo"
Just doesn't have the same ring to it.
I'm a big tall mofo.
You can use privoxy or any other filtering proxy to fix this for any browser. Unfortunately SSL still goes through. For privoxy place this pattern in the {+block} section of user.action file: .xn--*.*/
This will block all of the xn-- domains until it is fixed in Firefox.
Alex
As I see it, it is not a bug. International Domain Names have been a standard for a while already. The only problem is that some Unicode characters look exactly like some UTF-8 characters and because of that, people can be "cheated".
But who needs IDNs??
In Mozilla/Firefox and maybe also in Thunderbird (if you download the about:config extension) IDNs can be disabled by using the about:config thingie.
Open your Gecko based browser and type "about:config" (without the quotes) and hit return. Search for "network.enableIDN" (without the quotes) and set it to "false" (without the quotes).
--
Max
When you go to a secure page Firefox highlights the URL yellow.
When you go to a page with anything but ordinary ASCII characters perhaps it could highlight the URL blue, or red, or something...
455fe10422ca29c4933f95052b792ab2
Dammit, I wish I'd listened to those open-source hippies now! I now realise that the open-source model allows quick and easy patching to occur almost instantaneously; the vulnerability was only "just" discovered.
0. someone should've been paying attention when Verisign- the self-proclaimed "leeders" in Internet security- signed a code-signing certificate for Microsoft.... for someone who wasn't Microsoft.
1. people shouldn't be entering credit card or login information into a page that they clicked on from an email.
2. unicode should've been arranged by glyph similarity instead of by script family.
3. people shouldn't cry about having a domain name "in their script." - domain names are _supposed_ to be easy to type, and easy to remember. IDNs are neither to people foreign to that script, and often, neither to people even USING that script.
4. people should've been less afraid of bookmarks.
This sig donated to Pater. Long live
Take that, all you folks who like to stay on the "bleeding edge".
As noted by several others, this does not work. Spoofstick shows you as being on www.paypal.com and provides no warning of the fake site.
Not amazing, but a way to see what exactly the evil Ukrainian(?) 'a' is.. paste the URL into a term or something that doesn't support those chars:
p\u0430ypal.com
Also, checking this out now on Firefox on FreeBSD at home, it is indeed noticeable to (me, a geek); however at the con on a Mac OS X laptop with (I think Firefox, could have had Safari open) it was not at all noticeable, unless you would copy and paste the URL into a term.
HAHAHAHA! Look at that -- your open standards and peer reviewed code is no match for our closed source, proprietary, slow bug fixing, embracing and extending, spyware enabling crapfeast!
Here you go. This is Linux-centric but a similar method should work in Windows, just use PKZip or WinZip or whatever:
1. Download the xpi to your hard drive rather than install it (right click on the "install" link and save). Put it in a temp directory.
2. Open a shell window and cd to the temp directory where you stored the xpi.
3. Unzip the xpi, then delete the .xpi file.
4. cd into the directory it created, called "chrome".
5. Unzip spoofstick.jar, then delete spoofstick.jar.
6. cd into the directory that unzip made, called "content".
7. Edit spoofstick.css as needed with your favorite text editor. Perhaps something like .size1 set to 9 pt, .size2 set to 12 pt, and .size3 set to 14 pt.
8. cd back one dir and type "zip -r spoofstick.jar".
9. Delete the "content" directory and its contents.
10. cd back one dir and type "zip -r $HOME/Desktop/spoofstick.xpi *"
11. Fire up Firefox and remove the old spoofstick installation, then restart the browser.
12. In the URL window, type "file:///home/[yourusername]/Desktop/spoofstick.xpi" and press Enter or click "Go".
13. After it installs, restart Firefox and spoofstick will be there at your new point sizes, and you can click "Options" to set color, etc.
14. Voila! You're done.
It's a good trick, but it isn't perfect. Char #1072 looks almost like a lower-case 'a', but it does not match. Example
Granted, this may only be with the particular font that I'm using, but I'd be willing to bet it's like that in most fonts.
LiveHeaders on FF correctly reports that the HOST is not paypal.com
Looks like I'll have to use that to double check now. Still safer than IE.
I am also using Firefox under Linux and when I go to either link there is a big wide dice like thing in the URL replacing the "a" in Paypal.com. It does not look even vaguely like a normal paypal.com URL. The big dice like thing in the URL is twice as wide and twice as tall as any normal character. I did not need to look close to see it.
I sometimes see those same oversize "dice" like things when I am using Google under Firefox and some of the results have URLs with those non-ASCII foreign characters that do not display properly. Each of those characters always gets replaced by the oversize dice like thing. I am using Firefox 1.0 and installed it from a Slackware package for Slackware 10.0 Linux. Is it possible that when that package was compiled they only included support for ordinary ASCII characters? Or perhaps when I installed Slackware I might have somehow not chosen to include support for foreign alphabets.
Was it just me who pasted that link to check for dodgy characters? (https://update.mozilla.org/extensions/showlist.php?application=firefox&version=1.0&os=Windows&category=Privacy%20and%20Security)
I think my tin foil hat is plotting against me.
I am curious, though, how the certificate authority of the SSL site would respond, and what their liability would be, to the people fleeced by the hypothetical scam.
I appreciate the efforts of the people who discovered and publicized this trick, but I'm standing pat with Mozilla. No way am I using MSIE unless I have to!
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
KDE's Konqueror browser actually gives you a popup warning that the ssl certificate does not match the IP address that it is being issued from, then you have to choose to accept the certificate in order to continue
once more into the breach
The Unicode consortium has a paper on this and a suggested fix:
http://www.unicode.org/reports/tr36/tr36-1.html
The fix is to "process domain names to convert compatibility-equivalent characters into a unique form;". Opera 8 beta already does this.
If you bookmark one of these spoofed sites in Firefox the bookmark carries the false name with it. If a site were to place a bunch of false banksite bookmarks in your bookmark list you would never know.
Chances are the average home user would think that it's great that all these links are already created for them...
14 steps? When most people see that, they'll resort to drink out of despair instead of step 1. Then, even if they need a 12 step program to recover, they've saved a step over your method.
You all said firefox was secure.
A user clicks on an innocent looking link thinking they will get the latest and greatest Firefox extension. If the link *appears* to go to the place they believe then they might just do that instead of typing the URL...
I apologize for being unclear. I was not suggesting that Firefox could do this through the update mechanism.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
When I write www.paypal.com in my address bar in Opera 7.54, I am redirected to what appears to be https://www.paypal.com.
But what I find strange is that in the email address field, the address Im@an.idiot.com is already filled in. This does not happen in IE. What's up with that? Anybody else get the same result?
Generally, these are tools (run as a regular user) to gain root access by exploiting things on the local box that are not accessible via the network. Especially programs running with the suid bit (cron anyone?)
If you run linux you will normally see many frequent security patches to protect *local* programs from just such exploits.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
http://shit.slashdot.org/article.pl?sid=05/02/07/1323206
You can just change network.allowIDN -> false in all.js and restart your browser for a lasting effect...
Support of IDN is important. Whatever it is, IE's lack of IDN by default is a real flaw. I, for example, really want to use my own language's characters in domain names. I can blame IE for lagging this adoption. Thanks FX and Opera for having support for IDN by default and trying to change the Internet from being US-centric.
Worked for me! It wasn't that hard.
The state of homograph attacks
I. Background
International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.
Remember kids, only modern browsers are impacted.
On that note, I'll go back to what I was doing with my care-free surfing on Windows for Workgroups 3.11. :)
Is there an option in Firefox to simply disable IDN?
Don't you just love it how because this is Firefox/Mozilla you guys look for anything to defend your mighty browsers... 'Look! A three pixel difference... everyone can see that... look, look!'
However if it were IE "Stupid Microsoft, crappy software, get firefox you morons."
There is no point sticking your head in the sand when these come up and pretending that there aren't holes in Firefox/Mozilla/Linux/OSX etc. etc. There are, of course there are...
And am I a Microsoft zealot? No... I'm typing this in my favourite browser Firefox...
The problem seems to come from the ability to make domain names have one or two characters from a different language set.
For example (from an example I saw in a post here):
www.p using the English alphabet
a using a different set that looks similar
ypal.com using the original character set
Why not require that the URLs must be of all one set or another? Someone may not notice the A isn't quite the same, but if the whole URL were also in the separate set it would be a lot easier to notice. If one char is a different set, the entire string should be using that set. Any reason why it shouldn't be "all or nothing"?
Also if this is considered a browser exploit then using should also be listed as a browser exploit.
I have often discussed with my students in classes (mostly Gov. network admins) that while getting away from Microsoft software in many cases is going to greatly decrease your security risks, it won't actually eliminate it. What the Mozilla group can do now to show corporate folks the strength of opensource, is to quickly produce a patch for the problem. That will be telling to those who have been waiting for extended periods of time with unpatchable holes in IE / Windows.
Umm, is this transformatively any different than this?
I use lynx for about 75% of my browsing since I mainly go online to read text (instead of looking at all the pretty pictures and ads).
I also use Firefox 1.0 with Slackware 10.0 and get an abnormal looking URL. It has a large dice like character where the "a" should be in Paypal.com. The large square dice like character is twice as large and tall as any other character in the URL. It looks like this:
"https://www.p[LargeDiceLikeCharacter]ypal.com/"
I am using the 2.4.26 version of the kernel in Slackware 10.0. I also get large dice like characters whenever I accidentally go to foreign webpages which have non-ASCII characters in them.
I also occasionally get spam with dice like characters in the URL or the main text of the message.
Funny you should mention that! One of their people is speaking at RSA.. Oh look and on stopping phishing!
Security for Real People
Phillip Hallam-Baker
"Security must be end-to-end." "A system is only as secure as its weakest link." "Bad security is worse than no security." Many Internet security experts repeat this sage advice. Unfortunately, none of it is true. This presentation will examine and expose the fashionable nonsense that is the real cause of Internet insecurity.
Anyone want to pay $1895 to go ask awkward questions??
I'm stuck on a win2k box at work but i think i've found an immediate workaround on at least windoze platforms, may work for others...
I brought up the display properties by right clicking on the desktop. selected the appearance tab and selected the 'message box' and changed the font to Fixedsys, applied and now when i mouse over to the url, the url on the status bar clearly shows that the a looks different. this is on a 1kx768 display on an 18" lcd.
now if i can only find a font that doesn't scream at me i'll be happy until there's a proper fix. will try and test this on linux and solaris when i get a chance.
I guess other troublesome cyrillic characters include U+0435 ("es", looks like small e), U+043e (looks like small o), U+0440 ("er", looks like small p, derived from greek letter "rho"), U+0441 ("es", looks like small c), U+0443 ("u", looks like small y), U+0445 ("ha", looks like small x), U+0455 ("dze", looks like small s).
Other spoofing candidates are from the latin extended region, for example U+0131 (dotless i) and some characters with accents that are rendered too small to see clearly on screen, for example, double grave or inverted breve.
The IPA extensions also provide some candidates: U+0251 (an alternative latin a without the top hook); U+0261 (alternative latin small g).
Okay, I get tired of enumerating the possibilities. Rather than trying to be a karma whore, I just want to point out for the last thing that vast majority of Chinese unicode has already suffered this problem. When unicode produced unified CJK characters, they admitted some variants of ideograph that only have minor difference (perhaps some are in the main unified section and some in the compatibility section). It's impossible to tell the difference in small point sizes. The reason why those characters have so many variants in the first place is because they're both structurally complex and frequently used. Also, there is a separate section for CJK radicals. Some radicals are valid ideographs, appearing twice in unicode.
I once had a signature.
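The code points enumerated in the comment above, the earlier suggestion to run domain names through normalization form KC, and the question of what xn--pypal-4ve.com actually decodes to all come down to looking at a label one code point at a time. The following is an added example, not code from the thread or from any browser vendor: it uses only the Python standard library to Punycode-decode an ACE label, list its code points, apply NFKC, and classify the label. The hostnames in the demo are the one quoted in the thread plus constructed ones built from the Cyrillic, fullwidth and IPA code points named in the comments; the small LATIN_LOOKALIKES table is a constructed stand-in for the UTS #39 confusables data, limited to the code points the comment lists. Nothing here resolves or connects to anything.

```python
"""Added example (not from the thread): defender-side inspection of an
IDN label with the Python standard library only."""
import unicodedata

ACE_PREFIX = "xn--"

# Constructed stand-in for the UTS #39 confusables table, limited to the
# Latin-extended / IPA code points the comment above names.  These pass
# both the script test and NFKC, which is why a lookalike table is needed.
LATIN_LOOKALIKES = {
    "\u0131": "i",   # LATIN SMALL LETTER DOTLESS I
    "\u0251": "a",   # LATIN SMALL LETTER ALPHA
    "\u0261": "g",   # LATIN SMALL LETTER SCRIPT G
}


def decode_label(label):
    """Unicode form of one DNS label; ACE (xn--) labels are Punycode-decoded."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def to_ace(host):
    """The wire form a resolver sees (IDNA ToASCII, nameprep included)."""
    return host.encode("idna").decode("ascii")


def code_points(label):
    """['U+0070 LATIN SMALL LETTER P', 'U+0430 CYRILLIC SMALL LETTER A', ...]"""
    return ["U+%04X %s" % (ord(ch), unicodedata.name(ch, "<unnamed>"))
            for ch in label]


def nfkc(text):
    """Normalization form KC: folds compatibility characters such as
    fullwidth letters, but does NOT unify letters of different scripts."""
    return unicodedata.normalize("NFKC", text)


def script_of(ch):
    """Crude script classifier: the first word of the character's Unicode
    name (LATIN, CYRILLIC, GREEK, ...).  A real check would use the
    Unicode Script property; this is enough to separate alphabets."""
    if not ch.isalpha():
        return "COMMON"          # digits, hyphen, etc.
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def scripts_in(label):
    return {script_of(ch) for ch in label} - {"COMMON"}


def verdict(host):
    """Classify a hostname as 'mixed-script', 'compatibility-chars',
    'latin-lookalike' or 'ok'.  Each label is NFKC-folded first, so a
    fullwidth letter is reduced to its ASCII form before the script test."""
    for label in host.split("."):
        raw = decode_label(label)
        folded = nfkc(raw)
        if len(scripts_in(folded)) > 1:
            return "mixed-script"
        if folded != raw:
            return "compatibility-chars"
        if any(ch in LATIN_LOOKALIKES for ch in folded):
            return "latin-lookalike"
    return "ok"


def inspect_hostname(host):
    labels = [decode_label(l) for l in host.split(".")]
    return {
        "unicode": ".".join(labels),
        "ace": to_ace(".".join(labels)),
        "code_points": code_points(labels[0]),
        "verdict": verdict(host),
    }


if __name__ == "__main__":
    for host in ("xn--pypal-4ve.com",      # quoted in the thread
                 "www.paypal.com",          # genuine ASCII name
                 "\uff50aypal.example",     # constructed: FULLWIDTH p
                 "p\u0251ypal.example"):    # constructed: IPA alpha
        info = inspect_hostname(host)
        print(host, "->", info["verdict"], "(wire form:", info["ace"] + ")")
        for cp in info["code_points"]:
            print("   ", cp)
```

Run it and the first host prints U+0430 CYRILLIC SMALL LETTER A in the second position with the verdict mixed-script, while the fullwidth label is caught only because its NFKC form differs from the raw label. The dotless-i / IPA family is the honest gap: those are Latin letters with no compatibility decomposition, so neither test fires and only a confusables table catches them.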
How does this affect Jabber, which also uses IDN?
Note that this was discussed three years ago on the IDN mailing list.
Regardless of languages that have IMEs for them that happen to be compatible with a plain latin keyboard, there are still thousands of characters in Unicode that are hard to use.
And I'm not talking about some rare ideographic script used by the lip-stretching tribes of the Amazon. I'm talking about mathematics, currencies, phonetics, arrows, line/box drawing, dingbats, etc.
People aren't using these characters because they're nearly impossible to enter practically. And in fact, the dead keys on western european keyboards are limited to the combinations found in Latin1. So while I can enter 'â' with '^a', I can't do it with a 'y', even though this character exists (U+0177).
There is a need for better input methods, beyond 'smart quotes' or replacing hyphens with em/en-dashes based on context. I wrote my own program so I could type a friend's name properly with an 's' in it. Typing it with a plain 's' wasn't the end of the world, but it's not ideal either. In the majority of western languages, accents are not considered to alter the base letter, but are considered to form an entirely new letter. Imagine reading an english text where one of the vowels has been replaced by another.
hm that's really a nice one. It just works exactly as it should, but the way it works itself is a bad thing... :)
I can't even think of a workaround that will help everywhere. Even adding a note that this domain is an IDN one won't help because, hey, it's just a matter of time until there's some company that uses strange characters on purpose (especially here in Germany...). And they will be open to the same exploit...
DOES NOT WORK! Deception Central - saying it protects when it doesn't! Though you should write an extension that takes care of the restart problem.
This one DID require me to restart the browser.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
I have to pat Shmoo Group on the back for this one. Most people don't realize that IE isn't really that bad. Also a lot of people think Firefox is god, but they don't know why. Thank you again guys for all your work
Am I the only one that wants to domain squat all of the obvious permutations of this to prevent fraud? Hopefully the pace of the phishing world stays slower than Firefox patches. I am unfamiliar with IDN but made up this domain in about 2 seconds after doing a view source of the Shmoo page. So any uncreative simp could use any citybank, bankofamerica...any URL with bank and thus an opening for the "magic" a. Not to mention what someone who knows what's up with IDN could do.
Phishing ebay. Seriously, how long before this is either a valid phishing link or an educational page about clicking dumb spam mails?
I see that slashdot's URL parser has messed up my example, saving the day like an IE incompatibility error? If you view source, put the link in an HTML file locally replacing the eb/ with eb&
It's not a valid site as of 11:50PM CST 2/7/2005 but you get the idea.
I just tried the page, http://www.p/?ypal.com/ is what I got as a link. I felt left out so I tried firefox, and it got fooled. I just keep getting left out when it comes to security exploits on my mac.
Loser. IE gets bashed, MS gets bashed, BillG gets bashed and you'll get bashed for not getting over that fact.
The cranky old guy down the street will give up after step 0.5, get a virus on his computer, declare that computers suck, won't care that his computer is now a zombie in danger of infecting other's computers, and will either keep using his infected computer or throw it out. If it is not easy to use for the average guy on the street (or in the office), they either won't do it or won't use it. People on Slashdot will go way beyond what the average cranky guy down the street will do because we happen to like fiddling around with computers, and they just want to use them.
-- I ignore anonymous replies to my comments and postings.
In Konqueror, the URL can be spoofed; however, when I try to use the SSL paypal.com, a warning pops up that the certificate does not match (The IP address of the host www.paypal.com does not match the certificate it was issued to).
:P
:)
At least Konqueror gives me a warning, Firefox doesn't care
An error occurred while loading https://www.pypal.com/:
Could not connect to host www.pypal.com.
Yay for Konqueror!!!!!
...show the characters not in your national character set as a different foreground/background color combination. Something even the colorblind could make out, like invert colors or invert-and-shift-a-bit or something.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
I've posted an advisory/fix for this vulnerability on: http://www.scovettalabs.com/advisory/SCL-2005.002.txt
You can add a bit of code to the "autoconfig" script that will filter out the bad characters (actually, they'll only allow good characters).
I'm using this workaround myself, and it's pretty fast, almost un-noticeable, and should work for any sites that attempt to exploit this.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
I'm sure someone else has already posted this link - IDN Spoofing Workaround
Workaround: This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (Common profile locations).
Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so
Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
On Windows:
Close Mozilla...
edit C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\default.q0hcompreg.dat
replace all instances of idn-service;1 with idn-service;0
Set compreg.dat to Read Only
Open Mozilla
fixed.
A potential fix (or at least partial fix) for any browser that supports IDNs could be as follows:
When a user browses a bookmarked or frequently visited domain a 'star' (or some other simple symbol) appears at the end of the URL (or next to where the SSL padlock icon appears in the browser). The user could now easily identify that they are indeed browsing on one of their favoured websites. The browser itself is able to know this because it can grab a list of domains from the user's bookmarks and look in the user's history to see frequently accessed domains, for example sites accessed on more than 10 separate occasions (this figure could be set to something more suitable, it is just an initial guess at a good figure).
If you are a Paypal user for example you are likely to have Paypal bookmarked or at the very least you will probably visit it regularly. If some website or email links to a fake Paypal then when the site loads the star will be missing from the address bar field since it will be the first time you have used this fake site. Hence it is easy for the user to see something is wrong. Hopefully users would get used to the idea that their favourite sites always display a star in the address bar, so this would start to become obvious.
Maybe it would require educating the users about what the star is and why it appears there but this had to be done when the SSL padlock was first added to the browser. I reckon people would pick this up in no time.
I have suggested this on the Opera forums (I'm an Opera user). I may also suggest it on some of the Mozilla forums. Even if Firefox/Mozilla did not make it default perhaps someone could create a plugin (which is currently beyond me).
I have had some criticisms of the idea. For example someone pointed out that the first time you visit a new safe website no star would be present. Also, not all people use bookmarks extensively. My response has generally been along these lines:
When you first visit a site you don't know if you can trust the site anyway. I'm usually cautious of new sites the first few times. I am that little bit more nervous about giving them personal data or credit card information hence I check the site out more carefully. I bet most people are the same. Furthermore after you have come back and used that site a few times and hence presumably are happy with it, it would move to one of your most frequently visited sites (or you might even bookmark it). After this point a star would display.
Regarding bookmarks, it is true that many people don't use bookmarks and in the age of Google you might even say why bother, but many people do, and if people knew that by bookmarking a site they could later verify it was the same site they had been to previously they may be willing to start bookmarking again, even if only for financial sites. Instead of bookmarking (or even in addition to bookmarking) you might also have the option of clicking on a button to say, "remember this as a known domain name"; from that point on it would also show a star.
Another thought was that "you'd have to be careful as to what you count as hits to prevent sites from tricking the user into a couple of hits to their website, or some javascript to loop pages". I'm thinking of sites being automatically added only after a user has visited them on 10 separate days.
It does not solve all issues but it makes it a damn sight easier to pick out when you are on a fake version of one of your favourite sites, which is the main issue as far as I can tell. Also, it requires little user effort (worst case, you do the one time action of bookmarking the sites you are worried might be spoofed).
Finally an extra advantage of this method is that it helps prevent other types of spoofing, for example when fraudsters substitute ASCII characters (e.g. '0' for 'o').
Anyway if you think it is a good idea feel free to spread it around as a suggestion to anyone who you think might be influential in development of any of the popular browsers. Or anyone good at writing plugins!
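A sketch of the "known domain" star check proposed in the comment above, as an added example that is not the commenter's code nor any browser's; the bookmark list, the history records and the "10 separate days" threshold are constructed here for illustration. It uses Node's WHATWG URL parser, which converts IDN labels to their xn-- form, so a homograph host never compares equal to the real one.

```javascript
// Added example: decide whether the address bar should show the star.
// Sample data below is constructed, not taken from any real browser profile.

// Canonical host of a URL: lowercase, with any IDN labels in punycode form.
function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// bookmarks: array of saved URLs.
// history: array of {url, date} visit records, date as "YYYY-MM-DD".
// minDays: distinct calendar days a host must have been visited on
//          (the comment's suggested figure is 10); many hits on one day,
//          as a reload loop would produce, count as a single day.
function isKnownDomain(url, bookmarks, history, minDays = 10) {
  const host = hostOf(url);
  if (bookmarks.some((b) => hostOf(b) === host)) return true;
  const days = new Set();
  for (const visit of history) {
    if (hostOf(visit.url) === host) days.add(visit.date);
  }
  return days.size >= minDays;
}

// Constructed profile: one bookmark, one site used on 12 separate days,
// and one site hit 50 times within a single day.
const BOOKMARKS = ['https://www.paypal.com/'];
const HISTORY = Array.from({ length: 12 }, (_, i) => ({
  url: 'https://news.example.net/story/' + i,
  date: '2005-02-' + String(i + 1).padStart(2, '0'),
}));
for (let i = 0; i < 50; i++) {
  HISTORY.push({ url: 'https://burst.example.org/', date: '2005-02-20' });
}
```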
If anyone is interested, this browser vulnerability does not work against OmniWeb, the third party browser for OS X. While it does display the spoofed URL in the PayPal example, it reveals the true server name in the title bar. OmniWeb also displays the true server name in the new "TSG" examples posted by the author.