Shmoo Group Finds Exploit For non-IE Browsers
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.
How am I supposed to fit a pithy, relevant quote into 120 characters?
I'm surprised to hear that Microsoft's refusal to adopt international standards in their browser actually thwarts a potential phishing attack rather than aiding it. If the problem can't be fixed in the browsers, maybe email clients and websites can find some way of decoding, detecting, and disabling such links. Are phishers going to bother trying to use this exploit if it works on less than 10% of their potential victims?
You are in error. No-one is screaming. Thank you for your cooperation.
Serves those Internet Explorer users right! They should immediately switch to ... uh, wait. Nevermind.
I'm a big tall mofo.
This isn't per se a browser fault, it is more of a flaw in the IDN system.
At least we can bash FF instead of IE now.
Damnit... now I'm switching back.
This would actually appear to be a flaw in the Punycode standard rather than the browsers themselves, given that all IDN (internationalized domain name) aware browsers similarly fail.
Looks like someone may have to fix Punycode. Then we can update the browsers. In the meantime perhaps Opera, Firefox, etc. can give some kind of visual notification when Punycode is used, in the same way the URL turns yellow when a secure URL is entered in Firefox.
If you "View Source" for some weird reason the real address shows up in the title bar.
I have a theory that the truth is never told during the nine-to-five hours. - Hunter S. Thompson
I was personally there. The demonstration of the IDN spoofing at Shmoocon was hands down very disturbing. This will open new possibilities for fraud and phishers unless something is done about it. I suggest browsers point out when mixed-language characters are used in URLs; this may help mitigate this severe issue.
-caes
This is a good reason why we should just force all nations in the world to adopt a single language, English.
Erm of course... if I was French, I would just sed 's/English/French/' that last sentence and you wouldn't mod me -1 Flamebait.
I can remember discussions about it years ago. I'd bet there may even be a /. article about it, although it's not really worth searching to see.
This was a big part of the criticism around supporting larger character sets in domain names.
in an entry in Michael Kaplan's blog last month. That in turn mentions this entry which talks about spoofing filenames using a similar method.
In the future, all spacecraft will be made of cheese.
From the text:
.. eventually.
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be making any changes.
Mozilla: Working on finding a good long-term solution; provided clear workaround for disabling IDN.
So, Opera won't fix it? They have a proof of concept, and Opera believe their implementation is correct? Maybe, but they still need to provide an update, and something tells me they will
Ok, it doesn't work in IE... so when will the patch be released? I mean... it is IE, the exploits HAVE to work. Microsoft should be worried, they are not doing their job properly.
Seriously, it's been known for years that adding international character sets was going to cause the problem of multiple identical (or almost identical) characters.
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
Combination - fun iPhone puzzling
Except when implemented in their own country code namespace of course.
There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.
Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
IE wasn't relevant to this article, yet you found a way to wedge it in and smear it regardless.
The browsers the exploit WAS found for weren't even mentioned by name, yet IE was.
How is this anything except nasty propaganda?
The 'fix' they mention (setting network.enableIDN to false via about:config) only works until you restart the browser - when you reopen the browser, things are back to the same even though the setting is still false..
Since I haven't got any half-decent Cyrillic fonts installed, the "homographs" don't look remotely the same on this machine.
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.
Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)
One man's -1 Flamebait is another man's +5 Funny.
This is defeated as well. Normally, you see the real domain name in Spoofstick under Firefox on Windows. As another poster stated, you do indeed briefly see the real URL in the status bar.
The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
IE is safer because it doesn't support a feature? Don't worry, I'm sure the plug-in will be installed with the next security update!
Taking guns away from the 99% gives the 1% 100% of the power.
Hmm.. hiding exploits so that you can take your sweet time getting the fixes done? Do you work for Microsoft?
"Propaganda" being anything someone says that you do not like. Mentioning IE is quite relevant. My first thought on reading such a thing is its status in regards to MSIE. Also, in case you have not heard before, MSIE has a reputation for being subject to such exploits in the past.
Don't blame Durga. I voted for Centauri.
I've confirmed that konqueror is vulnerable. Anyone know how to disable this in konqueror?
If you had super powers, would you use them for good, or for awesome?
I thought this was a well-known attack -- using Unicode characters that look like latin but aren't. As more and more web sites start accepting unicode in user names without policing, I think we'll find more interesting applications for this type of attack.
This is not that different from "spoofing" using this address:
http://www.paypaI.com I.e. replacing the lower-case L with an upper-case i. (except that paypai.com happens to be taken already, by an annoying site that maximizes the browser window no less.)
Security through inutility
Links is unaffected - it goes to the real paypal site.
-------
Warning: Slashdot may contain traces of nuts.
Here in Mozilla there's a little difference in the "ay" of "paypal". It's so hard for a user to see in the browser window that I'm scared. IE is not exploitable this time; maybe it's time for the IE developers to celebrate one victory.
http://www.michel.eti.br
Don't you think that "Shmoo Group Finds Exploit in IDN domain names" would have been more informative?
Alas, "Shmoo Group Finds Exploit For non-IE Browsers" is more likely to catch people's attention.
What a world!
The following sentence is true. The preceding sentence was false.
If I copy/paste the link into Notepad it just looks right. And if I copy/paste it back into Firefox I get the "spoofed" page back again.
next:
Trolls can have a couple of days fun on slashdot.
And Verisign can sell a lot of domains to phishers. (profit!)
This can apply to any time anyone says anything. However, in practice, the word "propaganda" is only used when someone does not like being said. It is similar to "rhetoric" in this regard.
Don't blame Durga. I voted for Centauri.
In Mozilla for Mac OS 9 I get p?ypal.com, pretty obvious to me. Not that I don't want to use something newer than Mozilla 1.21, just that Mac OS is no longer supported. (OS X is though.)
"Enjoy what you're doing! If it becomes drudgery, you're doing it wrong!" - Jim Butterfield
So, are people grateful that Unicode's Unified CJK has prevented thousands of similar phishing possibilities? Guess.
echo 33676832766569823265328479713269.8639857989Pq | dc
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
I think you're on the right track here.
Perhaps the best approach is to use a different font/different color for particular ranges of characters, or characters outside of one's locale setting, so e.g. if my locale is Germany, and Cyrillic or French accent-grave or what have you characters are loaded, then display that character in bold, or in red, or what have you. Also, tint the background of the URL pink or something, so if the offending character is scrolled off the end of the URL field, the user still gets a visual clue that something is wrong.
I'm sure there are other possibilities, like putting a little warning at the top whenever characters are in the URL that are strikingly similar to characters in the default locale OR standard ASCII, specifying what the character is and perhaps stating something like "http://spo0furl.com IS NOT THE SAME as http://spoofurl.com".
The Future of Human Evolution: Autonomy
Comments like this worry me. We really have to be careful about letting our guard down just because Firefox is more secure. The whole point of the article is that the exploits DO exist.
On one hand, we (the /. community) love to talk about how Firefox's market share is growing quickly but then minimize potential problems. So how is this problem 'less dangerous than some IE exploits'?
Don't get me wrong, I'm all about Firefox, but we can't get lazy.
It is certainly relevant to mention the browser that is used the overwhelming majority of the time if you are talking about browsers, even if it is just to mention that it is not affected.
Don't blame Durga. I voted for Centauri.
This brings up the amusing problem of character recognition by human and non-human intelligences. Douglas Hofstadter discusses this issue in on seeing A's and seeing As.
In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or an in-browser warning system that analyses the potential for ambiguity and alerts the user.
Two wrongs don't make a right, but three lefts do.
Actually, they didn't find anything. They demonstrated how the IDN character support could be used to trick users. A virtually identical demonstration can be found in the original paper/advisory. Thanks for the FUD, slashdot editors.
Furthermore, whether this is actually an exploit or not remains a subject of debate, as is evident from Opera's response ("It's implemented properly"). Fact remains that people can be fooled, though.
Trying the SSL link with Konqueror, it popped up an invalid certificate dialog box, which is at least some warning that all is not well.
They're what I get in my basement when the sump pump fails.
The higher the technology, the sharper that two-edged sword.
With phishing on the rise, this is a major problem. Let's hope Apple and the others can address it quickly. When you combine this problem with the ability for imposter emails to have a link that looks like an address to, for example, paypal, but that really goes to another site, the potential for phishing scams is substantial. Indeed that Mail.app (and other non-text-only mail programs, not just Apple's nor just Mac OS X) flaw ought to be recorded somewhere as a security flaw so it would be addressed. Recently I've received two fairly realistic bogus emails that purported to be from ebay and had fake URLs that led to an obviously-not-an-ebay-URL site (once you got there), but if they had taken advantage of this IDN flaw too, they could much more easily trick people into thinking it was legit.
It seems to me that the Mail.app flaw could easily be addressed by having a check to make sure that any link with anything that looks like a URL in the text of message matches with the actual link, and if it doesn't, putting up a warning when you click on it, displaying the actual URL and asking for verification that you want to visit it, noting that it may be a scam.
--- What?
What does it take to be "systematic"? Perhaps just by saying something twice. I am glossing over nothing. Time and time again, the term "propaganda" is used to mean nothing more than something someone says that someone does not like, and perhaps would see censored.
I recently was in a long discussion in which my opponent demanded that the government censor media outlets that express what he termed to be "propaganda". He only reserved this term for arguments and opinions that he did not like. Arguments that are identical in factuality, tone, and other aspects, but were different in political content he called "reasoned arguments."
Don't blame Durga. I voted for Centauri.
Hemos, please change it now before the wrong impression is given. If IE were to have implemented this, they surely would be vulnerable too.
It's merely a "trick".
Anyone should know better than to base their trust on being on a particular, secure web page only on the address shown in the address bar! Everyone should know that they shouldn't access secure web pages from external links.
If you write "Pope" on your forehead, do you think people will believe you're the pope? And by the way, funny that for once, the lack of a functionality actually "saves" IE, for one of the biggest security concerns is ActiveX...
This will probably lose me major karma for going against groupthink, but the statement that "The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable." does seem ridiculously biased.
While it may be technically true, it's like suggesting Firefox is susceptible to IE's infamous ActiveX vulnerabilities, just because there's an ActiveX plugin for Firefox too. Everyone is quick to jump on MS when there's new IE exploits, but we've got to accept that this seems to be one they got right. Making excuses about plugins doesn't really change that.
And, as usual, Slashdot puts a negative spin on a piece that would otherwise put Microsoft in a positive light. Come on guys, I could say that FireFox was vulnerable to VBScript security holes if someone wrote a VBScript addon for it.
It's intentional that there are multiple glyphs that look the same, but represent different characters in Unicode. (for sorting order, spell checking, etc.)
So you just need to work off of that strength, and flag when someone's mixed any two groups of characters. (I'm not sure what the official Unicode name is for them ... the different sets assigned to each language or function).
Anyway, you start with the assumption that a domain name is going to contain only characters from one of those groups, and you report if it's otherwise. Now, there are still problems with people not looking closely, and confusing 'resume.com' with 'résumé.com' or something similar, but you'll fix the problems with identical glyphs.
The important thing to do is to not assume that ASCII is the only 'good' form, as that would make it rather english-centric (I'm not sure what other languages can map all of their characters into ASCII)
Build it, and they will come^Hplain.
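The mixed-script check this post proposes (flag a domain whose labels draw on more than one group of characters, while letting single-script names such as ingeniøren.dk or résumé.com through), written out as an added Python example; it is not code from this thread or from any browser. The standard library does not expose the Unicode Script property, so the first word of each character's Unicode name (LATIN, CYRILLIC, ...) stands in for it, which is an approximation I am assuming here. The sample hostnames are constructed; the Cyrillic one is the thread's paypal homograph.

```python
import unicodedata

# Characters that belong to no script and are legal in any hostname label.
SCRIPT_NEUTRAL = set("0123456789-.")


def script_of(ch: str) -> str:
    """Approximate a character's script from its Unicode name.

    Names start with the script ('LATIN SMALL LETTER A',
    'CYRILLIC SMALL LETTER A'), so the first word is a usable stand-in
    for the Script property, which the standard library does not expose.
    """
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split()[0]


def scripts_in_label(label: str) -> set:
    """Return the set of scripts used by one hostname label."""
    return {script_of(ch) for ch in label if ch not in SCRIPT_NEUTRAL}


def classify_hostname(hostname: str) -> str:
    """Classify a hostname the way the post suggests:

    'ascii'         - plain ASCII, nothing to flag
    'single-script' - non-ASCII, but every label uses one script
    'mixed-script'  - some label mixes scripts (Latin 'p' + Cyrillic 'а' + Latin 'ypal')
    """
    if hostname.isascii():
        return "ascii"
    for label in hostname.lower().split("."):
        if len(scripts_in_label(label)) > 1:
            return "mixed-script"
    return "single-script"


# Constructed sample hostnames and the verdict each should get.
SAMPLES = {
    "www.paypal.com": "ascii",
    "www.p\u0430ypal.com": "mixed-script",    # U+0430 CYRILLIC SMALL LETTER A
    "ingeni\u00f8ren.dk": "single-script",    # ø is Latin, so it passes
    "r\u00e9sum\u00e9.com": "single-script",  # accented Latin also passes, as the post notes
    "\u044f\u043d\u0434\u0435\u043a\u0441.\u0440\u0444": "single-script",  # all Cyrillic
}


if __name__ == "__main__":
    for host, expected in SAMPLES.items():
        verdict = classify_hostname(host)
        print(f"{host!r:30} {verdict:14} (expected {expected})")
```

The name-prefix heuristic treats compatibility forms such as FULLWIDTH letters as their own "script", so in practice the label should be NFKC-normalized before this check runs; the check also deliberately does nothing about look-alikes within one script (the post's résumé.com case), which is why the thread's other suggestions, such as a visual cue for any non-ASCII character, remain relevant.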
Here in Scandinavia, the letters Å, Æ, Ø are actually quite new. It is acceptable to spell them as AA, AE and OE respectively on non-Scandinavian keyboards. With IDN addresses now becoming available, you constantly have to remember which spelling is used on which website. It would be a hell of a lot more practical if only the 26-letter alphabet was used and software would automatically expand ingeniøren.dk to ingenioeren.dk. This way you could use whatever you want. And websites will not be too happy about using special characters, because it makes them almost impossible to reach on non-Scandinavian computers.
10 ?"Hello World" life was simple then
every time a URI contains more than one writing system: if you've got the same URI with both Cyrillic and Latin in the domain name, pop up a question mark, and even add in (maybe by default?) a pref to disable opening URIs with multiple writing systems in the domain name.
I, honestly, fail to understand how this is a "bug" -- domain name may look like it is valid, having characters embedded in it that are from a different code page. I believe there was a story a year or more ago about spoofing of microsoft.com with first 'c' actually being Russian letter 's' that looks like latin 'c'.
Quite frankly, I always thought that IDNs are a Bad Idea: they will create more ambiguity and the benefits (domain names in your own language!) are very much questionable... Do tell me how I am going to type in a Chinese or Japanese domain name if I don't have the keyboard layout (not to mention that I may not even know *how* to input all these glyphs...).
--AP
This is why we should just stick with IBM's 8 bit extended ASCII characters.
Who needs Cyrillic when you have all those lines and stuff? And the cent symbol?
Quidquid latine dictum sit, altum sonatur.
People who routinely hit sites outside of their "local setting" will get used to www.paypal.com showing up in red.
Perhaps:
The url has a pink background if the url is 100% characters outside of your locale.
The url has a bright RED background if the url is composed of characters from multiple sets.
Also, put a bright red, flashing fish icon (or the phrase "possible phishing site") in the upper left (by the magic circle of dots) or somewhere on the bottom bar when a site uses questionable links (as in your spo0furl.com example).
Spoofstick is a useful tool, too. I don't know if it protects against this particular attack, but it's good for the casual browser (i.e., mom/aunt gert/the cranky old guy down the street who always asks for computer help) to help protect against phishing.
Browsers should display non-ASCII characters in URLs / statusbar in a different colour, bold, flashing or some other distinctive way. eg. They could display p<font color="red">a</font>ypal.
Rich.
libguestfs - tools for accessing and modifying virtual machine disk images
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity?
I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others lives miserable.
Can't that intelligence be put to good use and make software that competes with the big guys? I know you are smart, esp if you can crack that stuff. I can't, and I'm considered smart by my peers.
Please fill me in on this.
Thanks
i.e.
Doesn't work so well now, does it?
This fact (IMHO) is more dangerous than not being able to make the setting at all. At least with Safari (et al) I know that I always have to be vigilant, instead of being lulled into a false sense of security.
Clearly, Firefox has a major BUG in it. Fortunately, they seem to be pretty quick to fix these sort of things.
"terrorism" and "pedophilia" are the root passwords to the Constitution
Unicode character 0x0456 is a Cyrillic character which usually uses the same glyph as the latin lowercase I. That would be a much better substitution than the inverted exclamation mark:
<a href="http://www.mіcrosoft.com/">Microsoft!</a>
don't need the source. They edit the binary with a hex-editor.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
That's because they use HTML entities to disguise the characters. If they were really smart, they'd have used a unicode encoding like UTF-8 and used plain characters all the way. Then even the source would look normal. The whole script collision thing has been known for a long time. The only way to fix it is to restrict the sets of characters that can be used to register internationalized domain names. E.g. restrict them to characters from one script only.
lol, "people"?, most of us are still trying to find a browser that *understands* (read supports) HTML properly.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Because only color-blind users should be the victims of phishing scams.
And because grandma is sure to notice that one letter, in a part of the screen she doesn't usually look at, is a different color. Just tell her to check every letter of every URL she goes to.
Not that I've got a lot of better solutions. I can imagine a patch that pops up a warning for suspicious-looking URLs, but dialog boxes are lousy security.
I can definitely see eliminating IDN, but that's hardly fair to the 95% of the users in the world who aren't American.
Still, in general I should caution you about using color as an important indicator in your software design. The world is full of color-blind (and blind) users who deserve your consideration. Not only will it help them out, it'll help out your normally-sighted users who will appreciate stronger cues than color.
I'm planning on taking an airplane flight in 7 years, and am already taking classes on aeronautics, history of flight, airplane engineering, and am enrolled in the technical school for airplane building and maintenancy.^H^H
Uh-oh, looks like my "delete" key stopped working again. Must need another .5 ohm resistor, with a diode overlay. I'll do that as soon as I'm done casting the waterpump for my car.
If you don't know what AltaVista is (was), get off my lawn.
>The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
Well, if we're going to disregard them on those grounds, we might as well disregard ActiveX exploits too (since FireFox doesn't support it). An exploit is an exploit. Don't play the game of justification.
p.s. I use Firefox.
Although not a Linux, Windows, or Mac vulnerability, it could become one.
If the site spoofed were a trusted site for Firefox extensions they could get some code to execute on the box. They could package a root kit and take control of a Linux or Mac, or use the buffer overflow du jour to take control of a Windows machine. Granted, Linux would be the most difficult due to the large variation of distros (and each distro differs in opinion on where files belong), compiler options, etc.
For a truly secure OS, you should remove all applications and just run the OS in its pure state.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Has anyone checked to see if this exploit is possible in the recent 1.0.1 builds? Presumably they contain security fixes... perhaps for this issue among whatever others exist.
This seems to be more of a bug in Unicode than in the browsers. Unicode has defined multiple character codes as having the exact same glyph. I thought we'd already run into this in Unicode with multiple long representations of the same character, decided it was a bad thing and corrected it by making any representation longer than the shortest illegal. Shouldn't we do the same thing here, and simply make it illegal to have multiple character codes appearing as the same glyph?
Can anyone please tell me why people "hack" or "phish" or anything that is used for malicious activity? I'm not trying to start an argument, I seriously want to know why some people spend so much time trying to make others lives miserable.
Money.
Think for a minute why it would be beneficial to the bad guys to have people logging into their site with valid PayPal usernames and passwords.
I don't think the average person types in URLs that much, especially not to sites they don't know or visit often. You just Google it.
However on the subject of typing: the real problem is that typing foreign characters is insanely hard in every OS out there. If you have a US keyboard, you're out of luck completely. Luckily my keyboard has 'dead' keys which allows me to put several types of accents on various letters, but it still doesn't help me with e.g. an Å.
Typically all you have is some dumb character map which you have to hunt through, and which is buried somewhere deep. That's why I wrote an IME-like app which pops up a small in-place dynamic character map with a keystroke. It allows you to select characters based on a 'base' character. See http://www.acko.net/blog/sprankle. Sure it's Windows-only and it doesn't work on apps that do weirdo stuff with keyboard input, but I blame the Win32 API. It's GPL'd though, so you are free to port it to one of the 'superior' OSes that Slashdot likes.
hitting the page with netcat shows the rather obvious buggering of the URL.
;)
GUI's are for Mac users
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Hey Sherlock - what do you suppose was the purpose of my message? Was it to report the flaw in Safari? Or was it to report the flaw in Mail.app and many other mail programs on many platforms, that in concert with the Safari/Firefox/Opera flaw makes for a heady brew, and to note one possible, and easy, fix for it? No such flaw is noted on secunia.com, in fact there is no Mail.app listing on that site at all. Perhaps it is noted elsewhere, but I haven't been able to find it. Nor do I see it mentioned in the /. article, but maybe I'm just not enough of a Sherlock to find it there?
--- What?
Unicode range U+2500 - U+257F, box drawing: http://www.unicode.org/charts/PDF/U2500.pdf
Enjoy.
Lol, no.
Dashboard Widgets
...but I have long suspected that there was a simple hack; I read about different URL encoding support, and realised that an 'a' character can be a multitude of actual encodings, and this would allow you to register a name with a similar lexical morphology.
I thought even of using small accented characters (paypal with ^ on the a's), but this obviously uses a's designed to carry an accent, but doesn't specify an accent.
There are probably hundreds more ways you can register a site that is 100% different to a computer, but 100% the same to a human.
tsk
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
We could just only show the character codes.
;)
It wasn't that long ago that ALL computer users had to (de facto) memorize the ASCII character set, and be able to read it in hex or decimal. Stepping up from 7 bits to 16 (Unicode) or 24 (UTF-8 encoding of Unicode) should be a big deal. It's just a few orders of magnitude. Of course, users of the Latin character sets will have it easy
----- If communism is a system where the government owns business, what do you call a system where business owns govern
There is already a fix for this IDN problem in the unicode spec, if people would just use it:
Before resolving, all domain names should be normalized according to normalization form KC. (see http://www.unicode.org/unicode/reports/tr15/) Once that's done, anything that looks like an "a" really will be an "a", and not something that looks identical in Cyrillic.
That simple (SIMPLE!) step would avoid this problem, almost completely. There'd still be an issue with people using "paypál" instead of "paypal", but at least then the user has some vague chance of seeing the difference in the URL in the browser window.
It would also be good if responsible registrars refused to accept domain registrations for domains not normalized according to NFKC, but asking companies to refuse business simply because someone else would get hurt is probably not going to be effective.
IE is not affected. Also, Netscape Navigator and Mosaic are not affected.
I don't understand why
== http://www.xn--pypal-4ve.com
Can someone explain.. thanks
Doesn't seem to work with mine. It says www.paypal.com but the ssl one also says www.paypal.com which is actually incorrect.
AHA! This finally proves that internet explorer is a HUGE security risk and should not... erm.. oh darn!
A bad analogy is like a leaky screwdriver.
I'd be very wary about putting in a flashing fish icon. Mostly because phishermen would be able to test their urls to find out if they've managed to make one that doesn't match the phishing profile.
Then users would think "well the fish didn't flash so i'll be safe".
I have windows 2000 with unicode support enabled. And guess what? The attack also fools IE.
Using Firefox 1.0 on XP, if I do "view source" it shows the correct header: "Source of: http://xn--pypal-4v3.com/"
But who does that on every page? Easier to disable IDN.
AHHHHHHH! I'm burning with goodness again!
- Reakk, Sluggy Freelance
All the browser people have to do is run the domain name through nameprep prior to Punycode-ing it. It's not that hard - it isn't as though there aren't dozens of implementations of Unicode normalization form KC around.
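The normalization step described in the two posts above (NFKC-normalize every domain name before resolving it, and run it through nameprep before Punycode-encoding), as an added Python example that uses only the standard library's 'idna' codec (whose nameprep includes NFKC) and unicodedata; it is not code from this thread or from any browser or registrar. The hostnames below are constructed; the Cyrillic one is the thread's paypal homograph and encodes to the xn--pypal-4ve label quoted elsewhere in the thread. The example also surfaces the caveat a defender needs: NFKC folds fullwidth letters and combining sequences onto their canonical forms, but Cyrillic а (U+0430) is itself a canonical character and survives normalization unchanged, so normalization alone does not collapse that homograph and a separate mixed-script check is still required.

```python
import unicodedata


def nameprep_nfkc(label: str) -> str:
    """Unicode Normalization Form KC, the step the posts above call for.

    Folds compatibility characters (fullwidth letters, ligatures,
    decomposed accent sequences) onto their canonical equivalents.
    """
    return unicodedata.normalize("NFKC", label)


def to_ascii(hostname: str) -> str:
    """IDNA ToASCII: nameprep (which applies NFKC) and then Punycode, per label.

    Python's 'idna' codec implements the IDNA2003 algorithm the browsers in
    this thread used; a label that is all ASCII after nameprep is returned as-is,
    otherwise it comes back as an xn-- label.
    """
    return hostname.encode("idna").decode("ascii")


def to_unicode(ace_hostname: str) -> str:
    """The reverse: decode xn-- labels back to the Unicode a browser would display."""
    return ace_hostname.encode("ascii").decode("idna")


def normalization_resolves(genuine: str, lookalike: str) -> bool:
    """True when NFKC/nameprep maps the lookalike onto the same wire form as the
    genuine name, i.e. when normalization alone defeats that spoof."""
    return to_ascii(genuine) == to_ascii(lookalike)


# Constructed sample hostnames.
GENUINE = "www.paypal.com"
FULLWIDTH = "www.\uff50\uff41\uff59\uff50\uff41\uff4c.com"  # FULLWIDTH LATIN SMALL LETTERs
CYRILLIC = "www.p\u0430ypal.com"                            # U+0430 CYRILLIC SMALL LETTER A
COMBINING = "www.payp\u0061\u0301l.com"                    # 'a' + U+0301 COMBINING ACUTE


if __name__ == "__main__":
    for host in (GENUINE, FULLWIDTH, CYRILLIC, COMBINING):
        wire = to_ascii(host)
        print(f"{host!r:42} -> {wire:26} same as genuine: "
              f"{normalization_resolves(GENUINE, host)}")
```

Run stand-alone, the fullwidth name normalizes to the genuine ASCII name and the combining-accent name composes to a single accented letter, while the Cyrillic name is encoded unchanged to www.xn--pypal-4ve.com: a registrar or browser that only normalizes, as the post proposes, catches the first two kinds of lookalike but not the third.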
I run all internet requests through DansGuardian and Squid via transparent proxy. DansGuardian caught this as a malformed URL and told me.
While the first link fools Konqueror, the second link (ssl https: connection) makes it freak out, prompting a nice warning box stating that the certificates don't match:
"The IP address of the host www.pypal.com does not match the one the certificate was issued to."
It's quite frightening that firefox (or Opera) doesn't actually sound the alarm after checking the certificates.
Hack your mind out of its sandbox.
Why not just edit spoofstick.css, to change all three font sizes to whatever you want. Change small to 9 point, for instance. Of course, it won't really decrease the size of the extra panel. The makers should put it in the status bar, like the makers of other extensions do.
Who doesn't run their internet through a proxy these days?
While my browser may be vulnerable, the page never makes it past the proxy (squid):
ERROR
The requested URL could not be retrieved
While trying to retrieve the URL: http://www.www.p%D0%B0ypal.com/
The following error was encountered:
* Invalid URL
Some aspect of the requested URL is incorrect. Possible problems:
* Missing or incorrect access protocol (should be `http://'' or similar)
* Missing hostname
* Illegal double-escape in the URL-Path
* Illegal character in hostname; underscores are not allowed
RFC2119
Solution: Goto: http://www.mozilla.org/developer/
(no spoofing in here, just plain text ;) )
At the bottom of the page there's a section called (Nightly Builds); download the file for your OS, and it should work now (don't forget to check the setting again in about:config -> network.enableIDN)
Tried on the Windows release, and worked fine (even after browser restart) ... Good luck !!!
I think what you mean is every modern browser other than IE. Us lynx users are safe!
ReadThe ReflectionEngine, a cyberpunk style n
hack i've ever seen.
not that i've seen that many.
[turns and pisses in the corner]
Why don't you just start typing in your URIs from now on?
Slashdot has covered this problem before.
This sig is umop apisdn.
And at least in GNOME, that version is extremely difficult to tell apart from the real one, and on other OSes with better font rendering, it's identical as it should be.
If there is a bunch of state information in the url copy/paste the url into your address bar, hit "type-over" mode, and re-type the host name and you should be ok.
The designers and implementers of IDNA knew this. I implemented IDNA in ICU and ICU4J. Please see the demo [oss.software.ibm.com]. This demonstrates a way to alert the users of possible spoofing.
no, i don't understand the deep inner workings of my pharmaceuticals... but then, there aren't hordes of cracker bastards incessantly trying to steal my identity through my medicine cabinet!
also, i just wanted to point out that for once IE came out on top for being so far behind...
Don't just talk, donate to Mozilla/Firefox security effort!
I found iCab 2.9.8 and OmniWeb 4.5 appear to be immune to the exploit. It does successfully fool Safari, Firefox and Opera, though.
I don't think this guy knows how.
-- I ignore anonymous replies to my comments and postings.
spoofstick is fooled by this exploit too it seems
Where "sees" means "displays it this way on the status line":
:)
Netscape 3.04 sees http://www.p?ypal.com/ -- looks the same in docsource
OffByOne 3.4a sees http://www.p0ypal.com/ -- looks the same in docsource
K-Meleon 0.9 sees http://www.p?ypal.com/ -- looks like http://www.pypal.com/ in docsource
IE 5.00.2314.1003 (yes, minor builds can make a *big* difference in how IE displays stuff) sees it as http://www.paypal.com/, but the "a" is about half normal size (this is at 1024x768). Docsource as IE feeds it to notepad looks like http://www.pypal.com/
Mozilla 1.5 sees it exactly the same as IE5.00 (above), including docsource
AOLpress (HTML editor with built-in browser) sees it exactly the same as OffByOne (above), including docsource
Netscape 4.50 sees http://www.p?ypal.com/ but displays http://www.pypal.com/ in docsource
Firebird 0.7 sees it exactly the same as Moz 1.5 and IE5.00 (above), including docsource
And Mosaic 0.9 can't figure out WHAT to do with the page and wants to save it to disk.
At this point, I ran out of installed browsers.
~REZ~ #43301. Who'd fake being me anyway?
I hadn't been to the site AT ALL.. applied the workaround, went to the site and it was blocked... then restarted firefox and lo and behold there i was staring at a false paypal.
anyone know how to make it stick?
-- D-23994, Muff#2613
Forgot that /. eats some stuff... the "absent" bit in the "docsource" should be & # 1072 ; without any spaces.
[hits self with preview button]
~REZ~ #43301. Who'd fake being me anyway?
How are links like this rendered in Slashdot? Oh, from the preview it looks like they just plain break, never mind. Guess Slashcode doesn't implement this feature, either.
... it's an authentication problem
This problem is not a software bug. Short of disabling the feature, I don't see a way of fixing the problem in the client software. I mean, I don't see a software patch (or even a standards modification) fixing the problem.
What it is, is a problem exacerbated by complexity. People speak different languages around the world, often multiple languages. That rules out an ASCII-centric solution. Even rewriting the standards wouldn't help; the problem boils down to protecting people from themselves, or at least from human cognition flaws.
Any solution would have to be a process solution. Specifically, the process determining that you are who you say you are. The current process for doing this is flawed for the average person. Your average person is just going to click through warnings which he or she doesn't understand.
I'm very against the name Schmoo. There's just no way to efficiently respond to them dismissively. For instance:
"Slashdot, Schmashdot."
"Schmoo, Schmoo"
Just doesn't have the same ring to it.
I'm a big tall mofo.
You can use privoxy or any other filtering proxy to fix this for any browser. Unfortunately SSL still goes through. For privoxy place this pattern in the {+block} section of user.action file: .xn--*.*/
This will block all of the xn-- domains until it is fixed in firefox.
Alex
As I see it, it is not a bug. International Domain Names have been a standard for a while already. The only problem is that some Unicode characters look exactly like some UTF-8 characters and because of that, people can be "cheated".
But who needs IDNs??
In Mozilla/Firefox and maybe also in Thunderbird (if you download the about:config extension) IDNs can be disabled by using the about:config thingie.
Open your Gecko based browser and type "about:config" (without the quotes) and hit return. Search for "network.enableIDN" (without the quotes) and set it to "false" (without the quotes).
--
Max
When you go to a secure page Firefox highlights the URL yellow.
When you go to a page with anything but ordinary ASCII characters perhaps it could highlight the URL blue, or red, or something...
455fe10422ca29c4933f95052b792ab2
0. someone should've been paying attention when Verisign- the self-proclaimed "leeders" in Internet security- signed a code-signing certificate for Microsoft.... for someone who wasn't Microsoft.
1. people shouldn't be entering credit card or login information into a page that they clicked on from an email.
2. unicode should've been arranged by glyph similarity instead of by script family.
3. people shouldn't cry about having a domain name "in their script." - domain names are _supposed_ to be easy to type, and easy to remember. IDNs are neither to people foreign to that script, and often, neither to people even USING that script.
4. people should've been less afraid of bookmarks.
This sig donated to Pater. Long live
As noted by several others, this does not work. Spoofstick shows you as being on www.paypal.com and provides no warning of the fake site.
Not amazing, but a way to see what exactly the evil ukrainian(?) 'a' is.. paste the URL into a term or something that doesn't support those chars:
p\u0430ypal.com
Also, checking this out now on firefox on freebsd at home, it is indeed noticeable to (me, a geek) however at the con on a mac osx laptop with (i think firefox, could have had safari open) it was not at all noticeable, unless you would copy and paste the URL into a term.
Here you go. This is Linux-centric but a similar method should work in Windows, just use PKZip or WinZip or whatever:
1. Download the xpi to your hard drive rather than install it (right click on the "install" link and save). Put it in a temp directory.
2. Open a shell window and cd to the temp directory where you stored the xpi.
3. Unzip the xpi, then delete the .xpi file.
4. cd into the directory it created, called "chrome".
5. Unzip spoofstick.jar, then delete spoofstick.jar.
6. cd into the directory that unzip made, called "content".
7. Edit spoofstick.css as needed with your favorite text editor. Perhaps something like .size1 set to 9 pt, .size2 set to 12 pt, and .size3 set to 14 pt.
8. cd back one dir and type "zip -r spoofstick.jar content".
9. Delete the "content" directory and its contents.
10. cd back one dir and type "zip -r $HOME/Desktop/spoofstick.xpi *"
11. Fire up Firefox and remove the old spoofstick installation, then restart the browser.
12. In the URL window, type "file:///home/[yourusername]/Desktop/spoofstick.xpi" and press Enter or click "Go".
13. After it installs, restart Firefox and spoofstick will be there at your new point sizes, and you can click "Options" to set color, etc.
14. Voilà! You're done.
It's a good trick, but it isn't perfect. Char #1072 looks almost like a lower-case 'a', but it does not match. Example
Granted, this may only be with the particular font that I'm using, but I'd be willing to bet it's like that in most fonts.
LiveHeaders on FF correctly reports that the HOST is not paypal.com
Looks like I'll have to use that to double check now. Still safer that IE.
Was it just me who pasted that link to check for dodgy characters?
(https://update.mozilla.org/extensions/showlist.php?application=firefox&version=1.0&os=Windows&category=Privacy%20and%20Security)
I think my tin foil hat is plotting against me.
I am curious, though, how the certificate authority of the SSL site would respond, and what their liability would be, to the people fleeced by the hypothetical scam.
I appreciate the efforts of the people who discovered and publicized this trick, but I'm standing pat with Mozilla. No way am I using MSIE unless I have to!
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
KDE's Konqueror browser actually gives you a popup warning that the ssl certificate does not match the IP address that it is being issued from, then you have to choose to accept the certificate in order to continue
once more into the breach
A user clicks on an innocent looking link thinking they will get the latest and greatest firefox extension. If the link *appears* to go to the place they believe then they might just do that instead of typing the url...
I apologize for being unclear. I was not suggesting that firefox could do this through the update mechanism.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
Generally, these are tools (run as a regular user) to gain root access by exploiting things on the local box that are not accessible via the network. Especially programs running with the suid bit (cron anyone?)
If you run linux you will normally see many frequent security patches to protect *local* programs from just such exploits.
----- If communism is a system where the government owns business, what do you call a system where business owns govern
You can just change network.allowIDN -> false in all.js and restart your browser for a lasting effect...
Support of IDN is important. Whatever it is, IE's lack of IDN by default is a real flaw. I, for example, really want to use my own language's characters in domain names. I can blame IE for delaying this adoption. Thanks FX and Opera for having support for IDN by default and trying to change the Internet from being US-centric.
Is there an option in Firefox to simply disable IDN?
Don't you just love it how because this is Firefox/Mozilla you guys look for anything to defend your mighty browsers... 'Look! A three pixel difference... everyone can see that... look, look!'
However if it were IE "Stupid Microsoft, crappy software, get firefox you morons."
There is no point sticking your head in the sand when these come up and pretending that there aren't holes in Firefox/Mozilla/Linux/OSX etc. etc. There are, of course there are...
And am I a Microsoft zealot? No... I'm typing this in my favourite browser Firefox...
The problem seems to come from the ability to make domain names have one or two characters from a different language set.
For example (from an example I saw in a post here):
www.p using the English alphabet
a using a different set that looks similar
ypal.com using the original character set
Why not require that URLs must be all of one set or another? Someone may not notice the A isn't quite the same, but if the whole URL were also in the separate set it would be a lot easier to notice. If one char is from a different set, the entire string should be using that set. Any reason why it shouldn't be "all or nothing"?
Also if this is considered a browser exploit then using should also be listed as a browser exploit.
I have often discussed with my students in classes (mostly Gov. network admins) that while getting away from Microsoft software in many cases is going to greatly decrease your security risks, it won't actually eliminate it. What the Mozilla group can do now to show corporate folks the strength of opensource, is to quickly produce a patch for the problem. That will be telling to those who have been waiting for extended periods of time with unpatchable holes in IE / Windows.
Umm, is this transformatively any different than this?
I guess other troublesome cyrillic characters include U+0435 ("es", looks like small e), U+043e (looks like small o), U+0440 ("er", looks like small p, derived from greek letter "rho"), U+0441 ("es", looks like small c), U+0443 ("u", looks like small y), U+0445 ("ha", looks like small x), U+0455 ("dze", looks like small s).
Other spoofing candidates are from the latin extended region, for example U+0131 (dotless i) and some characters with accents that are rendered too small to see clearly on screen, for example, double grave or inverted breve.
The IPA extensions also provide some candidates: U+0251 (an alternative latin a without the top hook); U+0261 (alternative latin small g).
Okay, I get tired of enumerating the possibilities. Rather than trying to be a karma whore, I just want to point out for the last thing that vast majority of Chinese unicode has already suffered this problem. When unicode produced unified CJK characters, they admitted some variants of ideograph that only have minor difference (perhaps some are in the main unified section and some in the compatibility section). It's impossible to tell the difference in small point sizes. The reason why those characters have so many variants in the first place is because they're both structurally complex and frequently used. Also, there is a separate section for CJK radicals. Some radicals are valid ideographs, appearing twice in unicode.
I once had a signature.
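The nameprep-then-Punycode suggestion earlier in the thread, the "all or nothing" single-script rule proposed above, the privoxy `.xn--*.*/` block and the look-alike code points enumerated in this comment all reduce to the same check on a host name. The script below is an added example in Python; it is not code from any poster, from Mozilla or from the Shmoo Group. It decodes Punycode labels with Python's built-in `idna` codec (which applies nameprep on encoding), flags labels that mix scripts, and folds the thread's look-alike code points into an ASCII "skeleton" so a spoof can be compared against the name it imitates. The `CONFUSABLES` table is constructed only from the code points named in the thread, and classifying a character's script by the first word of its Unicode name is a heuristic assumption of this example, as are the `spoofs` and `report` helper names.

```python
"""Added example (not from the thread): decode Punycode hosts, flag
mixed-script labels, and compare look-alike skeletons against a trusted name."""
import unicodedata

# Constructed look-alike table from the code points named in the thread.
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the Shmoo example)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I
    "\u0251": "a",  # LATIN SMALL LETTER ALPHA (IPA)
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G (IPA)
}


def to_ascii(host: str) -> str:
    """Unicode host -> ACE form with 'xn--' labels, as a browser sends to DNS.
    Python's idna codec runs nameprep (NFKC + case folding) on each label."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """ACE host -> Unicode form, i.e. what an IDN-aware address bar displays."""
    if not host.isascii():
        return host  # already Unicode, nothing to decode
    return host.encode("ascii").decode("idna")


def label_scripts(label: str) -> set:
    """Heuristic (assumption of this example): the script of a character is
    the first word of its Unicode name, e.g. 'LATIN' or 'CYRILLIC'.
    Digits and hyphens are script-neutral and ignored."""
    scripts = set()
    for ch in label:
        if ch.isdigit() or ch == "-":
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(label: str) -> bool:
    """The 'all or nothing' rule: one label drawing on more than one script."""
    return len(label_scripts(label)) > 1


def skeleton(text: str) -> str:
    """Normalize and fold, then replace each look-alike with its ASCII twin."""
    folded = unicodedata.normalize("NFKC", text).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def spoofs(host: str, trusted: str) -> bool:
    """True when `host` displays like `trusted` but is a different name."""
    shown = to_unicode(host)
    if shown.casefold() == trusted.casefold():
        return False
    return skeleton(shown) == skeleton(trusted)


def report(host: str) -> dict:
    """Findings a filtering proxy or address-bar check could act on.
    'idn_labels' is exactly what the privoxy .xn--*.*/ pattern keys on."""
    shown = to_unicode(host)
    ace = to_ascii(shown)
    return {
        "display": shown,
        "ace": ace,
        "idn_labels": [l for l in ace.split(".") if l.startswith("xn--")],
        "mixed_script_labels": [l for l in shown.split(".") if is_mixed_script(l)],
        "has_lookalikes": any(ch in CONFUSABLES for ch in shown),
    }


if __name__ == "__main__":
    # Constructed input: the Shmoo-style spoof with a Cyrillic a (U+0430).
    spoof = "www.p\u0430ypal.com"
    print(report(spoof))
    print("spoofs www.paypal.com:", spoofs(spoof, "www.paypal.com"))
```

The two checks are deliberately separate: the Cyrillic-a spoof trips the mixed-script rule, but an IPA alpha (U+0251) in "pɑypal" is classified as Latin and passes it, and is only caught by the skeleton comparison. A pure-Cyrillic label such as "сор" likewise passes the script rule while folding to "cop", which is why a display warning on script mixing alone is not sufficient.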
How does this affect Jabber, which also uses IDN?
Note that this was discussed three years ago on the IDN mailing list.
Regardless of languages that have IMEs for them that happen to be compatible with a plain latin keyboard, there are still thousands of characters in Unicode that are hard to use.
And I'm not talking about some rare ideographic script used by the lip-stretching tribes of the Amazon. I'm talking about mathematics, currencies, phonetics, arrows, line/box drawing, dingbats, etc.
People aren't using these characters because they're nearly impossible to enter practically. And in fact, the dead keys on western european keyboards are limited to the combinations found in Latin1. So while I can enter 'â' with '^a', I can't do it with a 'y', even though this character exists (U+0177).
There is a need for better input methods, beyond 'smart quotes' or replacing hyphens with em/en-dashes based on context. I wrote my own program so I could type a friend's name properly with an 's' in it. Typing it with a plain 's' wasn't the end of the world, but it's not ideal either. In the majority of western languages, accents are not considered to alter the base letter, but are considered to form an entirely new letter. Imagine reading an english text where one of the vowels has been replaced by another.
hm that's really a nice one. It just works exactly as it should, but the way it works itself is a bad thing... :)
I can't even think of a workaround that will help everywhere. Even adding a note that this domain is a IDN one won't help because, hey, it's just a matter of time until there's some company that uses strange characters on purpose (especially here in germany...). And they will be open to the same exploit...
This one DID require me to restart the browser.
A great many people think they are thinking when they are merely rearranging their prejudices. -- William James
I have to pat Shmoo Group on the back for this one. Most people don't realize that IE isn't really that bad. Also a lot of people think Firefox is god, but they don't know why. Thank you again, guys, for all your work.
Am I the only one that wants to domain squat all of the obvious permutations of this to prevent fraud? Hopefully the pace of the phishing world stays slower than Firefox patches. I am unfamiliar with IDN but made up this domain in about 2 seconds after doing a view source of the schmoo page. So any uncreative simp could use any citybank, bankofamerica...any url with bank and thus an opening for the "magic" a. Not to mention what someone who knows whats up with IDN could do.
Phishing ebay Seriously how long before this is either a valid phishing link or an educational page about clicking dumb spam mails?
I see that slashdot's URL parser has messed up my example, saving the day like an IE incompatibility error? If you view source, put the link in an HTML file locally replacing the eb/ with eb&
It's not a valid site as of 11:50PM CST 2/7/2005 but you get the idea.
I just tried the page, http://www.p/?ypal.com/ is what I got as a link. I felt left out so I tried firefox, and it got fooled. I just keep getting left out when it comes to security exploits on my mac.
The cranky old guy down the street will give up after step 0.5, get a virus on his computer, declare that computers suck, won't care that his computer is now a zombie in danger of infecting other's computers, and will either keep using his infected computer or throw it out. If it is not easy to use for the average guy on the street (or in the office), they either won't do it or won't use it. People on Slashdot will go way beyond what the average cranky guy down the street will do because we happen to like fiddling around with computers, and they just want to use them.
-- I ignore anonymous replies to my comments and postings.
In Konqueror, the URL can be spoofed, however, when I try to use the SSL paypal.com, a warning pops up that the certificate does not match (The IP address of the host www.paypal.com does not match the certificate it was issued to).
:P
:)
At least Konqueror gives me a warning, Firefox doesn't care
An error occurred while loading https://www.pypal.com/:
Could not connect to host www.pypal.com.
Yay for Konqueror!!!!!
...show the characters not in your national character set as a different foreground/background color combination. Something even the colorblind could make out, like invert colors or invert-and-shift-a-bit or something.
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
I've posted an advisory/fix for this vulnerability on:
http://www.scovettalabs.com/advisory/SCL-2005.002.txt
You can add a bit of code to the "autoconfig" script that will filter out the bad characters (actually, they'll only allow good characters).
I'm using this workaround myself, and it's pretty fast, almost un-noticeable, and should work for any sites that attempt to exploit this.
Wer mit Ungeheuern kämpft, mag zusehn, dass er nicht dabei zum Ungeheuer wird. --Nietzsche
I'm sure someone else has already posted this link - IDN Spoofing Workaround
Workaround: This can be worked around by disabling IDN support. To do this, you will have to edit compreg.dat, which is located in your Firefox profile directory (Common profile locations).
Open this file with a text editor which understands the line endings in it, such as Wordpad (or your favourite text editor on other platforms), and comment out all lines containing IDN by adding # at the start of the line. For example:
# {4byteshex-2byteshex-2byteshex-2byteshex-6byteshex},@mozilla.org/network/idn-service;1,,nsIDNService,rel:libnecko.so
Note that you will have to repeat this edit if you install any themes or extensions, as compreg.dat gets regenerated.
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
On Windows:
Close Mozilla...
edit C:\Documents and Settings\%username%\Application Data\Mozilla\Firefox\Profiles\default.q0h\compreg.dat
replace all instances of idn-service;1 with idn-service;0
Set compreg.dat to Read Only
Open Mozilla
fixed.
This