Shmoo Group Finds Exploit For non-IE Browsers 621
shut_up_man writes "Saw this on Boing Boing: East coast hacker con Shmoocon ended today and they had a nasty browser exploit to show off... using International Domain Name (IDN) character support to display fake domain names in links and the address bar. Their examples use Paypal (with SSL too) and this looks very useful for phishing attacks. Interesting note that it works in every browser *except* IE (which makes this exploit a lot less dangerous in the end, I suppose)." The reason IE isn't vulnerable is because it doesn't natively support IDN; with the right plug-in, it too is vulnerable.
Are phishers going to bother with this, though? (Score:5, Interesting)
Shmoocon IDN Demo (Score:1, Interesting)
-caes
Known for years.... (Score:5, Interesting)
On the other hand, no-one really seems sure of the best way to fix it... One option is obviously to mark somehow when non-ASCII characters are used, but while this will help the people who only want ASCII URLs, it will still leave the problem for everyone who wants to use this extended system, making it effectively useless....
IDNs were a bad idea anyway (Score:4, Interesting)
There are so many characters that look alike, that it is trivial to register a domain name that will look the same as another one. Typically the different character would only be recognised by a native that used that character, although using it alongside normal English characters would probably throw them off as well.
Solution? Maybe an "IDN" icon in the URL bar, or a warning if an IDN uses a mixture of normal English characters with some foreign characters in an IDN.
Not Lynx (Score:4, Interesting)
It doesn't seem to work with Lynx, either. The URLs are obviously different from what they're supposed to be, and they don't point to any site at all.
Lynx does try the URL, though, so it may be possible to set up another domain to catch it, but the URL would still be obviously wrong (something like p%a%y%p%a%l.com)
Re:Another IDN bug on Firefox (Score:2, Interesting)
Look at the source, it's obvious there
Visual cues could be more refined than that (Score:3, Interesting)
I think you're on the right track here.
Perhaps the best approach is to use a different font/different color for particular ranges of characters, or characters outside of one's locale setting, so e.g. if my locale is Germany, and Cyrillic or French accent-grave or what have you characters are loaded, then display that character in bold, or in red, or what have you. Also, tint the background of the URL pink or something, so if the offending character is scrolled off the end of the URL field, the user still gets a visual clue that something is wrong.
I'm sure there are other possibilities, like putting a little warning at the top whenever characters are in the URL that are strikingly similar to characters in the default locale OR standard ASCII, specifying what the character is and perhaps stating something like "http://spo0furl.com IS NOT THE SAME as http://spoofurl.com".
Re:Opera won't fix it? (Score:2, Interesting)
In this case, why not introduce a warning popup if the domain name contains a unicode letter that looks like a normal ASCII letter.
Effort? One lookup table of "bad" unicode letters and a small if-statement before opening a link...
Douglas Hofstadter: When an A is not an A (Score:5, Interesting)
In the case of this exploit, a deep flaw in IDN and computer fonts means that character #1072 is rendered typographically as an "a". The irony is that this is one of the few cases in which a computer can readily tell the difference between "a" and #1072 and a person cannot. The only solution would be rules that prohibit isomorphic characters in typefaces or an in-browser warning system that analyses the potential for ambiguity and alerts the user.
Flag mixing character groups. (Score:3, Interesting)
So you just need to work off of that strength, and flag when someone's mixed any two groups of characters. (I'm not sure what the official Unicode name is for them
Anyway, you start with the assumption that a domain name is going to contain only characters from one of those groups, and you report if it's otherwise. Now, there are still problems with people not looking closely, and confusing 'resume.com' with 'résumé.com' or something similar, but you'll fix the problems with identical glyphs.
The important thing to do is to not assume that ASCII is the only 'good' form, as that would make it rather English-centric (I'm not sure what other languages can map all of their characters into ASCII)
Re:notepad (Score:3, Interesting)
Re:Another IDN bug on Firefox (Score:3, Interesting)
Then again...I have a nice little solution (quite by accident, in fact it's just due to me not bothering to sort my configuration out) anyway: any character sets not installed (all except the default) show up as a funny little square where the characters would normally be. I'd say that it's a pretty good giveaway when I've got http://www.p[]ypal.com (or thereabouts) showing in the address bar...
Re:Spin again (Score:2, Interesting)
By making browsers an issue in the headline, there could be an immense amount of spin generated from this, where there didn't need to be any. Anybody who reads only the headline will think an entirely different thing from someone who actually reads the comments and gets a perspective.
To give an example of this that swings the other way, do you remember that announcement of the SP2 vulnerability in the stack overflow checking or something like that, that happened a week-or-so ago? And then Microsoft later said that no exploits have been found for it? That's the kind of thing that this headline can induce, because there is no perspective.
Re:Opera won't fix it? (Score:3, Interesting)
That's strange; I just tried it (in FF/1.0) and it remembered the setting and still had the site fail. Now the site still does render as "http://www.paypal.com/" in the status bar, but when I click on it I get a message saying "http://www.paypal.com/ was not found".
This is one case where I like that Linux's font support is not perfect. On the Mac the 'a' and the 'a' are indistinguishable, while here the latter is short and squat.
Re:Another IDN bug on Firefox (Score:2, Interesting)
It showed:
Re:Another IDN bug on Firefox (Score:3, Interesting)
Reckon spyware coders will implement this in their programs now so it'll work in MSIE.
Re:notepad (Score:2, Interesting)
I'd like to know your definition of 'troll'. In this case, it looks like Microsoft got something right and everybody else got it wrong. In fact, the fix for Firefox is to make it behave like IE (disable support for IDN). I'm guessing anybody who makes mention of this is a troll. I've only been modded down one time, and it was for saying something negative about Firefox [slashdot.org] even though it was completely true. I just recently got modded up for saying something negative about Microsoft [slashdot.org]. I would tell you what I think about that but I'd probably get modded down for that.
Re:Another IDN bug on Firefox (Score:4, Interesting)
Re:Unicode has already fixed this problem (Score:3, Interesting)
Re:IE and Firefox (Score:2, Interesting)
Re:Unicode has already fixed this problem (Score:4, Interesting)
On the other hand, it would prevent spoofing of Greek names using mu and capital omega, or capital A with ring above, or ff ligatures, since there are characters that have them as compatibility decompositions.
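One way to implement the "flag when someone's mixed any two groups of characters" check proposed in the "Flag mixing character groups" comment, together with the compatibility-decomposition point made in the reply just above (mu, capital omega, A with ring above, ff ligatures), as an added example that is not code from any of the commenters. The Unicode property the earlier commenter could not name is "Script"; Python's standard library does not expose it, so the example uses the first word of each character's Unicode name as a script hint, which is an assumption of this example and a heuristic rather than the official property.

```python
import unicodedata

# Digits and hyphen are allowed in any label regardless of script.
NEUTRAL = set("0123456789-")


def script_of(ch):
    """Return a script hint for one character, or None for neutral ones.
    Heuristic: first word of the Unicode name, e.g.
    'CYRILLIC SMALL LETTER A' -> 'CYRILLIC' (the stdlib has no Script property)."""
    if ch in NEUTRAL:
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def analyse_label(label):
    """Inspect one DNS label (text between dots). Returns a dict with the
    NFKC-normalized form, the set of scripts present, and a list of warnings
    (empty list means the label looks clean)."""
    normalized = unicodedata.normalize("NFKC", label)  # folds ff, OHM SIGN, MICRO SIGN ...
    findings = []
    if normalized != label:
        findings.append("normalization changed the label: %r -> %r" % (label, normalized))
    counts = {}
    for ch in normalized:
        s = script_of(ch)
        if s is not None:
            counts[s] = counts.get(s, 0) + 1
    if len(counts) > 1:
        # Report each character that is not in the label's dominant script,
        # naming it so a user can see "U+0430 CYRILLIC SMALL LETTER A", not just "a".
        dominant = max(counts, key=counts.get)
        for ch in normalized:
            s = script_of(ch)
            if s is not None and s != dominant:
                findings.append("U+%04X (%s) is %s inside a mostly %s label"
                                % (ord(ch), unicodedata.name(ch, "?"), s, dominant))
    return {"normalized": normalized, "scripts": set(counts), "findings": findings}


def check_hostname(host):
    """Run analyse_label over every label; returns (all_clean, per-label reports)."""
    reports = [analyse_label(label) for label in host.split(".")]
    return all(not r["findings"] for r in reports), reports


if __name__ == "__main__":
    # Constructed sample: Latin 'paypal' vs the same with Cyrillic U+0430 in place of 'a'.
    for host in ("paypal.com", "p\u0430ypal.com", "r\u00e9sum\u00e9.com", "\uFB00oo.com"):
        clean, reports = check_hostname(host)
        print(host, "clean" if clean else reports[0]["findings"])
```

A single-script non-ASCII name such as résumé.com passes, so the check does not treat ASCII as the only acceptable form.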
This is not a software bug... (Score:2, Interesting)
... it's an authentication problem
This problem is not a software bug. Short of disabling the feature, I don't see a way of fixing the problem in the client software. I mean, I don't see a software patch (or even a standards modification) fixing the problem.
What it is, is a problem exacerbated by complexity. People speak different languages around the world, often multiple languages. That rules out an ASCII-centric solution. Even rewriting the standards wouldn't help; the problem boils down to protecting people from themselves, or at least human cognition flaws.
Any solution would have to be a process solution. Specifically, the process determining that you are who you say you are. The current process for doing this is flawed for the average person. Your average person is just going to click through warnings which he or she doesn't understand.
Highlight, perhaps? (Score:2, Interesting)
When you go to a page with anything but ordinary ASCII characters perhaps it could highlight the URL blue, or red, or something...
LiveHeaders on FF (Score:3, Interesting)
Looks like I'll have to use that to double check now. Still safer than IE.