At 6:21 PM -0800 2/14/05, TidBITS Editors wrote:
Don't Trust Your Eyes or URLs ----------------------------- by Glenn Fleishman <glenn@tidbits.com>
The clever folks at the Shmoo Group, a bunch of interesting security folks who punch holes in assumptions about what's secure on the Internet, have discovered a simple way to fool most browsers into believing that they've connected to a secure Web site when they've been spoofed into connecting to a rogue location with a different name. It's ironic, but Internet Explorer is entirely exempt from this spoof. Opera, Safari and KHTML-based browsers, and all Mozilla and Firefox browsers suffer from this weakness on all platforms.
<http://www.shmoo.com/> <http://www.shmoo.com/idn/homograph.txt>
In brief, the Shmoos found that a poorly implemented method of allowing international language encoding within domain names, called International Domain Name (IDN) support, allows a malicious party to display what appears to be one domain name in the Location field of a browser while connecting you to another. Phishing scams have just become more difficult to identify.
This exploit is made possible by a system called "punycode," which has been widely adopted according to the Shmoo Group. Domain names that use characters outside of unaccented Western alphabet letters via Unicode/UTF-8 are converted into a string of Roman letters (see Matt Neuburg's "Two Bytes of the Cherry: Unicode and Mac OS X" for more information on Unicode). This conversion isn't a problem, per se: it means that domain names outside of the English character set can be used freely without confusing browsers and can be registered using simple English characters for backwards compatibility within the domain naming infrastructure.
<http://db.tidbits.com/getbits.acgi?tbser=1217>
The flaw is twofold: first, affected browsers display whatever the encoded version of the character is, which might look identical to another language's character. For instance, the Shmoos use the Russian lower-case letter A, which is encoded as "&1072;" in UTF-8 using decimal (base 10) notation, and displays in browsers that support IDN as a lower-case A indistinguishable from a Roman lowercase A.
<http://www.fileformat.info/info/unicode/char/0430/>
The second problem leads from the first: it's possible to have a legitimate SSL (Secure Sockets Layer) digital certificate for the punycode-based domain name. Thus, in an example that the Schmoos posted for a while (now replaced), you see "https://www.paypal.com/" in your browser URL field, and the SSL signals are all there - you get no warnings, the lock icon is present, and Firefox's Security tab in the Page Info window says the Web site's identity is verified.
Click View in that same tab in Firefox, and you'll see the full punycode name of the Web site, however, which is "www.xn--pypal-4ve.com". Copy the URL from the Location field and paste it into Terminal, and you'll see the encoded version in standard UTF-8 format, too, which looks like "www.p&1072;ypal.com".
I don't know that there's an easy solution to this problem. It's the result of choice by the developers of the various browsers to display precisely what a Unicode character looks like, which is reasonable enough. But at the same time they use a kludgy, opaque hack in the background to map that Unicode character to an English character to provide full backwards compatibility with what was once a U.S.-centric domain naming system, one that retains substantial vestiges of that history.
If you're a Firefox user, I recommend obtaining and installing a utility called SpoofStick, which alerts you to what is being called "homograph" spoofing; that is, the character or glyph looks like another, unrelated glyph. If you visit the Shmoo site with SpoofStick installed, you get a big lovely warning.
<http://www.corestreet.com/spoofstick/>
Trust has gone out the window when you follow links in email or on Web sites. There's no longer a way to be sure that the domain name you're visiting is the one you think you are unless you check the URL out in Terminal or have SpoofStick installed.
Realistically, the upshot of this situation is that you must be even more careful about following links you receive in email to sites that ask for sensitive information. A message that purports to be from PayPal customer service, for instance, may look right and even use URLs that appear to connect to PayPal's site, but could in fact be taking you to another site designed to capture your username and password. The likelihood of falling victim to a spoofed URL on the Web itself is less likely, assuming you start from a site that's a relatively trusted source. When in doubt, fall back on common sense and check the URL by pasting suspect URLs into Terminal to see if they're concealing any unusual Unicode characters. Hopefully we'll see browser fixes soon: simply displaying the full punycode-based domain name alongside its actual representation would at least highlight what's happening behind the scenes without interfering with navigation or Web pages.
-- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'