Don't Trust Your Eyes or URLs (was Re: TidBITS#766/14-Feb-05)
R.A. Hettinga
rah at shipwright.com
Mon Feb 14 20:33:19 PST 2005
At 6:21 PM -0800 2/14/05, TidBITS Editors wrote:
>Don't Trust Your Eyes or URLs
>-----------------------------
> by Glenn Fleishman <glenn at tidbits.com>
>
> The clever folks at the Shmoo Group, a bunch of interesting
> security folks who punch holes in assumptions about what's
> secure on the Internet, have discovered a simple way to fool
> most browsers into believing that they've connected to a secure
> Web site when they've been spoofed into connecting to a rogue
> location with a different name. It's ironic, but Internet Explorer
> is entirely exempt from this spoof. Opera, Safari and KHTML-based
> browsers, and all Mozilla and Firefox browsers suffer from this
> weakness on all platforms.
>
><http://www.shmoo.com/>
><http://www.shmoo.com/idn/homograph.txt>
>
> In brief, the Shmoos found that a poorly implemented method
> of allowing international language encoding within domain names,
> called International Domain Name (IDN) support, allows a malicious
> party to display what appears to be one domain name in the
> Location field of a browser while connecting you to another.
> Phishing scams have just become more difficult to identify.
>
> This exploit is made possible by a system called "punycode,"
> which has been widely adopted according to the Shmoo Group.
> Domain names that use characters outside of unaccented Western
> alphabet letters via Unicode/UTF-8 are converted into a string
> of Roman letters (see Matt Neuburg's "Two Bytes of the Cherry:
> Unicode and Mac OS X" for more information on Unicode). This
> conversion isn't a problem, per se: it means that domain names
> outside of the English character set can be used freely without
> confusing browsers and can be registered using simple English
> characters for backwards compatibility within the domain naming
> infrastructure.
>
><http://db.tidbits.com/getbits.acgi?tbser=1217>
>
> The flaw is twofold: first, affected browsers display whatever the
> encoded version of the character is, which might look identical to
> another language's character. For instance, the Shmoos use the
> Russian lower-case letter A, which is encoded as "&#1072;" in UTF-8
> using decimal (base 10) notation, and displays in browsers that
> support IDN as a lower-case A indistinguishable from a Roman
> lowercase A.
>
><http://www.fileformat.info/info/unicode/char/0430/>
>
> The second problem leads from the first: it's possible
> to have a legitimate SSL (Secure Sockets Layer) digital
> certificate for the punycode-based domain name. Thus, in
> an example that the Shmoos posted for a while (now replaced),
> you see "https://www.paypal.com/" in your browser URL field,
> and the SSL signals are all there - you get no warnings, the
> lock icon is present, and Firefox's Security tab in the Page
> Info window says the Web site's identity is verified.
>
> Click View in that same tab in Firefox, and you'll see
> the full punycode name of the Web site, however, which is
> "www.xn--pypal-4ve.com". Copy the URL from the Location
> field and paste it into Terminal, and you'll see the encoded
> version in standard UTF-8 format, too, which looks like
> "www.p&1072;ypal.com".
>
> I don't know that there's an easy solution to this problem.
> It's the result of choice by the developers of the various
> browsers to display precisely what a Unicode character looks
> like, which is reasonable enough. But at the same time they
> use a kludgy, opaque hack in the background to map that Unicode
> character to an English character to provide full backwards
> compatibility with what was once a U.S.-centric domain naming
> system, one that retains substantial vestiges of that history.
>
> If you're a Firefox user, I recommend obtaining and installing
> a utility called SpoofStick, which alerts you to what is being
> called "homograph" spoofing; that is, the character or glyph looks
> like another, unrelated glyph. If you visit the Shmoo site with
> SpoofStick installed, you get a big lovely warning.
>
><http://www.corestreet.com/spoofstick/>
>
> Trust has gone out the window when you follow links in email or
> on Web sites. There's no longer a way to be sure that the domain
> name you're visiting is the one you think you are unless you check
> the URL out in Terminal or have SpoofStick installed.
>
> Realistically, the upshot of this situation is that you must be
> even more careful about following links you receive in email to
> sites that ask for sensitive information. A message that purports
> to be from PayPal customer service, for instance, may look right
> and even use URLs that appear to connect to PayPal's site, but
> could in fact be taking you to another site designed to capture
> your username and password. The likelihood of falling victim to
> a spoofed URL on the Web itself is less likely, assuming you start
> from a site that's a relatively trusted source. When in doubt,
> fall back on common sense and check the URL by pasting suspect
> URLs into Terminal to see if they're concealing any unusual
> Unicode characters. Hopefully we'll see browser fixes soon:
> simply displaying the full punycode-based domain name alongside
> its actual representation would at least highlight what's
> happening behind the scenes without interfering with navigation
> or Web pages.
--
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
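The article's "paste the URL into Terminal" check, and its suggested browser fix of showing the punycode name next to the rendered one, can both be done in a few lines. The following Python is an added example written for this archive page; it is not code from TidBITS, the Shmoo Group or SpoofStick. It uses only the standard library's idna codec and unicodedata module. The sample hostnames are constructed: the Cyrillic-a "paypal" host is the one from the article, the others are legitimate single-script names added for contrast. It prints both representations of each name and flags any label whose letters come from more than one script, which is the property the homograph trick depends on.

```python
import unicodedata

# Constructed sample hostnames for the demo. The Cyrillic small letter a
# (U+0430) standing in for a Latin "a" is the case from the TidBITS article;
# the remaining entries are constructed, legitimate single-script names.
SAMPLE_HOSTS = [
    "www.paypal.com",          # plain ASCII, nothing hidden
    "www.p\u0430ypal.com",     # Cyrillic "а" at position 1: looks like paypal
    "www.xn--pypal-4ve.com",   # the same host as DNS and the certificate see it
    "b\u00fccher.example",     # constructed: legitimate German label, Latin only
]


def to_ace(host):
    """Return the ASCII Compatible Encoding (punycode, 'xn--' labels) of a
    hostname. This is the form that appears in DNS and in the certificate."""
    return host.encode("idna").decode("ascii")


def to_display(host):
    """Return the Unicode form an IDN-aware browser renders in the Location
    field. Accepts either the Unicode or the already-encoded ACE form."""
    return host.encode("idna").decode("idna")


def scripts_in(label):
    """Set of script names (LATIN, CYRILLIC, GREEK, ...) used by the letters
    of one label, taken from the first word of each character's Unicode name.
    Digits, hyphens and other non-letters are counted as COMMON."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            name = unicodedata.name(ch, "UNKNOWN UNKNOWN")
            scripts.add(name.split(" ")[0])
        else:
            scripts.add("COMMON")
    return scripts


def analyze(host):
    """Report both representations of a hostname and flag labels that mix
    letters from more than one script, the pattern the homograph relies on."""
    display = to_display(host)
    ace = to_ace(host)
    findings = []
    for label in display.split("."):
        used = scripts_in(label) - {"COMMON"}
        if len(used) > 1:
            findings.append((label, sorted(used)))
    return {
        "display": display,          # what the Location field shows
        "ace": ace,                  # what the certificate is issued for
        "is_idn": display != ace,    # True whenever punycode is in play
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Show the rendered name beside its punycode form, as the article suggests
    # browsers should, and mark mixed-script labels.
    for host in SAMPLE_HOSTS:
        r = analyze(host)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{r['display']:<24} {r['ace']:<28} {flag}")
        for label, scripts in r["findings"]:
            print(f"    label {label!r} mixes {' + '.join(scripts)}")
```

The mixed-script test is deliberately simple: a label made entirely of Cyrillic letters that happen to resemble Latin ones would pass it, so in practice it belongs alongside a confusables table or a whitelist of the scripts you expect. It does, however, catch the exact case the Shmoos demonstrated, and the `is_idn` field alone reproduces what SpoofStick tells the user: that the name in the Location field is not the name the connection was made to.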