Homograph attacks allow for the spoofing of domain name URLs and SSL certificates thanks to a problem with International Domain Name [IDN] support in modern browsers. This is devastating.
Vulnerable browsers include (but are not limited to):
Most Mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
Proof of concept. Damn. IE is safe because it doesn't have IDN support built in. Let's see how fast these vendors respond. They need to fix this immediately.
- jim 2-07-2005 6:29 pm
Does this mean I have to go back to Internet Exploder? Seriously--what's the main danger here, for us laymen? That you'll be routed elsewhere when ordering something online?
- tom moody 2-07-2005 6:45 pm
It means you can't trust links to go where it looks like they go. So if you are going to a web page where you will do anything that should be secret (buying something on ebay, doing online banking, etc....) you should not trust a link in order to get there. Your own bookmarks, or manually entering the URL, are of course safe.
I guess practically it is not *that* much of a problem since you probably wouldn't follow a link from an untrusted site to someplace where you would immediately reveal your credit card. Still pretty embarrassing. I'd expect Firefox will have a fix out later today.
I would *not* recommend going back to IE as there are so many vulnerabilities there even if it doesn't have this one.
- jim 2-07-2005 6:55 pm
The latest Firefox and Mozilla nightly builds fix this issue by disabling IDN support.
Theoretically this is a problematic issue and it is great to see Mozilla get a "fix" out so quickly (it took roughly 12 hours.) On the other hand, it's not really a "bug" per se, as the problem is in the IDN specification and not in a faulty implementation of the spec. So really the whole international domain name issue has to be rethought. Still, if you are paranoid about being taken to a spoofed website by following a rogue link from somewhere else on the web, you should update to the latest build at the links above.
Safari users will have to wait and see what Apple is going to do. I wish they would move faster, but on the other hand, I'm not particularly worried for myself, and I don't plan to change browsers or anything. I doubt anyone will actually get scammed by this exploit. Still, it's not the kind of thing you want to see, even in theory, and I hope it gets ironed out.
- jim 2-09-2005 3:29 am
I get phishing spam from time to time asking me to update my banking information. They look very authentic, with logos and genuine looking URLs and such. This exploit would allow phishers to make their bait more realistic. But people shouldn't be responding to random emails anyway.
- mark 2-09-2005 6:14 am
Yes. I guess this IDN hole is very similar to the problem with basic access authentication. That is where you supply a name and password on the front of a URL like http://jim:password@digitalmediatree.com. The problem here is that you can make the username and/or password look like a regular website. Like my name could be 'www.microsoft.com/security/update/' and then my password could be some long inscrutable string like ':Be493wjfae9iwj4o3wowjfw/' and only after that, if you really closely examined the whole thing, would you notice the actual site you are being taken to '@evilsite.com'. Thus:
http://www.microsoft.com/security/update/:Be493wjfae9iwj4o3wowjfw/@evilsite.com
Really does look at first glance like a Microsoft domain. It's the rather cloaked occurrence of the '@' that is the problem. And it can even be a little trickier than this if they use a numeric IP instead of an ASCII domain name.
I think that is the usual phishing mechanism for spoofing URLs. This IDN thing is very similar in that both attacks rely on you misreading an actual correctly formed URL. So I guess there is always something to watch out for, and definitely Mark's advice is the best: "people shouldn't be responding to random emails anyway."
- jim 2-09-2005 6:31 pm
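An added example, not part of the original thread: a small Python link checker that reports the host a URL parser actually resolves and flags the two tricks discussed above (a hostname-like string before the '@', and IDN labels that mix scripts), plus numeric-IP hosts. The function names, finding labels and sample URLs are constructed for illustration and use reserved example domains and addresses.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Scripts used by the letters of one DNS label, taken from Unicode names."""
    # unicodedata.name() starts with the script, e.g. "CYRILLIC SMALL LETTER A"
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_url(url):
    """Return (real_host, findings) for a link, as a URL parser sees it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if parts.username is not None:
        findings.append("userinfo-before-@")
        if "." in parts.username:
            findings.append("userinfo-looks-like-hostname")
    try:
        ipaddress.ip_address(host)
        findings.append("numeric-ip-host")
    except ValueError:
        pass
    for label in host.split("."):
        if label.startswith("xn--"):
            # Decode the punycode (ACE) form so the Unicode label can be checked
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                findings.append("bad-punycode")
                continue
        if not label.isascii():
            findings.append("non-ascii-label")
            if len(label_scripts(label)) > 1:
                findings.append("mixed-script-label")
    return host, findings


# Constructed samples. urlsplit follows RFC 3986, where the authority ends at
# the first "/", so the userinfo in these samples contains no raw slashes.
SAMPLES = [
    "http://www.microsoft.com:update@evilsite.example/",  # name-like userinfo
    "http://user:pw@192.0.2.10/",                         # numeric IP host
    "http://p\u0430ypal.example/login",                   # Cyrillic U+0430 for "a"
    "https://www.example.com/account",                    # nothing to flag
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), "->", inspect_url(sample))
```

The mixed-script check is a heuristic: a label written entirely in one non-Latin script is reported only as `non-ascii-label`, so a whole-script lookalike still needs a confusables table or an allow-list of expected domains.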
Safari users who want an immediate fix for this can download a free lite version of Saft which is a 3rd party program that adds some features to Safari. The lite version only contains the IDN spoofing detection feature.
Note this will cause Safari to crash if you have either PithHelmet or DownloadComment (two other 3rd party plug-ins) installed.
I would only do this if you are really worried about this exploit.
- jim 2-09-2005 8:09 pm