 BeesTeaNetwork JanitorPremium,VIP
join:2003-03-08
00000 | The state of homograph attacks quote:
The state of homograph attacks
I. Background
International Domain Name [IDN] support in modern browsers allows attackers to
spoof domain name URLs + SSL certs.
II. Description
In December 2001, a paper was released describing Homograph attacks [1]. This
new attack allows an attacker/phisher to spoof the domain/URLs of businesses.
At the time this paper was written, no browsers had implemented Unicode/UTF8
domain name resolution.
Fast forward to today: Verisign has championed International Domain Names
(IDN) [2]. RACES has been replaced with PUNYCODE [3]. Every recent
gecko/khtml based browser implements IDN (which is just about every browser
[4]
except for IE; plug-in are available [5]).
III. The details
Proof of concept URL:
»www.shmoo.com/idn/
Clicking on any of the two links in the above webpage using anything but IE
should result in a spoofed paypal.com webpage.
The links are directed at "http://www.pаypal.com/", which the browsers
punycode handlers render as www.xn--pypal-4ve.com.
This is one example URL - - there are now many ways to display any domain name
on a browser, as there are a huge number of codepages/scripts which look very
similar to latin charsets.
Phishing attacks are the largest growing class of attacks on the internet
today. I find it amusing that one of the large early adopters of IDN offer an
'Anti-Phishing Solution' [6].
Finally, as a business trying to protect their identity, IDN makes their life
very difficult. It is expected there will be many domain name related
conflicts related to IDN.
Vulnerable browsers include (but are not limited to):
Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
Other comment:
There are some inconsistencies with how the browsers match the host name
with the Common Name (CN) in the SSL cert. Most browsers seem to match the
punycode encoded hostname with the CN, yet a few (try to) match the raw UTF8
with the CN. In practice, this makes it impossible to provide 'SSL' services
effectively, ignoring the fact that IE doesn't yet support them.
IV. Detection
There are a few methods to detect that you are under a spoof attack. One
easy
method is to cut & paste the url you are accessing into notepad or some other
tool (under OSX, paste into a terminal window) which will allow you to view
what character set/pagecode the string is in. You can also view the details
of
the SSL cert, to see if it's using a punycode wrapped version of the domain
(starting with the string 'xn-'.
V. Workaround
You can disable IDN support in mozilla products by setting 'network.enableIDN'
to false. There is no workaround known for Opera or Safari.
VI. Vendor Responses
Verisign: No response yet.
Apple: No response yet.
Opera: They believe they have correctly implemented IDN, and will not be
making any changes.
Mozilla: Working on finding a good long-term solution; provided clear
workaround for disabling IDN.
VII. Timeline
2002 - Original paper published on homograph attacks
2002-2005 - Verisign pushes IDN, and browsers start adding support for it
Jan 19, 2005 - Vendors notified of vulnerability
Feb 6, 2005 - Public disclosure @shmoocon 2005
VIII. Copyright
This paper is copyright 2005, Eric Johanson ericj@shmoo.com
Assistance provided by:
- The Shmoo Group
- The Ghetto Hackers
Thank you, you know who you are.
References:
[1] »www.cs.technion.ac.il/~gabr/pape···aph.html
[2] »www.verisign.com/products-servic···dex.html
[3] »mct.verisign-grs.com/index.shtml
[4] »www.verisign.com/products-servic···01000002
[5] »www.idnnow.com/index.jsp
[6] »www.verisign.com/verisign-busine···lutions/
»www.shmoo.com/idn/homograph.txt
-BeesT
--
echo 16i[q]sa[ln0=aln100%Pln100/snlbx]sbA0D4D465452snlb xq |dc |
|
|
|
ghickenPremium
join:2004-12-01
Taneytown, MD | Thanks for the information. I just set my Firefox browser for network.enableIDN = false.
 |
|
 sybilleNot only "just visiting"Premium
join:2004-04-06
France | reply to BeesTea
Thanks, BeesTea  .
I've set the IDN value to false in Firefox as per the workaround and then confirmed the difference at the shmoo.com proof of concept page.
It's such an easy modification to make (in about:config or user.js) that it seems to me that anyone using a Mozilla browser would want to make sure to implement the change. Hopefully a fix (as opposed to a workaround) will be implemented in future released of the different Mozilla browsers. |
|
BPremium,MVM
join:2000-10-28 | Viewed the demo page -- the funky "a" was clearly visible when hovering over the URL. I would never click on that.
Eternal vigilance is the price of liberty, or something like that?
I'm not sure if that default should be changed or not.
The one thing tipping the scales is Verisign's support. If they're for it, it's almost assuredly a bad thing. 
-- B
--
In a realm outside causality and function |
|
 CudniLa Merma - VigiladoPremium,MVM
join:2003-12-20
Someshire
kudos:13
1 edit | from
»it.slashdot.org/article.pl?sid=0···from=rss
"..
To disable IDN as a workaround for this problem (on Gecko-based browsers): hit about:config and set network.enableIDN to false.
That is a great suggestion, except for the part where it does not work.
Go ahead, make the change, then restart your browser. Now go look at about:config again. Yup, still set to false. Now go see if it the setting worked. It does not. So at least with Firefox 1.0 just took a bad situation and made it worse. Now people will think turning off this setting will actually accompolish something and protect them and it will not. .."
edit: also
»forums.mozillazine.org/viewtopic···t=214914
Cudni |
|
 KickrootJava HeathenPremium
join:2002-11-24
Glassboro, NJ | said by Cudni:That is a great suggestion, except for the part where it does not work. I saw that same post on Slashdot, and think it's worth reiterating...IT DOES NOT WORK AFTER YOU RESTART THE BROWSER.
Even though the setting displays false, it's still enabled. I find that to be a serious bug, and I would expect it to get fixed quickly.
Although, I'm still using v0.93, and disabling IDN does in fact work. I think I'll wait to upgrade until IDN can be disabled properly. It must be a bug for 1.0 and above.... |
|
BPremium,MVM
join:2000-10-28 |
For what it's worth, same failure in Mozilla (the real one) 1.7.2. Definitely a problem in the main tree.
-- B
--
In a realm outside causality and function
|
|
 DanielPremium,MVM
join:2000-06-26
San Francisco, CA
1 edit | reply to BeesTea
Ironic that it was the fact that IE once again didn't embrace a standard that got them off the hook on this one. Funny how that works.
By the way, for you Firefox users, go to:
..into your address bar, and in the filter bar at top of the settings page that comes up do a search for IDN. Double-click the line and it'll set it to false.
Edit: Just saw the post above...wow. I'm sure we'll have a fix within a day.
--
grep understanding knowledge |
|
BPremium,MVM
join:2000-10-28 |
But it doesn't work!
Has disabling it worked for anyone here?
-- B
--
In a realm outside causality and function
|
|
CudniLa Merma - VigiladoPremium,MVM
join:2003-12-20
Someshire
kudos:13
2 edits | acehyde says it worked for him
edit: (now confirmed it did not work)
»/. has an article about Phishing exploit w/Firefox
edit: the only time i can make exploit fails is if i make config change everytime i start FF
Cudni |
|
 EGeezerSummertimePremium
join:2002-08-04
Midwest
kudos:7
 ·Callcentric
| Re: fix breaks on browser restart said by Cudni:the only time i can make exploit fails is if i make config change everytime i start FF Same here - When I exit the browser and restart, the spoof works. IDN is still set "false". I have to change to true and back to false to get the fix to work again.
Although the small a in paypal shows on the spoofed page, it's something that could be missed by casual users.
However, in the "SSL" page the true URL shows when viewing the "Security" certificate (see screenshot above). This is one more reason to view the certificates rather than simply assuming the lock means the site is good.
Looks like a fix is needed. I'm surprised that Opera sees no problem with it... 
MS finally has one thing to chuckle about... |
|
BPremium,MVM
join:2000-10-28 | I only hope this is isolated and doesn't apply to OTHER configuration options kept in the PREFS.JS, boolean or not.
-- B
--
In a realm outside causality and function |
|
EGeezerSummertimePremium
join:2002-08-04
Midwest
kudos:7 Reviews:
·Callcentric
| Mozilla forum, bug links Looks like the issue is being addressed over at Mozillazine - see discussion at
»forums.mozillazine.org/viewtopic···t=214828
Bug report at »bugzilla.mozilla.org/show_bug.cgi?id=281365
Duplicate at
»bugzilla.mozilla.org/show_bug.cgi?id=281377 |
|
CudniLa Merma - VigiladoPremium,MVM
join:2003-12-20
Someshire
kudos:13 | reply to BeesTea
Re: The state of homograph attacks Looks fixed in later (non official builds). I'm using moox build (just installed)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b) Gecko/20050206 Firefox/1.0+ (MOOX M3)
and get page not found
Cudni
--
Whether you think that you can, or that you can't, you are usually right.
Help yourself so God can help you..it does exactly what it says on the sig |
|
sybilleNot only "just visiting"Premium
join:2004-04-06
France | reply to BeesTea
The preference does not revert for me, even after restarting Firefox:
Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
So I use Slackware. Slackware 10.1 was released today, and in getting ready to upgrade my installation I was comparing the packages I've installed with the list of all available Slackware packages. Along the way, and as a result of this thread, I happened to notice that there is a separate Slackware package for IDN. I've never had that package installed, and I don't know if that makes any difference for setting the preference in Firefox. I don't suppose it would, but I don't know, either.
In any case, I don't lose the IDN setting after restarting Firefox. |
|
BPremium,MVM
join:2000-10-28 |
But do you lose the BEHAVIOR?
None of us are losing the setting -- in about:config and PREFS.JS the setting stays "false", but the EFFECT is gone after restarting the browser.
Without IDN enabled I doubt you see a difference to begin with?
-- B
--
In a realm outside causality and function
|
|
 keith2468Premium,MVM
join:2001-02-03
Winnipeg, MB | reply to BeesTea
I get page not found, in FF and in MSIE 6 sp2. |
|
sybilleNot only "just visiting"Premium
join:2004-04-06
France | reply to B
Oh, duh. Yes, I do lose the behavior. Also true if I change the preference with user.js rather than in about:config.
said by B:Without IDN enabled I doubt you see a difference to begin with? I do see a difference, before restarting. The fake paypal site comes up if the preference is not set manually for the session. In the location bar, the first letter "a" in the fake URL for "paypal" is not an "a" but instead is a symbol (the sort I'd see for non-Western characters before I imported unicode fonts over from my now defunct Windows partition, but that's another story...).
Too bad the the Mozilla workaround doesn't seem to be working. |
|
BPremium,MVM
join:2000-10-28 |
Okay, I thought that without the IDN package you mentioned the exploit wouldn't change at all. (Which is apparently true in part, since the "a" is not rendered properly but might be if you were to install the package.)
-- B
--
In a realm outside causality and function
|
|
sybilleNot only "just visiting"Premium
join:2004-04-06
France | So it seems that there was no IDN library package in Slackware 10.0. This appears to be a new addition in today's 10.1 release. Interesting to encounter this international domain names issue in two apparently unrelated contexts...
Anyway, even if the workaround were working, it still seems important to verify URLs before entering financial information and so on. It's not as though any technology can prevent a person from falling for the social engineering tactic du jour... |
|
