|
There is a published spoofing attack using homographs IDN. By using a Cyrillic SMALL LETTER A (U+430), Securnia is able to pretend to be http://www.paypal.com/.
Actually this is well-documented in RFC 3490 under the Security Consideration:
“To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts. Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l. DNS zone adminstrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs.”
The problem is that many of the current IDN implementations did not provide any indication that it is an IDN names (instead of a normal one). In fact, Mark Davis1 published a snipplet of code to demostrate how to do despoofing in 2002.
But the fact Secunia is able to register paypal.com (with Cyrillic a), ie xn—pypal-4ve.com begs a question - why are they able to do so?
Even though we have been asking Verisign registry to implement RFC 3743 (aka JET Guidelines) or to follow ICANN IDN Guidelines (specifically on language tag) for many years, they have not done so, and instead opt to allow any IDN strings to be registered. This homographs spoofing attack would not be possible if Verisign have done appropriate step to associate each registered internationalized domain name with one language or set of languages and employ language-specific registration and administration rules that are documented and publicly available (as recommended by ICANN IDN Guideline).
Now, given Verisign is a security company, the “Trust Company”, and they have been following the IDN standardization work from the beginning, I am sure this is well-known to them. Lets hope this report will help change their position before a real phishing attack occurs.
1 Mark Davis is the president of Unicode Consortium.
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byIPv4.Global
Sponsored byRadix
Sponsored byVerisign
Sponsored byCSC
Sponsored byWhoisXML API
While limiting IDN labels to codepoints associated with a single language (as per the ICANN IDN guidelines and RFC 3743) does significantly mitigate the problem, it does not eliminate it. For example the first label in ѕех.com contains Cyrillic codepoints only, yet in many browsers is easily confused with its US-ASCII equivalent. This isn’t an indictement of the guidelines, just a warning that they should not be viewed as a magic bullet.
[ The link in my previous comment was incorrectly rendered; it should have been: ѕех.com ]
Update: Mark Davis poined out a UTR #36 Security Consideration for Implementation of Unicode and other Related Technologies.
Ben Laurie pointed out I have incorrectly attribute the IDN spoofing to Securnia - it was Eric Johnson.
Update: Found a better reference to the idea Mark Davis proposed back in 2002.
I own the Cyrillic IDN you list (not paypal). I bought it for fun, not phishing, like buying a fake Rolex that I would never wear. I hate to sound defensive, but you are certainly not the only one to pick on that one domain. It does not pretend to be the original site. Phony bank, credit card, etc sites and scum/spyware are the real threat.
Thanks for mentioning paypal, but why pick on my site? There are several variations of triple X, xbox, xp dot com and many other IDN sites. If someone registers an ASCII domain name with the word “Microsoft” in it, they are likely to be sued if they use it to deceive. Let the current system handle it along with MS IE7 and other anti-phishing software.