Unicode characters can be used to spoof URLs

VERIFIED DUPLICATE of bug 279099

Status: VERIFIED DUPLICATE of bug 279099
Product: Core
Component: Security
Priority: --
Severity: major
Reported: 14 years ago
Modified: 13 years ago

People

(Reporter: bugzilla, Assigned: dveditz)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)


(Reporter)

Description

14 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0

In Unicode, more than one character can look the same: for example, latin 'a'
and Cyrillic 'а' look identical. This enables URLs such as
http://www.pаypal.com/ to be created. Supposedly, the registrar is meant to
associate a character set with each domain label, and to filter the characters
in the label against that character set. It clearly does not appear that
Verisign has done this. Therefore, we must do so, as this otherwise leaves a
giant spoofing hole wide open.

Further, the about: page workaround of turning off IDNs has widely been reported
as not working.

See http://www.shmoo.com/idn/homograph.txt for more details.

Reproducible: Always

Steps to Reproduce:
1. Visit http://www.pаypal.com/
2. See that it is not the same as http://www.paypal.com/
3.

Actual Results:  
Went to a spoofed website, which was not the same as the real website with
all-ASCII name.

Expected Results:  
Either:
* reported the URL as spoofed, and refused to visit it, or
* visited the URL that it visually purported to be
(Reporter)

Comment 1

14 years ago
More references for the technical issues behind this bug:
* IDN Language Table Registry http://www.iana.org/assignments/idn/
* Draft Unicode Technical Report #36, Security Considerations for the
Implementation of Unicode and Related Technology
http://www.unicode.org/reports/tr36/tr36-1.html
(Reporter)

Comment 2

14 years ago
See also this very interesting reference:
* Method for detecting a homographic attack in a webpage by means of language
identification and comparison http://www.priorartdatabase.com/IPCOM/000010253/
(Reporter)

Comment 3

14 years ago
And this as well:
* "The Homograph Attack", Communications of the ACM, 45(2):128, February 2002
http://www.cs.technion.ac.il/~gabr/papers/homograph.html

Comment 4

14 years ago
Turning off IDN is not a good long-term solution, and neither is expecting the
average user to know how to check code pages, look for minute serif differences,
pull out a hex editor, etc.

However, phishing attempts *can* be detected by looking for domains that are a
combination of ordinary characters (based on the user's language setting) and 
at least one character whose traditional rendering might be confused with
ordinary letters or numbers.

Upon detection, the browser could provide a notification bar (similar to those
seen on pop-up and plug-in install attempts) with a message such as:

     This site may be trying to trick you into believing it
     is www.paypal.com. Click _here_ for more details.

In the above message, the hostname would be "translated" to the possible
equivalent "look-alike" string. Clicking the message would provide a window with
a Joe Sixpack-level explanation of the issue (without getting into details about
Unicode) and would highlight and describe any characters that might be confused.

This general approach could be used for any user language, and might also be
useful for semi-homographs, such as letters with diacritic or accent marks that
might go unnoticed.
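
The detection rule described in comment 4 (a label that mixes characters from the user's script with at least one look-alike from another script), together with the description's pаypal example, worked through in Python. This is an added example, not code from the bug report or from Mozilla. It assumes a small hand-built CONFUSABLES table (a constructed subset; Unicode publishes the full confusables data), a name-based script heuristic because Python's unicodedata has no Script property, and a user whose ordinary script is Latin; the stricter "every character is a look-alike" rule is an extension beyond what comment 4 states.

```python
import unicodedata

# Hand-built table (constructed for this example, not Unicode's full
# confusables data) of Cyrillic letters whose usual glyphs match Latin ones.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A  (the one in the pаypal example)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
}


def script_of(ch):
    """Rough script classification taken from the character's Unicode name.
    Heuristic (assumption): unicodedata exposes no Script property."""
    if ch.isdigit() or ch == "-":
        return "Common"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def analyze_label(label, user_script="Latin"):
    """Apply comment 4's rule to one domain label.

    Suspicious when the label mixes the user's script with at least one
    look-alike from another script, or (stricter extension) when every
    character is a look-alike from another script."""
    scripts = {script_of(c) for c in label} - {"Common"}
    lookalikes = [c for c in label if c in CONFUSABLES]
    has_user_script = user_script in scripts
    mixed_with_lookalike = has_user_script and bool(lookalikes)
    all_lookalike = bool(label) and len(lookalikes) == len(label) and not has_user_script
    suspicious = mixed_with_lookalike or all_lookalike
    # The "translated" string: what the label visually purports to be.
    translated = "".join(CONFUSABLES.get(c, c) for c in label)
    findings = [
        "'%s' (U+%04X %s) looks like '%s'"
        % (c, ord(c), unicodedata.name(c), CONFUSABLES[c])
        for c in lookalikes
    ] if suspicious else []
    return suspicious, translated, findings


def check_hostname(host, user_script="Latin"):
    """Return (suspicious, look-alike hostname, findings) for a Unicode hostname.
    NFC normalisation and lower-casing approximate IDNA's label preparation."""
    host = unicodedata.normalize("NFC", host).lower()
    suspicious = False
    translated_labels = []
    findings = []
    for label in host.split("."):
        s, t, f = analyze_label(label, user_script)
        suspicious = suspicious or s
        translated_labels.append(t)
        findings.extend(f)
    return suspicious, ".".join(translated_labels), findings


def ace_form(host):
    """Punycode (xn--) form: the unambiguous string an address bar can show."""
    return host.encode("idna").decode("ascii")


def warning_message(host, user_script="Latin"):
    """Text for the notification bar proposed in comment 4, or None."""
    suspicious, lookalike, findings = check_hostname(host, user_script)
    if not suspicious:
        return None
    return ("This site may be trying to trick you into believing it is %s. "
            "It is really %s. %s" % (lookalike, ace_form(host), "; ".join(findings)))


if __name__ == "__main__":
    # Constructed inputs: the all-ASCII site, the mixed-script look-alike from
    # the description, and an all-Cyrillic label made only of look-alikes.
    for h in ["www.paypal.com", "www.p\u0430ypal.com", "\u0441\u043e\u0441\u043e.com"]:
        print(h, "->", warning_message(h))
```

The per-character findings are what the "click here for more details" window would show; a genuinely foreign-script domain such as яндекс.рф contains no Latin letters and is not all look-alikes, so it is not flagged for a Latin-script user, which is the property that makes this rule usable without turning IDN off.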

Comment 5

14 years ago
Confirming. No dupes found. All/all. Core/Security: general.

http://news.netcraft.com/archives/2005/02/07/nonmicrosoft_browsers_have_spoofing_flaw.html
Assignee: bugs → dveditz
Status: UNCONFIRMED → NEW
Component: Location Bar and Autocomplete → Security: General
Ever confirmed: true
OS: Windows 2000 → All
Product: Firefox → Core
QA Contact: davidpjames
Hardware: PC → All
Version: unspecified → Trunk
(Assignee)

Comment 6

14 years ago

*** This bug has been marked as a duplicate of 279099 ***
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → DUPLICATE

Updated

14 years ago
Status: RESOLVED → VERIFIED