Re: [idn] homograph attacks
I think the measure to disable IDN is, like a Cantonese saying: "cutting off one's toes to avoid sand worms"...
You are right that we knew all along, in some ways, it may be good that it finally did happen and raised some concern. Now, the right attitude is to address it rather than shy away from it.
Here is a list I put together way back of the characters in the Latin, Greek, Cyrillic and Armenian scripts (based on Unicode) that create potential "homographs":
a 0061 03B1 0430
b 0062 03B2 0432
c 0063 0441 0441
đ 0111 0256
e 0065 03B5 0435
ə 0259 04D9
h 0068 03B7 043D 0570 029C
i 0069 03B9 0456 04C0 0131 0456 0130
j 006A 0458 03F3 0458
k 006B 03BA
ĸ 0138 043A
m 006D 03BC 043C
ɯ 026F 0561
ɰ 0270 057A
n 006E 03BD 0578
o 006F 03BF 043E
p 0070 03C1 0440
s 0073 0455 057F
t 0074 03C4 0442
u 0075 057D
x 0078 03C7 0445
y 0079 03C5 04AF 0443
z 007A 03B6
Î 0283 03C3
It is by no means exhaustive, but could be a start to think more about the scope of the issue...
Also, below is a writeup from Hotta-san of JPRS (sent to the APTLD) in response to the issue:
----- Original Message -----
From: "HiroHOTTA" <hotta@jprs.co.jp>
Sent: Saturday, February 12, 2005 2:26 PM
Subject: [member] About recent articles regarding phishing using homographs among IDNs
> Dear APTLD folks,
>
> As you all may be aware, phishing using homographs among IDNs was
> reported. http://www.shmoo.com/idn/homograph.txt
> The report was also introduced in Japanese by the media.
> The fear seems too much exaggerated and can be very much reduced
> by JET and ICANN guidelines. So, JPRS made an announcement on
> this (currently in Japanese and will be made in English in a few
> days).
> Here I send you my immature English translation of our statement.
> I hope every colleague ccTLD will make similar announcement and
> give ease to IDN users.
>
> Regards,
> Hiro
>
> ===============
>
> About recent articles regarding phishing using homographs among IDNs
> - Countermeasures already exist and .JP already follows them-
>
> Recently, several articles pointed out the increased possibilities
> of phishing/attacking using homographs through the introduction of
> IDNs. However, the essence of such problems is not rooted on the
> IDN itself or its applications. Rather, it is based on how domain
> name registries handle homographs among domain name strings. Here,
> explanation is given from the following viewpoints :
> - root of the problem
> - existing countermeasures that are applied to IDN registration by
> domain name registries
> - consideration already given to Japanese .JP domain name
> registration from its beginning
>
> It is worth stating here that although homographs among domain
> names are focused here, such visual illusion is not an effective
> means for phishing, since actual phishing uses more sophisticated
> tricks such as camouflaging or concealing false URIs.
>
> - root of the problem
>
> Domain name is a character string. The variety of characters in
> domain names expands and hence the number of similar-looking
> characters may increase when IDN is introduced. Phishing using
> homographs among IDNs, reported these days, is a trick performed
> by ill-willed web-site owners by making bad use of similar-looking
> characters. Especially, the example of recent articles claims that
> users of IDN-enabled browsers may be visually illuded and phished
> by a false URL containing a non-ASCII character similar to an
> ASCII letter.
>
> The root of this problem is a visual illusion, which already
> existed and is not originally introduced by IDN. For example,
> 1 (digit) and l (letter l) are similar-looking and so are 0 (digit)
> and O (letter O). These character pairs can be used for illusion.
> However, it is true that combinations of similar-looking
> characters increase when IDN is introduced. For example, dash mark
> for prolonged sound and Kanji character for 'digit one', which are
> both used in Japan, are very similar-looking.
>
>
>
> This problem was already identified when IDN was standardized and
> introduced. Countermeasures to suppress the problem were already
> investigated and standardized as RFC by IETF. In addition,
> guidelines for domain name registries to conduct such
> countermeasures have already been set up by ICANN. As subscribed,
> the countermeasures already exist and how they are effective depend
> on how domain name registries utilize these countermeasures in
> their IDN registration services considering the balance between the
> usability and constraints of IDNs.
>
> - existing countermeasures that are applied to IDN registration by
> domain name registries
>
> As stated above, this problem was already identified and the
> following guidelines were already published
>
> JET guidelines (RFC3743) (http://www.ietf.org/rfc/rfc3743.txt)
>
> Guidelines for IDN registration. They request registries to define
> languages to be registered as IDNs, define character code points
> allowed in IDNs, tag a language name to each IDN at registration to
> exclude inappropriate characters, and define variants (if any) to
> each character. These guidelines are defined along with table
> formats and algorithms.
>
> ICANN guidelines (http://www.icann.org/general/idn-guidelines-20jun03.htm)
>
> Guidelines for the Implementation of IDN by registries. They guide
> registries to follow the IDN technical standards, define allowed
> character code points, association of a single language to each IDN,
> cooperate with relevant and interested stakeholder to develop
> language-specific registration policies, etc.
>
> If each registry follows these guidelines in defining their IDN
> registration services, IDNs containing characters in two or more
> languages are excluded, and this results in a situation where visual
> illusion by similar-looking characters are dramatically reduced. For
> example, if a TLD registry defines Cyril character 'ï' to be a
> variant of ASCII 'a' following these guidelines, 'Paypïl' is
> regarded as identical to 'paypal' under the TLD.
>
>
> Most of the registries that currently provide IDN registration
> follow these guidelines or plan to do so. As a result, phishing with
> similar-looking IDNs with IDN-aware browsers is extremely suppressed.
>
> - consideration already given to Japanese .JP domain name
> registration from its beginning
>
> Only Kanji, Hiragana, Katakana, and LDH, which all are usually used
> in Japan, are allowed to be used in Japanese JP domain names.
> Characters that are visually similar to ASCII alphabets, i.e., Cyril
> character 'ï', are not allowed and thus IDNs that are
> similar-looking to ASCII domain names do not exist under .JP TLD.
> For example, 'Paypïl.jp' cannot be registered and cannot be used as
> false site for phishing.
>
> In addition, there is thought to be less visual illusion in
> Japanese character strings than in strings only in English alphabets
> for the people who are familiar with Japanese strings and are not
> familiar with English spelling. These countermeasures have been
> applied to Japanese JP domain names from the time of first
> registration.
>
> However, such problems may tend to take place more easily in a
> service by registries which don't follow these guidelines. As stated
> above, the problem is rooted in IDN registration policies of each
> domain name registry not in IDN-aware applications such as browsers.
> Japanese JP domain names, which were introduced considering the
> above, can be used without stupendous cautions.
>
Edmon
----- Original Message -----
From: "tedd" <tedd@sperling.com>
To: <idn@ops.ietf.org>
Cc: <ericj@shmoo.com>
Sent: Tuesday, February 15, 2005 11:08 AM
Subject: [idn] homograph attacks
> Hi people:
>
> You all knew this was going to happen.
>
> http://www.p&1072;ypal.com
>
> You might find --
>
> http://www.shmoo.com/idn/homograph.txt
>
> -- an interesting read.
>
> tedd
> --
> --------------------------------------------------------------------------------
> http://sperling.com/
>
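
Added example (not part of the original messages): a sketch of the two registry-side checks described in the JPRS statement above, rejecting labels that mix scripts and treating listed look-alikes as variants of an already registered name. It uses only the ASCII-letter rows of the homograph list above; the function names and sample labels are constructed, and script detection by Unicode character name is a simplification, not the RFC 3743 table algorithm.

```python
import unicodedata

# ASCII-letter rows copied from the homograph list in the message above
# (ASCII letter -> look-alike code points in Greek, Cyrillic, Armenian, etc.).
HOMOGRAPHS = {
    "a": [0x03B1, 0x0430], "b": [0x03B2, 0x0432], "c": [0x0441],
    "e": [0x03B5, 0x0435], "h": [0x03B7, 0x043D, 0x0570, 0x029C],
    "i": [0x03B9, 0x0456, 0x04C0, 0x0131, 0x0130], "j": [0x0458, 0x03F3],
    "k": [0x03BA], "m": [0x03BC, 0x043C], "n": [0x03BD, 0x0578],
    "o": [0x03BF, 0x043E], "p": [0x03C1, 0x0440], "s": [0x0455, 0x057F],
    "t": [0x03C4, 0x0442], "u": [0x057D], "x": [0x03C7, 0x0445],
    "y": [0x03C5, 0x04AF, 0x0443], "z": [0x03B6],
}
VARIANT_OF = {chr(cp): base for base, cps in HOMOGRAPHS.items() for cp in cps}


def scripts(label):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def fold(label):
    """Variant folding: replace each listed look-alike with its ASCII base."""
    return "".join(VARIANT_OF.get(ch, ch) for ch in label).lower()


def check_registration(label, registered):
    """Return (accepted, reason) for a requested label (hypothetical policy)."""
    found = scripts(label)
    if len(found) > 1:  # one script per label, as the guidelines require
        return False, "mixed scripts: " + ", ".join(sorted(found))
    folded = fold(label)
    if folded in registered:  # exact duplicate or variant of an existing name
        return False, "conflicts with registered name: " + folded
    return True, "ok"


if __name__ == "__main__":
    registered = {"paypal", "scope"}  # constructed sample zone contents
    # Constructed requests: Latin with one Cyrillic letter, an all-Cyrillic
    # look-alike of "scope", and a plain ASCII label.
    requests = ["p\u0430ypal", "\u0455\u0441\u043e\u0440\u0435", "shmoo"]
    for label in requests:
        print(ascii(label), check_registration(label, registered))
```

The all-Cyrillic request passes the single-script rule and is caught only by variant folding, which is why the guidelines ask for both a code point restriction and variant definitions.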