[wordup] IDN, Phishing attacks made easier
Adam Shand
adam at shand.net
Wed Feb 9 15:52:39 EST 2005
Eric Johanson is a member of the Shmoo Group (who I've been a part of
for years) and recently broke the story about an IDN (International
Domain Names) vulnerability with the way domain names, SSL certificates
and browsers interact. None of this is new information, but his
demonstration puts together several known possibilities in a way which
makes it clear what the effect could be.

Simplified, the problem is that domain names now support non-Roman
characters, and some non-Roman characters (e.g. a Cyrillic "a") are
indistinguishable from a Roman "a" in the browser's location bar. This
means that the domain name "p<cyrillic a>ypal.com" is completely
distinct from paypal.com, even though it's visually indistinguishable
in your browser (so now all those phishing spams which encourage you
to go to your bank's web site and enter your username and password are
nearly impossible to detect).

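To make the "visually identical but completely distinct" point concrete, here is an added Python example (not from the original post or from the Shmoo Group) that shows the Punycode form a registry and certificate actually see, flags labels that mix scripts, and folds a small, hand-picked subset of Cyrillic lookalikes onto their Latin counterparts so a homograph of a protected name can be caught. The protected-name list and the confusable table are constructed for this example; the full table is Unicode's confusables.txt.

```python
import unicodedata

# Partial, hand-picked subset of Cyrillic letters that render like Latin ones
# (constructed for this example; Unicode's confusables.txt is the full list).
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def script_of(ch):
    """Script of a letter, taken from the first word of its Unicode name
    (e.g. 'LATIN', 'CYRILLIC'); None for digits, hyphens and other non-letters."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]

def mixed_script_labels(hostname):
    """Labels (dot-separated parts) whose letters come from more than one script."""
    out = []
    for label in hostname.lower().split("."):
        scripts = {s for s in map(script_of, label) if s}
        if len(scripts) > 1:
            out.append(label)
    return out

def to_ascii(hostname):
    """Punycode (xn--) form: what the registry, DNS and the certificate actually see."""
    return hostname.encode("idna").decode("ascii")

def skeleton(hostname):
    """Fold confusable letters onto their Latin lookalikes so that visually
    identical names compare equal."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in hostname.lower())

def check(hostname, protected):
    """Classify a hostname against a set of protected names (constructed input).
    Returns 'exact', 'homograph', 'mixed-script' or 'ok'."""
    name = hostname.lower()
    if name in protected:
        return "exact"
    if skeleton(name) in protected:      # looks like a protected name but is not it
        return "homograph"
    if mixed_script_labels(name):        # suspicious even if we protect nothing similar
        return "mixed-script"
    return "ok"

if __name__ == "__main__":
    PROTECTED = {"paypal.com"}           # constructed list of names worth defending
    for name in ["paypal.com", "p\u0430ypal.com", "\u0440\u0430ypal.com", "example.com"]:
        print(f"{name:16} {to_ascii(name):22} {check(name, PROTECTED)}")
```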
If you want to play around with it you can see an example on the Shmoo
Group website where they've registered a "fake" paypal.com domain name.
As you can see it's obviously not PayPal, yet it sure looks like you
are in the right place (and it even works if you go in via the SSL
site):
http://www.shmoo.com/idn/

What can you do? Well it depends on which browser you use ...

* Internet Explorer isn't vulnerable because it's too old to support
IDN. There is a plugin from Verisign to support IDN, so if you've
installed it then you *are* vulnerable. If you aren't sure if it's
installed the best thing to do is to simply try the example above and
see if it works for you.

* Safari is vulnerable. There is a plugin available called Saft which
adds lots of useful features to Safari. The most recent version (and a
new free "lite" version) will issue a pop-up window letting you know if
you've gone to an IDN site.

* Gecko-based browsers (Mozilla, Netscape, Firefox etc.) are vulnerable.
If you are using Firefox you can disable IDN completely by typing
"about:config" into your location bar, searching for the line which
says "network.enableIDN" and then double clicking it to toggle the
"value" to "false". If you are using Mozilla or Netscape I don't know
of a solution other than upgrading to Firefox, though I'm sure a
solution will be forthcoming soon.

If all of this is meaningless to you then don't freak out; this isn't
the end of the world. So long as you type the address of your bank (or
any other site you wouldn't want compromised) directly into the
location bar of your browser (or select it from a bookmark you entered)
then you are safe. However, if you ever trust a link from an email or a
web page then you're asking for trouble.

Adam.