[cap-talk] Firefox breaks the principle of identifiability
Ben Laurie
ben at algroup.co.uk
Mon Feb 7 21:40:28 EST 2005
Ka-Ping Yee wrote:
> Recently, the Shmoo Group discovered that Firefox is vulnerable
> to precisely the exploit that i predicted in my 2002 paper [1] on
> Secure Interaction Design (and i'm sure many others predicted it
> years before that): its support for Internationalized Domain Names
> includes displaying a Unicode domain name in the location bar,
> thereby allowing domains to indistinguishably spoof other domains.
>
> http://shmoo.com/idn/
>
> In their example, the domain "www.p\u0430ypal.com" spoofs
> "www.paypal.com". The "\u0430" character (encoded in HTML as
> &#1072;) is a lowercase Cyrillic "a", which looks exactly the
> same as the Latin small letter "a".
>
> The domain name system supports these Unicode domains by encoding
> them into standard domain names -- in this case the actual domain
> accessed is www.xn--pypal-4ve.com, but Firefox displays it as
> "www.paypal.com". This works EVEN IF HTTPS IS USED.
>
> If you type "www.xn--paypal-4ve.com" into the location bar, then
> the domain displays as "www.xn--paypal-4ve.com". If you click
> on the link containing the Cyrillic "a", the domain displays as
> "www.paypal.com" even though you are looking at exactly the same
> site. So Firefox actually violates the principle of identifiability
> in both directions -- it makes different domains look the same,
> and also makes the same domains look different.
>
> Unfortunately, so far the response to this announcement has only
> been "Oh well. Too bad!" No one can see any other way to make
> IDNs work. The only solution is to turn off IDNs altogether.
>
> Pet names would be a good step toward a solution of this problem.
> However, i'm inclined to think that Unicode domain names are just
> inherently insecure and should not be used. Even if users learn
> to identify sites with pet names, they are still vulnerable to
> confusion if they look at the location bar, read the name there,
> and type it into the location bar later.
>
> What do you think of this problem?
Being one of the Shmoo, I've been thinking about this for a while, and I
have to confess I don't have any good answers. I do, however, have some
observations...
a) It isn't only Firefox.
b) IE only doesn't do it because it doesn't do IDN
c) On my laptop (FreeBSD), the Cyrillic a _does_ look different
d) Verisign are in violation of the ICANN recommendations on IDN - they
should not allow mixed character sets.
d is actually the best answer I've heard to this, especially if you
combine it with some kind of character set indicator.
Cheers,
Ben.
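The punycode round trip described in the quoted post and the mixed-script rule that Ben's point d) turns on, as an added example that is not code from either post, from Firefox, or from the Shmoo Group: it decodes the xn-- form the way a location bar does, then refuses to display a Unicode label that mixes scripts (Latin plus Cyrillic here), showing the raw xn-- form and a per-label script indicator instead. The script detection uses the first word of each character's Unicode name, a simplification assumed here in place of the full Unicode Script property; the sample hostnames are the ones quoted in the thread.

```python
"""
Decode IDN hostnames as a location bar would, and flag labels that mix
scripts.  Script detection is a heuristic (first word of the Unicode
character name), assumed here for a self-contained script; a real client
would use the Unicode Script property.
"""
import unicodedata

# Characters that belong to no particular script and may appear in any label.
COMMON_CHARS = set("0123456789-")


def to_unicode(host: str) -> str:
    """ASCII (xn--) form -> Unicode form, i.e. what the location bar renders."""
    if not host.isascii():
        return host  # already Unicode
    return host.encode("ascii").decode("idna")


def to_ascii(host: str) -> str:
    """Unicode form -> the ASCII form actually looked up in the DNS."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Heuristic script name for one character ("Latin", "Cyrillic", ...)."""
    if ch in COMMON_CHARS:
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"


def scripts_in_label(label: str) -> set:
    """Scripts used by one Unicode label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in label} - {"Common"}


def annotate(host: str) -> list:
    """Per-label character-set indicator: [(unicode_label, sorted scripts), ...]."""
    return [(label, sorted(scripts_in_label(label)))
            for label in to_unicode(host).split(".")]


def is_mixed_script(host: str) -> bool:
    """True if any label mixes scripts (the registration ICANN says to refuse)."""
    return any(len(scripts) > 1 for _, scripts in annotate(host))


def display_name(host: str) -> str:
    """What a cautious client shows: Unicode only when every label is
    single-script, otherwise the raw xn-- form so that the spoof is visible."""
    uhost = to_unicode(host)
    return to_ascii(uhost) if is_mixed_script(uhost) else uhost


if __name__ == "__main__":
    # Hostnames quoted in the thread (the Cyrillic one is the Shmoo example).
    for h in ("www.xn--pypal-4ve.com", "www.paypal.com"):
        print(h, "->", display_name(h), annotate(h))
```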