Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.

Avenue4 LLCRead Message Promoted Post

Home / Blogs

IDN and Homographs Spoofing

James Seng

There is a published spoofing attack using homographs IDN. By using a Cyrillic SMALL LETTER A (U+430), Securnia is able to pretend to be http://www.paypal.com/.

Actually this is well-documented in RFC 3490 under the Security Consideration:

"To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts.  Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l.  DNS zone adminstrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs."

The problem is that many of the current IDN implementations did not provide any indication that it is an IDN names (instead of a normal one). In fact, Mark Davis1 published a snipplet of code to demostrate how to do despoofing in 2002.

But the fact Secunia is able to register paypal.com (with Cyrillic a), ie xn--pypal-4ve.com begs a question - why are they able to do so?

Even though we have been asking Verisign registry to implement RFC 3743 (aka JET Guidelines) or to follow ICANN IDN Guidelines (specifically on language tag) for many years, they have not done so, and instead opt to allow any IDN strings to be registered. This homographs spoofing attack would not be possible if Verisign have done appropriate step to associate each registered internationalized domain name with one language or set of languages and employ language-specific registration and administration rules that are documented and publicly available (as recommended by ICANN IDN Guideline).

Now, given Verisign is a security company, the "Trust Company", and they have been following the IDN standardization work from the beginning, I am sure this is well-known to them. Lets hope this report will help change their position before a real phishing attack occurs.

1 Mark Davis is the president of Unicode Consortium.

By James Seng, Vice President
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

Re: IDN and Homographs Spoofing Geoff Sisson  –  Feb 08, 2005 4:22 AM PST

While limiting IDN labels to codepoints associated with a single language (as per the ICANN IDN guidelines and RFC 3743) does significantly mitigate the problem, it does not eliminate it.  For example the first label in ѕе&#x0445.com contains Cyrillic codepoints only, yet in many browsers is easily confused with its US-ASCII equivalent.  This isn't an indictement of the guidelines, just a warning that they should not be viewed as a magic bullet.

Re: IDN and Homographs Spoofing Geoff Sisson  –  Feb 08, 2005 4:44 AM PST

[ The link in my previous comment was incorrectly rendered; it should have been: ѕех.com ]

Re: IDN and Homographs Spoofing James Seng  –  Feb 08, 2005 6:45 PM PST

Update: Mark Davis poined out a UTR #36 Security Consideration for Implementation of Unicode and other Related Technologies.

Ben Laurie pointed out I have incorrectly attribute the IDN spoofing to Securnia - it was Eric Johnson.

Re: IDN and Homographs Spoofing James Seng  –  Feb 17, 2005 4:07 PM PST

Update: Found a better reference to the idea Mark Davis proposed back in 2002.

Re: IDN and Homographs Spoofing Jerry Burns  –  Mar 01, 2006 8:40 PM PST

I own the Cyrillic IDN you list (not paypal).  I bought it for fun, not phishing, like buying a fake Rolex that I would never wear. I hate to sound defensive, but you are certainly not the only one to pick on that one domain. It does not pretend to be the original site.  Phony bank, credit card, etc sites and scum/spyware are the real threat. 

Thanks for mentioning paypal, but why pick on my site?  There are several variations of triple X, xbox, xp dot com and many other IDN sites.  If someone registers an ASCII domain name with the word "Microsoft" in it, they are likely to be sued if they use it to deceive. Let the current system handle it along with MS IE7 and other anti-phishing software.

To post comments, please login or create an account.

Related

Topics

Mobile Internet

Sponsored byAfilias

New TLDs

Sponsored byAfilias

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Promoted Post

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s.