
xri message



Subject: RE: [xri] Homographic attacks


Gabe,

I agree with you wrt what the XRI specs can/should do. But it seems to me
that at a minimum an XRI registry can/should safely adopt the policy Dave
points out in Section 7.5 of RFC 3987 (IRI) about only allowing
registrations in one script (except Japanese - Nat, care to elaborate on
that one for us?)

Do you agree?

=Drummond 

-----Original Message-----
From: Wachob, Gabe [mailto:gwachob@visa.com] 
Sent: Tuesday, February 22, 2005 4:29 PM
To: Dave McAlpin; Drummond Reed; Sakimura, Nat; xri@lists.oasis-open.org;
gss-comment@lists.xdi.org
Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
Subject: RE: [xri] Homographic attacks

I expect that there will be an IRI-level discussion of this and we should
(when it happens) be able to refer folks there. I don't think we can
realistically do more than point out the issue in our security section
and expect people to use whatever best practices and guidelines are
developed for IRIs in general.

In short, this is not a problem we can address at the XRI level, and I'm
not even sure it's something that XRI registries should attempt to
address until there's more discussion about this in the i18n and URI
communities. This is something that will be addressed by best practices
and maybe some rules about Unicode character mapping (as someone
mentioned) - I don't think there are any XRI-specific issues.

	-Gabe 

> -----Original Message-----
> From: Dave McAlpin [mailto:Dave.McAlpin@epok.net] 
> Sent: Tuesday, February 22, 2005 4:22 PM
> To: Drummond Reed; Sakimura, Nat; xri@lists.oasis-open.org; 
> gss-comment@lists.xdi.org
> Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
> Subject: RE: [xri] Homographic attacks
> 
> Section 7.5 of RFC 3987 (IRI) also offers helpful guidance. It suggests,
> for example, that components of an identifier should be made up of
> characters from a single script (with an exception for Japanese)
> because, "As long as names are limited to characters from a single
> script, native writers of a given script or language will know best when
> ambiguities can appear, and how they can be avoided.  What may look
> ambiguous to a stranger may be completely obvious to the average native
> user."
> 
> This doesn't fix tricks like "br0ken" and "1ame", but it does avoid
> international characters that look extremely similar to the reader's
> native script.
> 
> Dave
> 
> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> Sent: Tuesday, February 22, 2005 4:09 PM
> To: 'Sakimura, Nat'; xri@lists.oasis-open.org; 
> gss-comment@lists.xdi.org
> Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
> Subject: RE: [xri] Homographic attacks
> 
> Nat,
> 
> Very good points. I agree with you that we cannot and should not try to
> control this from the XRI specification standpoint - our job there is
> simply to warn about the security problem and we're doing that.
> 
> I also agree with your ultimate solution - we need it ASAP!
> 
> My question is, from the perspective of registry services like those
> XDI.ORG is planning, where realistically there is the option to institute
> a policy preventing registration of homographic characters right from
> the start, do you think this is a policy worth having?
> 
> It seems that there are two options for such a policy:
> 
> 1) Restricting the UCS character ranges that are allowed in registered
> strings (as recommended near the end of
> http://www.icann.org/committees/idn/idn-codepoint-paper.htm), or
> 
> 2) Not allowing the registration of "cross-script" strings whose UCS
> character ranges cross script boundaries (or at least requiring human
> review of such registrations).
> 
> The latter option seems that it might be a much more elegant way of
> eliminating much of the problem without the much harder analysis
> required to identify all potentially problematic UCS code points.
> 
> Do you agree?
> 
> =Drummond 
> 
> -----Original Message-----
> From: Sakimura, Nat [mailto:n-sakimura@nri.co.jp] 
> Sent: Monday, February 21, 2005 9:47 PM
> To: Drummond Reed; Dave McAlpin; xri@lists.oasis-open.org
> Cc: Adam C. Engst; glenn@glennf.com
> Subject: RE: [xri] Homographic attacks
> 
> Hi. 
> 
> I have written about this type of attack on my blog a while ago.
> Unfortunately, it is in Japanese :-)
> 
> Now, my question is, do you really want to go into this policing policy?
> 
> I do not. Not at least in the spec. This is a problem which should be
> coped with in another way.
> Remember: Not only is it difficult to list all look-alikes, a code point
> in a different language-font set looks completely different.
> 
> IMHO, this kind of spoofing attack is just revealing that the
> conventional Verisign type of certificate is certifying nothing but the
> certificate holder exists, and the certificate holder is the legitimate
> owner of that domain. Nothing less, nothing more.
> 
> To mitigate the current phishing problem, we need something else: a
> service that certifies this site really is the site owned by Bank A that
> you are dealing with. Actually, I am in the process of creating such a
> service.
>  
> 
> > -----Original Message-----
> > From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> > Sent: Tuesday, February 22, 2005 11:16 AM
> > To: 'Dave McAlpin'; xri@lists.oasis-open.org
> > Cc: 'Adam C. Engst'; glenn@glennf.com
> > Subject: RE: [xri] Homographic attacks
> > 
> > Dave, here's some revised text for the Security and Data Protection
> > section 3.5 (Spoofing) that adds more info about the type of attacks
> > Glenn was writing about. Feel free to edit and fold this into your O5
> > draft.
> > 
> > =Drummond 
> > 
> > ***START PROPOSED TEXT***
> > 
> > One particularly important security consideration is 
> > spoofing, covered both in [URI] and thoroughly in [IRI] 
> > Section 7.5, but deserving of repetition here. Spoofing is a 
> > semantic attack in which an XRI is deliberately constructed 
> > to deceive the user into believing it represents one resource 
> > when in fact it represents another. A common example is 
> > mixing script forms of multiple languages to create 
> > homographic characters (characters that look alike, even to 
> > the trained eye). A common example is the Latin "A", the 
> > Greek "Alpha", and the Cyrillic "A".
> > 
> > Spoofing has been used extensively in email "phishing" 
> > attacks. As more browsers add support for Internationalized 
> > Domain Names (IDN), it is also starting to be used in online 
> > web links ("pharming"), where not only are some users less 
> > suspicious of fraudulent Web addresses, but the attacker may 
> > even register a corresponding SSL/TLS certificate to make the 
> > fraudulent site look completely secure.
> > 
> > To help prevent this problem, XRI registries SHOULD institute 
> > policies preventing the registration of deceptive or 
> > homographic XRIs, and user agents that process XRIs SHOULD 
> > incorporate safeguards such as warning users when XRIs 
> > contain common homographic characters.
> > 
> > ***END***
> > 
> > -----Original Message-----
> > From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> > Sent: Monday, February 21, 2005 5:08 PM
> > To: Drummond Reed; xri@lists.oasis-open.org
> > Cc: Adam C. Engst; glenn@glennf.com
> > Subject: RE: [xri] Homographic attacks
> > 
> > This is already covered to some degree in section 3.5 of 
> > Syntax. Can you take a look at that section and see what's missing?
> > 
> > -----Original Message-----
> > From: Drummond Reed [mailto:drummond.reed@cordance.net]
> > Sent: Monday, February 21, 2005 5:05 PM
> > To: xri@lists.oasis-open.org
> > Cc: 'Adam C. Engst'; glenn@glennf.com
> > Subject: [xri] Homographic attacks
> > 
> > Peter et al:
> > 
> > As phishing continues on the rise, there is an excellent 
> > series of articles in TidBITs by Glenn Fleishman about 
> > "homograph" attacks where the attacker registers an 
> > international domain name that is - even to the trained eye -
> > undistinguishable from the real thing due to the fact that it 
> > uses Unicode characters that appear extremely similar to 
> > ASCII characters.
> > 
> > It's become serious enough that they are warning Firefox 
> > users to disable IDN until Firefox comes up with a fix.
> > 
> > I'm copying Adam and Glenn so they know that this is 
> > something the XRI TC is interested in helping prevent with 
> > XRIs. (Adam, Glenn, if you want to reply with more info, you 
> > can reply back to me and I'll forward to the list.)
> > 
> > Peter, I think we should mention this in the Security 
> > Considerations section of XRI Syntax.
> > 
> > =Drummond 
> > 
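
The single-script registration policy discussed in this thread (RFC 3987 Section 7.5, and option 2 in the quoted message), sketched as a registry-side check. This is an added example, not code from any participant or from the XRI TC. It assumes that a letter's script can be approximated by the first word of its Unicode character name, that labels are NFKC-normalized first, and that the Japanese exception means Han plus Hiragana plus Katakana; the function names and sample labels are constructed.

```python
import re
import unicodedata

# Assumption: the "exception for Japanese" is modelled as Han + kana.
JAPANESE = frozenset({"CJK", "HIRAGANA", "KATAKANA"})


def script_of(ch):
    """Approximate a letter's script from its Unicode character name.

    Returns None for digits, punctuation and other non-letters, which
    are shared between scripts and do not count toward mixing.
    """
    if not unicodedata.category(ch).startswith("L"):
        return None
    name = unicodedata.name(ch, "")
    # "CYRILLIC CAPITAL LETTER A" -> "CYRILLIC"; "KATAKANA-HIRAGANA ..." -> "KATAKANA"
    return re.split(r"[ -]", name)[0] if name else "UNKNOWN"


def review_registration(label):
    """Return (decision, scripts) for a requested registry label."""
    # Fold fullwidth/compatibility forms first so they are classified
    # by the character they stand for (an added step, not from the thread).
    label = unicodedata.normalize("NFKC", label)
    scripts = {s for s in map(script_of, label) if s is not None}
    if len(scripts) <= 1 or scripts <= JAPANESE:
        return "accept", sorted(scripts)
    # Cross-script label: refuse it or queue it for human review.
    return "review", sorted(scripts)


# Constructed sample labels; non-ASCII letters are written as escapes.
SAMPLES = [
    "alpha",                                       # all Latin
    "\u0410lpha",                                  # Cyrillic "A" + Latin
    "\u0391lpha",                                  # Greek "Alpha" + Latin
    "\u65e5\u672c\u8a9e\u306e\u30c6\u30b9\u30c8",  # Han + Hiragana + Katakana
    "br0ken",                                      # digit-for-letter, one script
]

if __name__ == "__main__":
    for label in SAMPLES:
        decision, scripts = review_registration(label)
        print(f"{label!r:24} {decision:7} {scripts}")
```

The last sample is accepted: as noted in the thread, a single-script rule does not address substitutions like "br0ken" that stay within one script.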
 



