Subject: RE: [xri] Homographic attacks


Yes, I'd agree, if that's the current consensus among Those Who Think
About This. I'd just be sure to say that it's unlikely that is the *only*
thing you should do.

	-Gabe

> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> Sent: Tuesday, February 22, 2005 4:40 PM
> To: Wachob, Gabe; 'Dave McAlpin'; 'Sakimura, Nat'; 
> xri@lists.oasis-open.org; gss-comment@lists.xdi.org
> Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
> Subject: RE: [xri] Homographic attacks
> 
> Gabe,
> 
> I agree with you wrt what the XRI specs can/should do. But it seems to me
> that at a minimum an XRI registry can/should safely adopt the policy Dave
> points out in Section 7.5 of RFC 3987 (IRI) about only allowing
> registrations in one script (except Japanese - Nat, care to elaborate on
> that one for us?)
> 
> Do you agree?
> 
> =Drummond 
> 
> -----Original Message-----
> From: Wachob, Gabe [mailto:gwachob@visa.com] 
> Sent: Tuesday, February 22, 2005 4:29 PM
> To: Dave McAlpin; Drummond Reed; Sakimura, Nat; 
> xri@lists.oasis-open.org;
> gss-comment@lists.xdi.org
> Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
> Subject: RE: [xri] Homographic attacks
> 
> I expect that there will be an IRI-level discussion of this and we should
> (when it happens) be able to refer folks there. I don't think we can
> realistically do more than point out the issue in our security section
> and expect people to use whatever best practices and guidelines are
> developed for IRIs in general.
> 
> In short, this is not a problem we can address at the XRI level, and I'm
> not even sure it's something that XRI registries should attempt to
> address until there's more discussion about this in the i18n and URI
> communities. This is something that will be addressed by best practices
> and maybe some rules about unicode character mapping (as someone
> mentioned) - I don't think there's any XRI-specific issues. 
> 
> 	-Gabe 
> 
> > -----Original Message-----
> > From: Dave McAlpin [mailto:Dave.McAlpin@epok.net] 
> > Sent: Tuesday, February 22, 2005 4:22 PM
> > To: Drummond Reed; Sakimura, Nat; xri@lists.oasis-open.org; 
> > gss-comment@lists.xdi.org
> > Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
> > Subject: RE: [xri] Homographic attacks
> > 
> > Section 7.5 of RFC 3987 (IRI) also offers helpful guidance. It suggests,
> > for example, that components of an identifier should be made up of
> > characters from a single script (with an exception for Japanese)
> > because, "As long as names are limited to characters from a single
> > script, native writers of a given script or language will know best when
> > ambiguities can appear, and how they can be avoided.  What may look
> > ambiguous to a stranger may be completely obvious to the average native
> > user."
> > 
> > This doesn't fix tricks like "br0ken" and "1ame", but it does avoid
> > international characters that look extremely similar to the reader's
> > native script.
> > 
> > Dave
> > 
> > -----Original Message-----
> > From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> > Sent: Tuesday, February 22, 2005 4:09 PM
> > To: 'Sakimura, Nat'; xri@lists.oasis-open.org; 
> > gss-comment@lists.xdi.org
> > Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
> > Subject: RE: [xri] Homographic attacks
> > 
> > Nat,
> > 
> > Very good points. I agree with you that we cannot and should not try to
> > control this from the XRI specification standpoint - our job there is
> > simply to warn about the security problem and we're doing that.
> > 
> > I also agree with your ultimate solution - we need it ASAP!
> > 
> > My question is, from the perspective of registry services like those
> > XDI.ORG is planning, where realistically there is the option to institute
> > a policy preventing registration of homographic characters right from
> > the start, do you think this is a policy worth having?
> > 
> > It seems that there are two options for such a policy:
> > 
> > 1) Restricting the UCS character ranges that are allowed in registered
> > strings (as recommended near the end of
> > http://www.icann.org/committees/idn/idn-codepoint-paper.htm), or
> > 
> > 2) Not allowing the registration of "cross-script" strings whose UCS
> > character ranges cross script boundaries (or at least requiring human
> > review of such registrations).
> > 
> > The latter option seems that it might be a much more elegant way of
> > eliminating much of the problem without the much harder analysis
> > required to identify all potentially problematic UCS code points.
> > 
> > Do you agree?
> > 
> > =Drummond 
> > 
> > -----Original Message-----
> > From: Sakimura, Nat [mailto:n-sakimura@nri.co.jp] 
> > Sent: Monday, February 21, 2005 9:47 PM
> > To: Drummond Reed; Dave McAlpin; xri@lists.oasis-open.org
> > Cc: Adam C. Engst; glenn@glennf.com
> > Subject: RE: [xri] Homographic attacks
> > 
> > Hi. 
> > 
> > I have written about this type of attack on my blog a while ago.
> > Unfortunately, it is in Japanese :-)
> > 
> > Now, my question is, do you really want to go into this policing policy?
> > 
> > I do not. Not at least in the spec. This is a problem which should be
> > coped with in another way. 
> > Remember: Not only is it difficult to list all look-alikes, a code point
> > in a different language-font set looks completely different. 
> > 
> > IMHO, this kind of spoofing attack is just revealing that the
> > conventional Verisign type of certificate is certifying nothing but that
> > the certificate holder exists, and the certificate holder is the
> > legitimate owner of that domain. Nothing less, nothing more. 
> > 
> > To mitigate the current Phishing problem, we need something else: a
> > service that certifies this site really is the site owned by Bank A that
> > you are dealing with. Actually, I am in the process of creating such
> > service. 
> >  
> > 
> > > -----Original Message-----
> > > From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> > > Sent: Tuesday, February 22, 2005 11:16 AM
> > > To: 'Dave McAlpin'; xri@lists.oasis-open.org
> > > Cc: 'Adam C. Engst'; glenn@glennf.com
> > > Subject: RE: [xri] Homographic attacks
> > > 
> > > Dave, here's some revised text for the Security and Data 
> > > Protection section 3.5 (Spoofing) that adds more info about the 
> > > type of attacks Glenn was writing about. Feel free to edit and 
> > > fold this into your O5 draft.
> > > 
> > > =Drummond 
> > > 
> > > ***START PROPOSED TEXT***
> > > 
> > > One particularly important security consideration is 
> > > spoofing, covered both in [URI] and thoroughly in [IRI] 
> > > Section 7.5, but deserving of repetition here. Spoofing is a 
> > > semantic attack in which an XRI is deliberately constructed 
> > > to deceive the user into believing it represents one resource 
> > > when in fact it represents another. A common example is 
> > > mixing script forms of multiple languages to create 
> > > homographic characters (characters that look alike, even to 
> > > the trained eye). A common example is the Latin "A", the 
> > > Greek "Alpha", and the Cyrillic "A".
> > > 
> > > Spoofing has been used extensively in email "phishing" 
> > > attacks. As more browsers add support for Internationalized 
> > > Domain Names (IDN), it is also starting to be used in online 
> > > web links ("pharming"), where not only are some users less 
> > > suspicious of fraudulent Web addresses, but the attacker may 
> > > even register a corresponding SSL/TLS certificate to make the 
> > > fraudulent site look completely secure.
> > > 
> > > To help prevent this problem, XRI registries SHOULD institute 
> > > policies preventing the registration of deceptive or 
> > > homographic XRIs, and user agents that process XRIs SHOULD 
> > > incorporate safeguards such as warning users when XRIs 
> > > contain common homographic characters.
> > > 
> > > ***END***
> > > 
> > > -----Original Message-----
> > > From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> > > Sent: Monday, February 21, 2005 5:08 PM
> > > To: Drummond Reed; xri@lists.oasis-open.org
> > > Cc: Adam C. Engst; glenn@glennf.com
> > > Subject: RE: [xri] Homographic attacks
> > > 
> > > This is already covered to some degree in section 3.5 of 
> > > Syntax. Can you take a look at that section and see 
> > > what's missing?
> > > 
> > > -----Original Message-----
> > > From: Drummond Reed [mailto:drummond.reed@cordance.net]
> > > Sent: Monday, February 21, 2005 5:05 PM
> > > To: xri@lists.oasis-open.org
> > > Cc: 'Adam C. Engst'; glenn@glennf.com
> > > Subject: [xri] Homographic attacks
> > > 
> > > Peter et al:
> > > 
> > > As phishing continues on the rise, there is an excellent 
> > > series of articles in TidBITs by Glenn Fleishman about 
> > > "homograph" attacks where the attacker registers an 
> > > international domain name that is - even to the trained eye - 
> > > indistinguishable from the real thing due to the fact that it 
> > > uses Unicode characters that appear extremely similar to 
> > > ASCII characters.
> > > 
> > > It's become serious enough that they are warning Firefox 
> > > users to disable IDN until Firefox comes up with a fix.
> > > 
> > > I'm copying Adam and Glenn so they know that this is 
> > > something the XRI TC is interested in helping prevent with 
> > > XRIs. (Adam, Glenn, if you want to reply with more info, you 
> > > can reply back to me and I'll forward to the list.)
> > > 
> > > Peter, I think we should mention this in the Security 
> > > Considerations section of XRI Syntax.
> > > 
> > > =Drummond 
> > > 
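The registry policy the thread converges on (RFC 3987 Section 7.5: accept a label only if its letters come from a single script, with an exception for Japanese, and otherwise reject it or route it to human review) can be checked mechanically at registration time. The following is an added example written for this archive page; it is not code from the XRI TC, XDI.ORG or any registry. Python's unicodedata module exposes no Script property, so the script of each character is approximated from the first word of its Unicode character name (an assumption, marked in the code; a production check would use the Unicode Scripts.txt data or ICU). Kana and CJK ideographs are grouped into one "JAPANESE" script to implement the exception. The samples are constructed and also show Dave's caveat: "br0ken" passes, because digits are script-neutral.

```python
import unicodedata

COMMON = "COMMON"        # digits, punctuation, symbols, separators, marks
JAPANESE = "JAPANESE"    # RFC 3987 7.5 exception: kana and kanji may mix
# Name prefixes folded into the JAPANESE group (assumption: CJK ideographs
# are treated as Japanese here; they are shared with Chinese and Korean).
JAPANESE_PREFIXES = ("HIRAGANA", "KATAKANA", "CJK")


def script_of(ch: str) -> str:
    """Approximate the Unicode script of one character.

    Assumption: the first word of the character name (LATIN, CYRILLIC,
    GREEK, HANGUL, ...) stands in for the real Script property, which
    unicodedata does not provide. Non-letters are reported as COMMON.
    """
    category = unicodedata.category(ch)
    if category[0] in "NPSZM":           # number, punct, symbol, separator, mark
        return COMMON
    name = unicodedata.name(ch, "")
    if not name:
        return "UNKNOWN"                 # unassigned or private-use code point
    first = name.split()[0]
    if first.startswith(JAPANESE_PREFIXES):
        return JAPANESE
    return first


def check_registration(label: str) -> tuple[bool, str]:
    """Apply the single-script policy to a candidate label.

    Returns (accepted, reason). NFKC normalisation runs first so that
    compatibility forms (e.g. fullwidth Latin letters) collapse to their
    base characters before the script test.
    """
    label = unicodedata.normalize("NFKC", label)
    scripts = {script_of(ch) for ch in label} - {COMMON}
    if "UNKNOWN" in scripts:
        return False, "unassigned or unnamed code point"
    if not scripts:
        return True, "single script: common characters only"
    if len(scripts) == 1:
        return True, "single script: " + next(iter(scripts))
    return False, "mixed scripts: " + ", ".join(sorted(scripts))


def foreign_characters(label: str, base: str = "LATIN") -> list[tuple[int, str, str, str]]:
    """List (index, char, script, name) for letters outside the base script.

    This is the report a reviewer would want for the "human review" option:
    it points at exactly which characters caused the mixed-script rejection.
    """
    label = unicodedata.normalize("NFKC", label)
    out = []
    for i, ch in enumerate(label):
        script = script_of(ch)
        if script not in (COMMON, base):
            out.append((i, ch, script, unicodedata.name(ch, "<unnamed>")))
    return out


# Constructed sample labels (not from the thread): the second uses a
# Cyrillic small a (U+0430) in place of the Latin a, the fourth is
# Tokyo Tower in kanji plus katakana, the fifth starts with Greek Alpha.
SAMPLES = [
    "paypal",
    "p\u0430ypal",
    "br0ken",
    "\u6771\u4eac\u30bf\u30ef\u30fc",
    "\u0391lpha",
]

if __name__ == "__main__":
    for label in SAMPLES:
        accepted, reason = check_registration(label)
        print(f"{label!r:28} {'ACCEPT' if accepted else 'REJECT':6} {reason}")
        for idx, ch, script, name in foreign_characters(label):
            print(f"    position {idx}: {ch!r} is {script} ({name})")
```

Running the block prints one verdict per sample; the Cyrillic-a and Greek-Alpha labels are rejected with the offending position named, while "paypal", "br0ken" and the Japanese label pass. The digit-based look-alikes Dave mentions are exactly what a script-based policy cannot see, so a registry adopting it still needs a separate confusable-character review for those.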