Re: [xri] GCS Spoofing

[William Tan <wil@dready.org>]

Hi Chetan and Nat,

The IRI specification does not really address the issue, but points to 
the URI layer for security considerations. IDNs could appear in the 
ireg-name part of an IRI, which does not restrict the character set any 
further than what is allowed in IDNA.

The IDNA specifications has taken precautionary steps to avoid the 
period character being spoofed by requiring implementations fold the 
period-like characters to U+002D. However, IDNA does not preclude other 
IRI/URI syntax character homographs from being used. Therefore, the 
slash homograph problem was a difficult one because it poses a serious 
threat and yet was not prohibited at the specification level. Browser 
vendors (at least Opera) made the decision to prohibit the code point 
entirely.

Here are some of the possible courses of actions that we could take:

1. Someone Else's Problem - keep the syntax specifications simple and 
clean, and leave it to client applications to map the characters and 
detect spoofing attempts.

2. Similar to the above but make detailed recommendations in the 
specification, with specific guidelines on how clients can deal with the 
issues.

3. Change the "iunreserved" range of the syntax specs to remove the GCS 
character homographs. What implications does this have? An alternative 
might be to change the "rgcs-char" production to include the homographs 
and require that the application perform an additional step to map the 
homographs to the base GCS character?

We need to keep in mind that doing #3 means that we are preventing an 
otherwise legal IRI from being properly converted from XRI to IRI, 
because the homograph would be %-encoded in XRI-normal form, with the 
'%' further encoded when transforming to IRI.


wil.


Sakimura, Nat wrote:
> Actually, when it comes to internationalized characters, there are whole
> bunch of possibility on Visual-Look-Alike base spoofing. Forcing NFKC
> normalization would ease the problem a bit, but far from completely.
> IMHO, it has to be dealt with trust and reputation mechanism being
> coupled with client side support for the user so that user can view the
> trust level easily. 
>
> Nat 
>
>   
>> -----Original Message-----
>> From: Chetan Sabnis [mailto:chetan.sabnis@epok.net] 
>> Sent: Friday, September 16, 2005 11:30 PM
>> Cc: xri@lists.oasis-open.org
>> Subject: Re: [xri] GCS Spoofing
>>
>>
>> Great find.  I think the TC needs to address this in order 
>> for XRIs to be used as links in an email, as URIs would be 
>> used in an email today.  
>> The authority accessed by the resource needs to be be 
>> well-understood based on looking at the XRI if XRIs are 
>> indeed intended for human viewing.  I think this is not a 
>> GCS-only issue.  It certainly seems like the potential is 
>> there to spoof authorities in private cross-reference domains as well.
>>
>> Forgive my ignorance, but does the IRI spec address this?  It 
>> seems like there might be some guidance there.
>>
>> Chetan
>>
>> William Tan wrote:
>>
>>     
>>> The ABNF for XRI accommodates two types of authority: XRI authority 
>>> and IRI authority.
>>> An XRI authority must begin with a GCS character: "!", "=", 
>>>       
>> "@", "+" 
>>     
>>> or "$". However, if the XRI reference begins with a 
>>>       
>> character that is 
>>     
>>> visually indistinguishable from one of the GCS characters, and the 
>>> code point is allowed in the the "iunreserved" production, 
>>>       
>> a machine 
>>     
>>> processor would treat it as an IRI authority. This may be a 
>>>       
>> cause for 
>>     
>>> concern since it opens the door for spoofing. For example, 
>>>       
>> an actual 
>>     
>>> XRI may be: xri://@paypal*services/send-money
>>>
>>> and it could be spoofed (although not exactly) by using:
>>>
>>> xri://@paypal*services/send-money/sub.bad-domain.com/trustme.html
>>>
>>> And the "@" sign above is U+FE6B (small commercial at), "*" 
>>>       
>> is U+FE61 
>>     
>>> (small asterisk), and the 4th and 5th "/" are U+2215 
>>>       
>> (division slash).
>>     
>>> In effect, the XRI would be interpreted as having an IRI 
>>>       
>> authority (an
>>     
>>> IDN) of: "@paypal*services/send-money/sub.bad-domain.com". This is 
>>> possible largely because IDNA allows the slash-like character in an 
>>> IDN label, giving rise to the possibility of syntax spoofing. And 
>>> because sub domains appear to right of their parent domains, the 
>>> malicious domain can be created as a third (or higher) level sub 
>>> domain so that it is outside of the registry's control.
>>>
>>> This is merely a subclass of syntax spoofing homograph 
>>>       
>> attacks on IDN 
>>     
>>> which applies to XRIs.
>>>
>>> I'm not sure where is the best place to address it, or if it would 
>>> even be deemed a problem that the XRI TC would want to solve. If we 
>>> do, there are at least ways to go about fixing it, at the 
>>>       
>> syntax level 
>>     
>>> (i.e. by mapping or limiting the use of GCS characters) or as a 
>>> recommendation for XRI clients to disallow or warn the user of 
>>> GCS-like characters appearing at the beginning of an XRI reference.
>>>
>>> wil.
>>>
>>>
>>>       
>> ---------------------------------------------------------------------
>>     
>>> To unsubscribe from this mail list, you must leave the 
>>>       
>> OASIS TC that 
>>     
>>> generates this mail.  You may a link to this group and all 
>>>       
>> your TCs in 
>>     
>>> OASIS
>>> at:
>>>
>>>       
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe from this mail list, you must leave the OASIS 
>> TC that generates this mail.  You may a link to this group 
>> and all your TCs in OASIS
>> at:
>> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgr
>> oups.php 
>>
>>
>>     
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may a link to this group and all your TCs in OASIS
> at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php 
>
>
>