RE: [xri] Homographic attacks

["Sakimura, Nat" <n-sakimura@nri.co.jp>]

Hi. 

I have written about this type of attack on my blog a while ago.
Unfortunately, it is in Japanese :-)

Now, my question is, do you really want to go into this policing policy?

I do not. Not at least in the spec. This is a problem which should be
coped by another way. 
Remeber: Not only it is difficult to list all look alikes, a code point
in a different language-font 
set looks completely different. 

IMHO, this kind of spoofing attack is just revelaing that the
conventional Verisign type of 
certificate is certifying nothing but the certificate holder exists, and
the certificate holder 
is the regitimate owner of that domain. Nothing less, nothing more. 

To mitigate the current Phishing problem, we need something else: a
service that certifies 
this site realy is the site owned by Bank A that you are dealing with.
Actually, I am in the 
process of creating such service. 
 

> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> Sent: Tuesday, February 22, 2005 11:16 AM
> To: 'Dave McAlpin'; xri@lists.oasis-open.org
> Cc: 'Adam C. Engst'; glenn@glennf.com
> Subject: RE: [xri] Homographic attacks
> 
> Dave, here's some revised text for the Security and Data 
> Protection section
> 3.5 (Spoofing) that adds more info about the type of attacks 
> Glenn was writing about. Feel free to edit and fold this into 
> your the O5 draft.
> 
> =Drummond 
> 
> ***START PROPOSED TEXT***
> 
> One particularly important security consideration is 
> spoofing, covered both in [URI] and thoroughly in [IRI] 
> Section 7.5, but deserving of repetition here. Spoofing is a 
> semantic attack in which an XRI is deliberately constructed 
> to deceive the user into believing it represents one resource 
> when it fact it represents another. A common example is using 
> mixing script forms of multiple languages to create 
> homographic characters (characters that look alike, even to 
> the trained eye). A common example is the Latin "A", the 
> Greek "Alpha", and the Cyrillic "A".
> 
> Spoofing has been used extensively in email "phishing" 
> attacks. As more browsers add support for Internationalized 
> Domain Names (IDN), it is also starting to be used in online 
> web links ("pharming"), where not only are some users less 
> suspicious of fraudelent Web addresses, but the attacker may 
> even register a corresponding SSL/TLS certificate to make the 
> fradulent site look completely secure.
> 
> To help prevent this problem, XRI registries SHOULD institute 
> policies preventing the registration of deceptive or 
> homographic XRIs, and user agents that process XRIs SHOULD 
> incorporate safeguards such as warning users when XRIs 
> contain common homographic characters.
> 
> ***END***
> 
> -----Original Message-----
> From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> Sent: Monday, February 21, 2005 5:08 PM
> To: Drummond Reed; xri@lists.oasis-open.org
> Cc: Adam C. Engst; glenn@glennf.com
> Subject: RE: [xri] Homographic attacks
> 
> This is already covered to some degree in section 3.5 of 
> Syntax. Can you take a look at that section and see what's missing?
> 
> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net]
> Sent: Monday, February 21, 2005 5:05 PM
> To: xri@lists.oasis-open.org
> Cc: 'Adam C. Engst'; glenn@glennf.com
> Subject: [xri] Homographic attacks
> 
> Peter et al:
> 
> As phishing continues on the rise, there is an excellent 
> series of articles in TidBITs by Glenn Fleishman about 
> "homograph" attacks where the attacker registers an 
> international domain name that is - even to the trained eye
> -
> undistinguishable from the real thing due to the fact that it 
> uses Unicode characters that are appear extremely similar to 
> ASCII characters.
> 
> It's become serious enough that they are warning Firefox 
> users to disable IDN until Firefox comes up with a fix.
> 
> I'm copying Adam and Glenn so they know that this is 
> something the XRI TC is interested in helping prevent with 
> XRIs. (Adam, Glenn, if you want to reply with more info, you 
> can reply back to me and I'll forward to the list.)
> 
> Peter, I think we should mention this in the Security 
> Considerations section of XRI Syntax.
> 
> =Drummond 
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/xri/members/leave
> _workgroup
> .php.
> 
> 
> -- 
> 
> Checked by AVG Anti-Virus.
> Version: 7.0.305 / Virus Database: 266.1.0 - Release Date: 2/18/2005
>  
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/xri/members/leave
> _workgroup.php.
> 
>