OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xri] Homographic attacks


Section 7.5 of RFC 3987 (IRI) also offers helpful guidance. It suggests,
for example, that components of an identifier should be made up of
characters from a single script (with an exception for Japanese)
because, "As long as names are limited to characters from a single
script, native writers of a given script or language will know best when
ambiguities can appear, and how they can be avoided.  What may look
ambiguous to a stranger may be completely obvious to the average native
user."

This doesn't fix tricks like "br0ken" and "1ame", but it does avoid
international characters that look extremely similar to the reader's
native script.

Dave

-----Original Message-----
From: Drummond Reed [mailto:drummond.reed@cordance.net] 
Sent: Tuesday, February 22, 2005 4:09 PM
To: 'Sakimura, Nat'; xri@lists.oasis-open.org; gss-comment@lists.xdi.org
Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
Subject: RE: [xri] Homographic attacks

Nat,

Very good points. I agree with you that we cannot and should not try to
control this from the XRI specification standpoint - our job there is
simply
to warn about the security problem and we're doing that.

I also agree with your ultimate solution - we need it ASAP!

My question is, from the perspective of registry services like those
XDI.ORG
is planning, where realistically there is the option to institute a
policy
preventing registration of homographic characters right from the start,
do
you think this is a policy worth having?

It seems that there are two options for such a policy:

1) Restricting the UCS character ranges that are allowed in registrated
strings (as recommended near the end of
http://www.icann.org/committees/idn/idn-codepoint-paper.htm), or

2) Not allowing the registration of "cross-script" strings whose UCS
character ranges cross script boundaries (or at least requiring human
review
of such registrations).

The latter option seems that it might be a much more elegant way of
eliminating much of the problem without the much harder analysis
required to
identify all potentially problematic UCS code points.

Do you agree?

=Drummond 

-----Original Message-----
From: Sakimura, Nat [mailto:n-sakimura@nri.co.jp] 
Sent: Monday, February 21, 2005 9:47 PM
To: Drummond Reed; Dave McAlpin; xri@lists.oasis-open.org
Cc: Adam C. Engst; glenn@glennf.com
Subject: RE: [xri] Homographic attacks

Hi. 

I have written about this type of attack on my blog a while ago.
Unfortunately, it is in Japanese :-)

Now, my question is, do you really want to go into this policing policy?

I do not. Not at least in the spec. This is a problem which should be
coped by another way. 
Remeber: Not only it is difficult to list all look alikes, a code point
in a different language-font 
set looks completely different. 

IMHO, this kind of spoofing attack is just revelaing that the
conventional Verisign type of 
certificate is certifying nothing but the certificate holder exists, and
the certificate holder 
is the regitimate owner of that domain. Nothing less, nothing more. 

To mitigate the current Phishing problem, we need something else: a
service that certifies 
this site realy is the site owned by Bank A that you are dealing with.
Actually, I am in the 
process of creating such service. 
 

> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net] 
> Sent: Tuesday, February 22, 2005 11:16 AM
> To: 'Dave McAlpin'; xri@lists.oasis-open.org
> Cc: 'Adam C. Engst'; glenn@glennf.com
> Subject: RE: [xri] Homographic attacks
> 
> Dave, here's some revised text for the Security and Data 
> Protection section
> 3.5 (Spoofing) that adds more info about the type of attacks 
> Glenn was writing about. Feel free to edit and fold this into 
> your the O5 draft.
> 
> =Drummond 
> 
> ***START PROPOSED TEXT***
> 
> One particularly important security consideration is 
> spoofing, covered both in [URI] and thoroughly in [IRI] 
> Section 7.5, but deserving of repetition here. Spoofing is a 
> semantic attack in which an XRI is deliberately constructed 
> to deceive the user into believing it represents one resource 
> when it fact it represents another. A common example is using 
> mixing script forms of multiple languages to create 
> homographic characters (characters that look alike, even to 
> the trained eye). A common example is the Latin "A", the 
> Greek "Alpha", and the Cyrillic "A".
> 
> Spoofing has been used extensively in email "phishing" 
> attacks. As more browsers add support for Internationalized 
> Domain Names (IDN), it is also starting to be used in online 
> web links ("pharming"), where not only are some users less 
> suspicious of fraudelent Web addresses, but the attacker may 
> even register a corresponding SSL/TLS certificate to make the 
> fradulent site look completely secure.
> 
> To help prevent this problem, XRI registries SHOULD institute 
> policies preventing the registration of deceptive or 
> homographic XRIs, and user agents that process XRIs SHOULD 
> incorporate safeguards such as warning users when XRIs 
> contain common homographic characters.
> 
> ***END***
> 
> -----Original Message-----
> From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> Sent: Monday, February 21, 2005 5:08 PM
> To: Drummond Reed; xri@lists.oasis-open.org
> Cc: Adam C. Engst; glenn@glennf.com
> Subject: RE: [xri] Homographic attacks
> 
> This is already covered to some degree in section 3.5 of 
> Syntax. Can you take a look at that section and see what's missing?
> 
> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net]
> Sent: Monday, February 21, 2005 5:05 PM
> To: xri@lists.oasis-open.org
> Cc: 'Adam C. Engst'; glenn@glennf.com
> Subject: [xri] Homographic attacks
> 
> Peter et al:
> 
> As phishing continues on the rise, there is an excellent 
> series of articles in TidBITs by Glenn Fleishman about 
> "homograph" attacks where the attacker registers an 
> international domain name that is - even to the trained eye
> -
> undistinguishable from the real thing due to the fact that it 
> uses Unicode characters that are appear extremely similar to 
> ASCII characters.
> 
> It's become serious enough that they are warning Firefox 
> users to disable IDN until Firefox comes up with a fix.
> 
> I'm copying Adam and Glenn so they know that this is 
> something the XRI TC is interested in helping prevent with 
> XRIs. (Adam, Glenn, if you want to reply with more info, you 
> can reply back to me and I'll forward to the list.)
> 
> Peter, I think we should mention this in the Security 
> Considerations section of XRI Syntax.
> 
> =Drummond 
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/xri/members/leave
> _workgroup
> .php.
> 
> 
> -- 
> 
> Checked by AVG Anti-Virus.
> Version: 7.0.305 / Virus Database: 266.1.0 - Release Date: 2/18/2005
>  
> 
> 
> 
> To unsubscribe from this mailing list (and be removed from 
> the roster of the OASIS TC), go to 
> http://www.oasis-open.org/apps/org/workgroup/xri/members/leave
> _workgroup.php.
> 
> 



To unsubscribe from this mailing list (and be removed from the roster of
the OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xri/members/leave_workgroup
.php.


-- 

Checked by AVG Anti-Virus.
Version: 7.0.305 / Virus Database: 266.4.0 - Release Date: 2/22/2005
 


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]