[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xri] Homographic attacks
Yes, I'd agree, if that's the current consensus among Those Who Think About This. I'd just be sure to say that it's unlikely that is the *only* thing you should do.

-Gabe

> -----Original Message-----
> From: Drummond Reed [mailto:drummond.reed@cordance.net]
> Sent: Tuesday, February 22, 2005 4:40 PM
> To: Wachob, Gabe; 'Dave McAlpin'; 'Sakimura, Nat'; xri@lists.oasis-open.org; gss-comment@lists.xdi.org
> Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
> Subject: RE: [xri] Homographic attacks
>
> Gabe,
>
> I agree with you wrt what the XRI specs can/should do. But it seems to me that at a minimum an XRI registry can/should safely adopt the policy Dave points out in Section 7.5 of RFC 3987 (IRI) about only allowing registrations in one script (except Japanese - Nat, care to elaborate on that one for us?)
>
> Do you agree?
>
> =Drummond
>
> -----Original Message-----
> From: Wachob, Gabe [mailto:gwachob@visa.com]
> Sent: Tuesday, February 22, 2005 4:29 PM
> To: Dave McAlpin; Drummond Reed; Sakimura, Nat; xri@lists.oasis-open.org; gss-comment@lists.xdi.org
> Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
> Subject: RE: [xri] Homographic attacks
>
> I expect that there will be an IRI-level discussion of this and we should (when it happens) be able to refer folks there. I don't think we can realistically do more than point out the issue in our security section and expect people to use whatever best practices and guidelines are developed for IRIs in general.
>
> In short, this is not a problem we can address at the XRI level, and I'm not even sure it's something that XRI registries should attempt to address until there's more discussion about this in the i18n and URI communities. This is something that will be addressed by best practices and maybe some rules about Unicode character mapping (as someone mentioned) - I don't think there are any XRI-specific issues.
>
> -Gabe
>
> > -----Original Message-----
> > From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> > Sent: Tuesday, February 22, 2005 4:22 PM
> > To: Drummond Reed; Sakimura, Nat; xri@lists.oasis-open.org; gss-comment@lists.xdi.org
> > Cc: Adam C. Engst; glenn@glennf.com; Peter C Davis
> > Subject: RE: [xri] Homographic attacks
> >
> > Section 7.5 of RFC 3987 (IRI) also offers helpful guidance. It suggests, for example, that components of an identifier should be made up of characters from a single script (with an exception for Japanese) because, "As long as names are limited to characters from a single script, native writers of a given script or language will know best when ambiguities can appear, and how they can be avoided. What may look ambiguous to a stranger may be completely obvious to the average native user."
> >
> > This doesn't fix tricks like "br0ken" and "1ame", but it does avoid international characters that look extremely similar to the reader's native script.
> >
> > Dave
> >
> > -----Original Message-----
> > From: Drummond Reed [mailto:drummond.reed@cordance.net]
> > Sent: Tuesday, February 22, 2005 4:09 PM
> > To: 'Sakimura, Nat'; xri@lists.oasis-open.org; gss-comment@lists.xdi.org
> > Cc: 'Adam C. Engst'; glenn@glennf.com; 'Peter C Davis'
> > Subject: RE: [xri] Homographic attacks
> >
> > Nat,
> >
> > Very good points. I agree with you that we cannot and should not try to control this from the XRI specification standpoint - our job there is simply to warn about the security problem and we're doing that.
> >
> > I also agree with your ultimate solution - we need it ASAP!
> >
> > My question is, from the perspective of registry services like those XDI.ORG is planning, where realistically there is the option to institute a policy preventing registration of homographic characters right from the start, do you think this is a policy worth having?
> >
> > It seems that there are two options for such a policy:
> >
> > 1) Restricting the UCS character ranges that are allowed in registered strings (as recommended near the end of http://www.icann.org/committees/idn/idn-codepoint-paper.htm), or
> >
> > 2) Not allowing the registration of "cross-script" strings whose UCS character ranges cross script boundaries (or at least requiring human review of such registrations).
> >
> > The latter option seems that it might be a much more elegant way of eliminating much of the problem without the much harder analysis required to identify all potentially problematic UCS code points.
> >
> > Do you agree?
> >
> > =Drummond
> >
> > -----Original Message-----
> > From: Sakimura, Nat [mailto:n-sakimura@nri.co.jp]
> > Sent: Monday, February 21, 2005 9:47 PM
> > To: Drummond Reed; Dave McAlpin; xri@lists.oasis-open.org
> > Cc: Adam C. Engst; glenn@glennf.com
> > Subject: RE: [xri] Homographic attacks
> >
> > Hi.
> >
> > I have written about this type of attack on my blog a while ago. Unfortunately, it is in Japanese :-)
> >
> > Now, my question is, do you really want to go into this policing policy?
> >
> > I do not. Not at least in the spec. This is a problem which should be coped with another way.
> > Remember: Not only is it difficult to list all look-alikes, a code point in a different language-font set looks completely different.
> >
> > IMHO, this kind of spoofing attack is just revealing that the conventional Verisign type of certificate is certifying nothing but that the certificate holder exists, and the certificate holder is the legitimate owner of that domain. Nothing less, nothing more.
> >
> > To mitigate the current phishing problem, we need something else: a service that certifies this site really is the site owned by Bank A that you are dealing with. Actually, I am in the process of creating such a service.
> >
> > > -----Original Message-----
> > > From: Drummond Reed [mailto:drummond.reed@cordance.net]
> > > Sent: Tuesday, February 22, 2005 11:16 AM
> > > To: 'Dave McAlpin'; xri@lists.oasis-open.org
> > > Cc: 'Adam C. Engst'; glenn@glennf.com
> > > Subject: RE: [xri] Homographic attacks
> > >
> > > Dave, here's some revised text for the Security and Data Protection section 3.5 (Spoofing) that adds more info about the type of attacks Glenn was writing about. Feel free to edit and fold this into your O5 draft.
> > >
> > > =Drummond
> > >
> > > ***START PROPOSED TEXT***
> > >
> > > One particularly important security consideration is spoofing, covered both in [URI] and thoroughly in [IRI] Section 7.5, but deserving of repetition here. Spoofing is a semantic attack in which an XRI is deliberately constructed to deceive the user into believing it represents one resource when in fact it represents another. A common example is mixing script forms of multiple languages to create homographic characters (characters that look alike, even to the trained eye). A common example is the Latin "A", the Greek "Alpha", and the Cyrillic "A".
> > >
> > > Spoofing has been used extensively in email "phishing" attacks. As more browsers add support for Internationalized Domain Names (IDN), it is also starting to be used in online web links ("pharming"), where not only are some users less suspicious of fraudulent Web addresses, but the attacker may even register a corresponding SSL/TLS certificate to make the fraudulent site look completely secure.
> > >
> > > To help prevent this problem, XRI registries SHOULD institute policies preventing the registration of deceptive or homographic XRIs, and user agents that process XRIs SHOULD incorporate safeguards such as warning users when XRIs contain common homographic characters.
> > >
> > > ***END***
> > >
> > > -----Original Message-----
> > > From: Dave McAlpin [mailto:Dave.McAlpin@epok.net]
> > > Sent: Monday, February 21, 2005 5:08 PM
> > > To: Drummond Reed; xri@lists.oasis-open.org
> > > Cc: Adam C. Engst; glenn@glennf.com
> > > Subject: RE: [xri] Homographic attacks
> > >
> > > This is already covered to some degree in section 3.5 of Syntax. Can you take a look at that section and see what's missing?
> > >
> > > -----Original Message-----
> > > From: Drummond Reed [mailto:drummond.reed@cordance.net]
> > > Sent: Monday, February 21, 2005 5:05 PM
> > > To: xri@lists.oasis-open.org
> > > Cc: 'Adam C. Engst'; glenn@glennf.com
> > > Subject: [xri] Homographic attacks
> > >
> > > Peter et al:
> > >
> > > As phishing continues on the rise, there is an excellent series of articles in TidBITS by Glenn Fleishman about "homograph" attacks where the attacker registers an international domain name that is - even to the trained eye - indistinguishable from the real thing due to the fact that it uses Unicode characters that appear extremely similar to ASCII characters.
> > >
> > > It's become serious enough that they are warning Firefox users to disable IDN until Firefox comes up with a fix.
> > >
> > > I'm copying Adam and Glenn so they know that this is something the XRI TC is interested in helping prevent with XRIs. (Adam, Glenn, if you want to reply with more info, you can reply back to me and I'll forward to the list.)
> > >
> > > Peter, I think we should mention this in the Security Considerations section of XRI Syntax.
> > >
> > > =Drummond
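The registry policy the thread converges on (the RFC 3987 Section 7.5 single-script rule with the Japanese exception, which Drummond proposes as option 2), together with Gabe's caveat that it should not be the only check and Dave's note that "br0ken"-style tricks slip through, as an added example that is not part of this thread and not code from any XRI registry. It stands in for the Unicode Script property with a small hand-built table of code point ranges and for the confusables data with a handful of Cyrillic and Greek letters that render like Latin ones; those two tables, the function names, and the sample labels are all my assumptions, constructed for illustration.

```python
import unicodedata

# Constructed subset of the Unicode Script property: code point ranges for the
# scripts mentioned in the thread. A real registry would load Scripts.txt
# instead of this hand-built table (assumption).
SCRIPT_RANGES = [
    (0x0041, 0x005A, "Latin"),
    (0x0061, 0x007A, "Latin"),
    (0x00C0, 0x024F, "Latin"),     # Latin-1 Supplement and Latin Extended-A/B
    (0x0370, 0x03FF, "Greek"),
    (0x0400, 0x04FF, "Cyrillic"),
    (0x3040, 0x309F, "Hiragana"),
    (0x30A0, 0x30FF, "Katakana"),
    (0x4E00, 0x9FFF, "Han"),
]

# The Japanese exception from RFC 3987 Section 7.5: ordinary Japanese text
# mixes three scripts, so that particular combination is allowed.
JAPANESE = {"Hiragana", "Katakana", "Han"}

# Constructed subset of the confusables data: non-Latin letters that look like
# a Latin letter in common fonts, mapped to the Latin letter they imitate.
LATIN_LOOKALIKES = {
    "\u0391": "A", "\u0410": "A",                  # Greek Alpha, Cyrillic A
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic small letters
    "\u0440": "p", "\u0441": "c", "\u0443": "y", "\u0445": "x",
    "\u03bf": "o",                                 # Greek small omicron
}


def script_of(ch):
    """Script name for one character; digits, punctuation, symbols and
    whitespace are 'Common' and do not count toward script mixing."""
    if unicodedata.category(ch)[0] in "NPZS":
        return "Common"
    cp = ord(ch)
    for lo, hi, name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Unknown"


def scripts_in(label):
    """Set of real scripts a label uses, ignoring Common characters."""
    return {script_of(c) for c in label} - {"Common"}


def is_single_script(label):
    """True if the label uses one script, or only the Japanese combination."""
    scripts = scripts_in(label)
    return len(scripts) <= 1 or scripts <= JAPANESE


def latin_lookalike(label):
    """If every character is Latin, Common, or a known Latin lookalike, and at
    least one lookalike is present, return the all-Latin string a reader would
    see. Otherwise None: the label cannot pass for a Latin name as a whole."""
    seen_lookalike = False
    out = []
    for ch in label:
        if ch in LATIN_LOOKALIKES:
            out.append(LATIN_LOOKALIKES[ch])
            seen_lookalike = True
        elif script_of(ch) in ("Latin", "Common"):
            out.append(ch)
        else:
            return None
    return "".join(out) if seen_lookalike else None


def check_registration(label):
    """Registry-side policy check: NFKC-normalize first (so fullwidth forms
    fold to ASCII), then apply the single-script rule and the lookalike rule."""
    normalized = unicodedata.normalize("NFKC", label)
    single = is_single_script(normalized)
    lookalike = latin_lookalike(normalized)
    return {
        "normalized": normalized,
        "scripts": scripts_in(normalized),
        "single_script": single,
        "latin_lookalike": lookalike,
        "accept": single and lookalike is None,
    }


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real registry.
    samples = [
        "paypal",                    # plain ASCII
        "p\u0430ypal",               # Cyrillic 'a' inside a Latin word: mixed scripts
        "\u0441\u043e\u0440\u0435",  # all-Cyrillic, yet reads as Latin "cope"
        "\u3072\u3089\u304c\u306a\u30ab\u30bf\u30ab\u30ca",  # hiragana + katakana
        "br0ken",                    # digit zero: the script rule cannot see it
        "\uff50\uff41ypal",          # fullwidth p and a, folded by NFKC
    ]
    for s in samples:
        print(repr(s), check_registration(s))
```

The single-script rule rejects the mixed "p\u0430ypal" but accepts the all-Cyrillic "\u0441\u043e\u0440\u0435", which a Latin reader sees as "cope"; only the second, lookalike-based check catches that, which is the point of Gabe's "not the only thing you should do". The digit in "br0ken" is Common and passes both rules, as Dave warns.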