CPNI - Centre for the Protection of National Infrastructure

February 2005

AUSCERT ALERT - AL-2005.003 - Multiple web browser homographic address spoofing vulnerability

ID: 00109
Ref: 94/2005
Date: 08 February 2005:14:59:04
Version: 1

Title: AUSCERT ALERT - AL-2005.003 - Multiple web browser homographic address spoofing vulnerability
Abstract:
Vendors affected: AusCERT
Operating systems affected: AusCERT
Applications affected: AusCERT

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================


AL-2005.003 -- AUSCERT ALERT
Multiple web browser homographic address spoofing vulnerability
8 February 2005

===========================================================================

AusCERT Alert Summary
---------------------

Product:           Camino
                   Internet Explorer (with plugins)
                   Mozilla
                   Mozilla Firefox
                   Opera
                   Safari
Operating System:  Windows
                   Linux variants
                   UNIX variants
                   Mac OS X
Impact:            Provide Misleading Information
Access:            Remote/Unauthenticated

- - --------------------------BEGIN INCLUDED TEXT--------------------

SUMMARY:

International Domain Names (IDN) [1] allow the inclusion of extended
character sets in a web address. A malicious user may register a
fraudulent domain name similar to a legitimate name but substituting
similar international characters in place of others. This fraudulent
domain may look highly convincing to a web browser user.

A proof of concept [2] has been released by The Shmoo Group to
demonstrate this vulnerability along with their advisory [3].

IMPACT:

The credibility of fraudulent web sites would be significantly enhanced
by the use of a similar-looking (homographic) domain name using
international characters.

The proof of concept developed for this vulnerability shows that an SSL
certificate can also be employed to increase the credibility of the
fraudulent website. Since the attacker has full control of the domain,
an SSL certificate registered for it may also be signed by a certifying
authority trusted by the user's web browser.

All browsers with IDN support are exploitable using this method. The
vulnerability does not lie with these browsers themselves, but rather
is a side effect of international characters resembling standard
English language characters.

MITIGATION:

Exposure and mitigations for popular web browsers are listed below:

Internet Explorer:
    does not support IDN by default. IDN support is available via
    Internet Explorer plugins such as those listed by Microsoft [4].

Mozilla and Mozilla Firefox:
    IDN can be disabled by typing 'about:config' into the address bar,
    and setting the value 'network.enableIDN' to false.

Opera:
    according to The Shmoo Group, Opera have stated that "They
    believe they have correctly implemented IDN, and will not be
    making any changes."

Safari:
    no vendor comment to date.

For all browsers, it is advisable to not click on any links provided
in email messages. If a user wishes to follow a link in an email it
is best to type the address into the web browser by hand.
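
One way a mail gateway or proxy could flag the look-alike names described
above, as an added example that is not part of the AusCERT alert: it reports
each label's ASCII (punycode) wire form and the scripts the label mixes. The
function names and the sample hostname are constructed for illustration, and
script detection by Unicode character name is an approximation.

```python
import unicodedata

def label_scripts(label):
    """Approximate the scripts in one DNS label by the first word of each
    letter's Unicode character name (LATIN, CYRILLIC, GREEK, ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_hostname(host):
    """Return one finding per label: Unicode form, ASCII wire form,
    scripts used, and a verdict."""
    findings = []
    for label in host.lower().rstrip(".").split("."):
        try:
            # A link may already carry the encoded form; decode it so the
            # same script check applies to what the user would see.
            if label.startswith("xn--"):
                label = label.encode("ascii").decode("idna")
            wire = label.encode("idna").decode("ascii")
        except UnicodeError:
            wire = None  # not a valid IDNA label
        scripts = label_scripts(label)
        if wire is None:
            verdict = "invalid"
        elif len(scripts) > 1:
            verdict = "mixed-script"   # e.g. Latin letters plus one Cyrillic
        elif not label.isascii():
            verdict = "non-ascii"      # single script, still worth showing
        else:
            verdict = "ascii"
        findings.append({"label": label, "wire": wire,
                         "scripts": sorted(scripts), "verdict": verdict})
    return findings

def is_suspicious(host):
    """True when any label mixes scripts or fails IDNA encoding."""
    return any(f["verdict"] in ("mixed-script", "invalid")
               for f in inspect_hostname(host))

# Constructed sample: "example" with Cyrillic U+0430 in place of Latin "a".
GENUINE = "www.example.com"
SPOOF = "www.ex\u0430mple.com"

if __name__ == "__main__":
    for host in (GENUINE, SPOOF):
        for f in inspect_hostname(host):
            print(host.encode("unicode_escape").decode(), f)
        print("suspicious:", is_suspicious(host))
```

Displaying the `wire` value instead of the rendered label makes the
substitution visible even when the two names look identical on screen.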

REFERENCES:

[1] http://www.w3.org/International/articles/idn-and-iri/
[2] http://www.shmoo.com/idn/
[3] http://www.shmoo.com/idn/homograph.txt
[4] http://support.microsoft.com/?kbid=842848

- - --------------------------END INCLUDED TEXT--------------------

- -----END PGP SIGNATURE-----