Sorting it all Out : Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:10 AM Michael S. Kaplan

Almost no one on the Unicode List seems to "get" phishing

The Unicode List is up to its old fun and games again (well, actually its the participants, not the list itself), and this time it is not about the Unicode BOM.

I talked a little about this problem when I was saying International Domain Names? The sign on the door says 'Gone Phishing'....

Then some people started really getting into it because a bunch of hackers "found" a homograph spoofing issue. They even registered an evil URL (www.pаypal.com -- the first "a" is U+0430, a CYRILLIC SMALL LETTER A) which in browsers that support the new IDN/punycode stuff becomes www.xn--pypal-4ve.com.

Then those folks at the Unicode List weighed in (in a thread with 116 posts the last time I looked)....

The "solution" that many people have touted involves a list of common cross-script items that might be expected (like Kana and Kanji). And then to show the actual punycode names, since that way people could tell they were being spoofed.

Anyone else see the flaw here?

The feature is for international domain names. If it were just ASCII then a confusing string would indeed warn users that bad things were going to happen. But if we were all using ASCII we wouldn't need IDN in the first place, now would we?

Doesn't it make the whole feature suck just a little bit for its target users if they are left seeing eird crap every time they go to a site that uses their native language for the URL?

I almost weighed into the thread to point out the obvious problems in approach but I did not want to add to the noise (and most likely be drowned out by the people who point out that there is no way to make it secure and how IDN will bring down the internet). So I did not become post #117.

Oops, a few more while I was typing this, mine would have been #120. Sometimes in this post-Kitty Genovese era in which we all live, it is better to not get involved....

This post brought to you by "а" (U+0430, a.k.a. CYRILLIC SMALL LETTER A)
A letter that is feeling quite popular these days and which would like to point out that this site is not ВӀоgs.Мsdn.соm/miсhкар no matter what the URL looks like...

Filed under: Potpourri, Unicode/standards

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:25 AM by matt

I have absolutely no desire to receive email from or do business with anyone outside of the US. Give me the ability to filter out anything that does not originate from a specific country or region and I'll be happy. This includes 3rd party web sites and visitors/traffic to my web site.

The average person simply does not need to be able to receive email from someone in Russia or Venezuela. By filtering everyting that does not originate in the US, you greatly reduce your attack surface.

Give me a RELIABLE way to do this and the whole IDN thing becomes a non-issue.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:28 AM by Michael Kaplan

Well, that is great for you. But how about the rest of the world?

"We are not alone anymore" (and I do not mean that in an X-Files sense!)

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:31 AM by Kristoffer Henriksson

That fixes nothing Matt; the fake paypal address could just as easily have been sent from inside the US.

All this shows is that IDN is poorly thought out and you need to turn off support for it in your browser for the foreseeable future.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:55 AM by Frank Richter

Hm, AFAIK the entered IDN is normalized before converted to Punycode (e.g. ß becomes ss)... couldn't mappings be added that map identically looking characters to the same code point (e.g. the small cyrillic a would get mapped to the plain old ASCII small a), for anti-phishing purposes?

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:57 AM by CN

I think we have two problems here:

a) "Cross-scripting", when individual letters/symbols are replaced by their homographs in another script to fit in. The current paypal address is an example of that.

b) When the complete domain name is represented in another script, while maintaining homography.

Something like the cross item list you mention could solve a -- limit which character groups may appear in one domain. www.<strangestuff>.com should be allowed, while www.pa<strangestuff>pal.com should not.

This would alleviate the problem a little. It does certainly not solve it, because of b and also because of
c) íìïîı, or for example â in languages where you're used to seeing å (and have a shitty non-ClearType, low resolution, small size display and simply don't look closely)

I don't see any easy ways out of this. One could speculate about a highligthing in the browser, in addition to the site security, of whether the site is in the browsing history. Hopefully, you're more careful if you log in for the first time and create your account or are setting up a new machine, while a phishing attack trying to get you to key in your account info would give a somehow distinctly different "experience" to the user.

After all, highlighting of that a site that has already been visited has been around for ages for LINKS to said sites, adding it prominently in the browser UI could improve things.

Just some stray thoughts, I know this is far from both the Unicode list and your field of direct interest.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 10:29 AM by Igor Tandetnik

"e.g. the small cyrillic a would get mapped to the plain old ASCII small a), for anti-phishing purposes?"

That would mean that I can't go and register река.com (река (pronounced re-'kah) means river in Russian) since peka.com (with all Latin characters) is already taken. That would create inconvenience for anybody trying to register an IDN, and also open up new possibilities for squatting (what if I register my IDN first, before you get the chance to register all-Latin domain name?)

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 10:45 AM by Igor Tandetnik

For a concrete example of point b, "paypal" can more or less convincingly be represented as "раура1" - that's five Cyrillic letters and a digit 'one'. With some fonts, you'll have a hard time telling the difference.

Here is the list of Cyrillic letters that look similar to some Latin ones - have fun finding sites that could be spoofed:
а е з к о р с у х
In addition to these (that look similar in both upper- and lowercase), a few letters only look right when capitalized:
В М Н Т Ь
Well, the last one is a bit of a stretch.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 12:01 PM by forgive me

I am a somewhat of a linguist but know nothing about character sets, Unicode etc, beyond the fact it exists.

That said, there is next to no reason for having different language character sets in the same URL.

Warning when you had mixed alphabets on the Firefox/Internet Explorer gold bar, and also prompting I guess, would solve 99.9% of the problem.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 12:06 PM by Michael Kaplan

Well, there are many cases that ok:

1) Japanese could reasonably have Hiragan, Katakana, and or Kanji and could reasonably mix the first or the second with the third (or with each other in some cases).

2) A site about the talmud with a URL of www.תלמוד-on-the-web.com or Ελλας-fans.org (both examples from a post by Mark Shoulson). Note that the internet requires some things be in latin, and the other Latin additions are not unreasonable.

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 12:34 PM by forgive me

OK, point taken.

But still, what is wrong with a gold bar warning in all such cases, with prompting by default with information (which can be turned off by advanced users)?

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 12:37 PM by forgive me

Sorry, obviously prompting is only necessary at secure sites.

# Looking for feedback

Monday, February 14, 2005 5:35 PM by Gary

A potential approach?

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 5:50 PM by Michael Kaplan

Gary, this is the kind of cool, well thought out, reasonable approaches to the problem which gets buried in with all of the dumbass arguments that people have about the problem on big mailing lists.

Thanks for pointing it out, its a very cool approach!

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 6:30 PM by FIREFOX

Breaking news.

Firefox will break IDN support by default. Those who want it will be able to easily enable it.

see feedhouse.mozillazine.org

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 9:13 PM by Michael Kaplan

Hmmm.... this is in its own way just as bad though, isn't it? Going from one extreme to the other.

Unless this is a temporary thing until they enable functionaliy to do IDN right. Otherwise Firefox is just saying that if you want IDN you will be screwed over by phishing.

So Firefox either gets one thumb up for admitting they were overeager and working to slow down and do it right (to get two thumbs up you have to do all that the ferst time!) or two thumbs down if they are just panicking and turning off the functionality....

# re: Almost no one on the Unicode List seems to "get" phishing

Monday, February 14, 2005 10:58 PM by Minh

> That said, there is next to no reason for
> having different language character sets in
> the same URL.

The Vietnamese alphabet is a mix of latin characters & non-standard characters.

Maybe domain names should carry a "code page". So your browser can display "(English) PayPal.com" and "(Cyrillic) PayPal.com"

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 1:59 AM by Steve Hurcombe

The problem is not going to be solved by technology because the problem is human perception. It's what the encoded words look like that makes this technique useful.

I propose that there's only one way to fix this problem and that's to have some form of verifiability of these domain names. Maybe finally we have to accept that domain names for commercial organisations have to go through a vetting process (digital certificates) while all other domains (for personal use??) remain on the old system.

Your browser would then be able to tell you that www.paypal.com is a genuine commercial domain name, but www.pAypal.com has not been verified. I know that www.netcraft.com have a browser plug in for IE that does something like this.

I've some more ideas on phishing emails on my blog...which follow a similar line.

Best regards
Steve.

# » Phishers Use Unicode To Fool You  InsideMicrosoft - part of the Blog News Channel

Tuesday, February 15, 2005 9:03 AM by TrackBack

» Phishers Use Unicode To Fool You  InsideMicrosoft - part of the Blog News Channel

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 7:22 AM by Jonathan Payne

I was wondering if this could be fixed by simply not allowing similar looking domain names to be registered. That way, if you registered paypal.com, your registration would "lock-out" all similar looking variants. The domain registrar could maintain a list of potentially similar characters which could be updated as problems arise. Combined with some kind of complaints procedure for catching the domains that fall through the net, I would expect this to solve most issues.

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 7:32 AM by FIREFOX

Michkap,

this is a temporary measure to protect interim security while they code out a longer term solution.

See here
http://weblogs.mozillazine.org/gerv/archives/007562.html

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 7:36 AM by Michael Kaplan

Jonathan -- that is a good first line of defense, under the justification of the "squatting" and others rules that exist today. But there will need to be other solutions to, since the phishers will find things faster than the registrations do....

Very cool FIREFOX -- one thumb up. :-)

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 9:14 AM by Centaur

I say — Down with IDN. The standard on DNS, STD0013 (RFC1034), defines domains as dot-separated labels consisting of digits, latin case-insensitive letters, and the hyphen, and that ought to be enough for everybody.

But if they insist on being able to shoot themselves in the foot, then let there be a LooksLike equivalence relation upon the set of Unicode characters, such that '1' LooksLike 'l' LooksLike 'I' and '0' LooksLike 'O' LooksLike CYRILLIC CAPITAL LETTER O LooksLike CYRILLIC SMALL LETTER O, and let domain names be unique with respect to said equivalence.

# re: Almost no one on the Unicode List seems to "get" phishing

Tuesday, February 15, 2005 4:21 PM by Mike Williams

I suspect you could still phish by combining charset substituions with changes in the domain extension - popular browsers are mainly fixated on the .com but if you are something like .ca, .co.uk or .com.au, or hell a typo like www.amazoncom.tv then a huge number of users are just not going to notice.

I would suggest the browser do some fuzzy string matches (in the manner of a spell-check) to compare loaded sites with sites that you have visited before.

# The Difficult Internet, Part 1: In the Clever Evil Phishers Dept...

Friday, February 18, 2005 5:30 PM by Barely Legal Substance

Last weekend, to my mom's horror and indignation, I explained "phishing" and how web users are at risk to it. The example I used was paypal.com versus paypel.com, a small but distinguishable vowel shift that could viably crop up either as a typo or as a phish attempt via email etc. "They can do that?!" she exclaimed, "Wow, I had...

Name (required)
Your URL (optional)
Comments (required)
Remember Me?

Sorting it all Out

Search

Tags

News

Posts on this page

About Me

Terror Alert Level

Disclaimer

Disclaimer Redux

Michael's Brain

Archives

Administrivia

Blogs (i18n)

Blogs (inactive)

Blogs (other)

MSFT Links

Non-MSFT Links

Rebuilding MFC and the CRT with MSLU

Regional Options

Singer/Songwriters

Almost no one on the Unicode List seems to "get" phishing

Comment Notification

Comments

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# Looking for feedback

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# &raquo; Phishers Use Unicode To Fool You&nbsp;&nbsp;InsideMicrosoft - part of the Blog News Channel

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# re: Almost no one on the Unicode List seems to "get" phishing

# The Difficult Internet, Part 1: In the Clever Evil Phishers Dept...

Leave a Comment

# » Phishers Use Unicode To Fool You InsideMicrosoft - part of the Blog News Channel