Bugtraq mailing list archives
Re: thoughts and a possible solution on homograph attacks
From: "Mike Nice" <niceman () att net>
Date: Tue, 8 Mar 2005 07:33:14 -0500
It's rather trivial to determine programatically that www.paypal.com is different from www.paypa1.com, but look similar. One might argue to rest the burden with DNS registries (why would anyone legitimately want paypa1.com?), but that's not likely to fly. Could it rest within the browser? ("Hey buddy, you're going to paypa1.com--did you mean Pay Pal?" or "Enable Unicode in URLs"). Perhaps with an addon ("Hey buddy, you're going to a restricted domain-- are you sure?"). Finally, it could rest with the operating system (via a variety of mechanisms).
While not exactly a solution to homograph attacks, there is an entire class of man-in-the middle attacks (DNS poisoning, wireless Evil twin, etc) that make use of look alike domain names as well as just redirecting the IP data stream to a different server. Paypal - go to URL bar, type in 'www.paypal.com', put in your username and password and log in Bank - go to URL bar, type in 'www.mybank.com', put in your username and password and log in. Bank - go to URL bar, type in 'www.mybank.com', click on the SSL login page, put in your username and password and log in. BZZZT - wrong! You are vulnerable to a man in the middle attack (except if you examined the SSL certificate and/or URL prior to login in the 3rd case). This is particularly important on a laptop if you travel to multiple locations and wireless access points. A simple rule of thumb for less techie computer uses is to teach them how to examine SSL certificates for validity. Then find and bookmark the secure login page. Then if the SSL certificate name doesn't match the browser's bookmark name, they'll get a warning popup that the name doesn't match. The simple rule for everyone: bookmark the secure login page of sites where you enter your username and password. In the real world, we don't examine each SSL certificate at every login. ....How do you get to paypal or your online banking?
Current thread:
- Re: thoughts and a possible solution on homograph attacks, (continued)
- Re: thoughts and a possible solution on homograph attacks Michael Silk (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Kevin Day (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Michael Roitzsch (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Denis Jedig (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks James Youngman (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Thomas Wana (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Benjamin Franz (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- RE: thoughts and a possible solution on homograph attacks Scovetta, Michael V (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Mike Nice (Mar 08)
- Re: houghts and a possible solution on homograph attacks Sven Putteneers (Mar 08)
- Re: houghts and a possible solution on homograph attacks Nick FitzGerald (Mar 10)
- Re: Thoughts and a possible solution on homograph attacks Paul Smith (Mar 12)
- Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 15)
- Re: Thoughts and a possible solution on homograph attacks Valdis . Kletnieks (Mar 15)
- Re: Thoughts and a possible solution on homograph attacks khockenb (Mar 16)
- Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 16)
- Re: Thoughts and a possible solution on homograph attacks Nick FitzGerald (Mar 22)