The Null Device

Homograph attacks

A h4x0r group named Shmoo has revealed a new web-spoofing attack which takes advantage of Unicode characters which look like ASCII characters but aren't, allowing spoofers to register sites like http://www.pаypal.com/ (note that the first 'a' isn't an 'a', but rather Unicode character #1072, the Cyrillic small 'a'). A demo page with two dodgy links is here.

Such attacks, of course, only work if Unicode domain names are allowed. This is one of the few times that Internet Explorer users are safer than Mozilla/Firefox users, as IE doesn't support international domain names out of the box. If you're using Firefox, you may be able to fix it by following the following procedure (via bOING bOING):

1) Goto your Firefox address bar. Enter about:config and press enter. Firefox will load the (large!) config page.
2) Scroll down to the line beginning network.enableIDN -- this is International Domain Name support, and it is causing the problem here. We want to turn this off -- for now. Ideally we want to support international domain names, but not with this problem.
3) Double-click the network.enableIDN label, and Firefox will show a dialog set to 'true'. Change it to 'false' (no quotes!), click Ok. You are done.
4) Go check out the shmoo demo again and notice it no longer works.

Of course, if you practice safe web access, you won't be entering your bank details or whatever after following a link (however kosher-looking) from an untrusted source in the first place, but only after having typed it in with your own hands or selected it from your local bookmarks.

There are 1 comments on "Homograph attacks":

Posted by: Michael S. http://beebo.org Thu Feb 10 09:49:31 2005

That's quite ... nasty.

Though I think the SSL certificate issuer has a lot to answer for here--they shouldn't be issuing certificates with a similar name, let alone similar domain name, to anything that already exists. Or do they not actually do this check?

I'd assumed you wouldn't be able to get a certificate claiming to be from "Microsoft Corporation" or "MicroSoft Corp.", "Microsoft Inc.", etc. for *any* domain--is this not the case?

Want to say something? Do so here.

Post pseudonymously

Display name:
URL:(optional)
To prove that you are not a bot, please enter the text in the image into the field below it.

Your Comment:

Please keep comments on topic and to the point. Inappropriate comments may be deleted.

Note that markup is stripped from comments; URLs will be automatically converted into links.