Presenting IDN spoofing threats to ICANN’s security committee
05 Mar 2009
I had the chance to present to the ICANN Security and Stability Advisory Committee during their ICANN Mexico conference. It was an opportunity to give a portion of my upcoming presentation on Exploiting Unicode-enabled Software, focusing just on IDN visual spoofing attacks. These issues have been discussed for years, going back to before 2000 when IDN was first being discussed, to Eric Johanson’s PayPal spoof in 2005, up to Moxie Marlinspike’s recent Black Hat demo. Mark Davis has discussed the homograph and syntax spoofing issues in the past, as has Andy Heninger.
So where does my presentation add more to the discussion? I’ve demonstrated a few things that are shocking still today - more IDN attacks for which no defenses exist:
- In both Opera and Safari, I can still spoof http://www.google.com today just as the old PayPal spoof worked.
- In Opera, Safari, and Firefox I can spoof http://www.mozilla.org
- Syntax spoofing crosses more boundaries than many might think - punctuation and symbols aren’t all you need.
The net result is something a bit unnerving:
- The divergence in IDN implementations could be creating a mess of confusion for end users.
- Phishing attacks with IDN domains can be visually unrecognizable and deadly.
- Those screaming ‘Down with IDN’ are finding more torches and rocks to pick up.
I plan to go into this more at SOURCE Boston and CanSecWest.
Where do we go from here? I believe we’ve got to keep IDN alive; don’t stifle such a phenomenon because of fear and doubt. So who should start fixing it - the registrars, the user-agents? I’ve got my own answers for that, and also some upcoming cross-platform API components that will fix the issue for any user-agent who wants it. For now, let’s just say that IDNA2008 is in draft and does take the defenses to a new level.