With so much phishing going on, people have been warned to be SURE the URL in their browser looks right after clicking out of a phishing e-mail. Well, WARNING: even that is not safe any more:
I. Background
International Domain Name [IDN] support in modern browsers allows attackers to spoof domain names, URLs and SSL certs.
II. Description
In December 2001, a paper was released describing homograph attacks [1]. This attack allows an attacker/phisher to spoof the domains/URLs of businesses. At the time that paper was written, no browser had implemented Unicode/UTF-8 domain name resolution.
Fast forward to today: Verisign has championed International Domain Names (IDN) [2]. RACE has been replaced by Punycode [3]. Every recent Gecko/KHTML-based browser implements IDN (which is just about every browser [4] except IE; plug-ins are available for IE [5]).
III. The details
Proof of concept URL:
http://www.shmoo.com/idn/
Clicking on either of the two links on the above web page using anything but IE should result in a spoofed paypal.com web page.
The links point at "http://www.pаypal.com/", which the browsers' Punycode handlers render as www.xn--pypal-4ve.com.
This is only one example URL; there are now many ways to display any domain name in a browser, since a huge number of code pages/scripts contain characters which look very similar to the Latin charset.
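The following Python is an added illustration and is not part of the advisory or the Shmoo demo. It computes the ASCII form that DNS actually resolves for a host name and flags labels that either mix scripts or fold to a Latin look-alike; the look-alike table is a constructed, partial one (it assumes the "а" in the demo URL is Cyrillic small letter a, U+0430, which is what xn--pypal-4ve decodes to), and the check also catches all-Cyrillic look-alike labels, which a mixed-script rule alone would miss.

```python
import unicodedata

# Constructed, partial table of Cyrillic letters that look like Latin ones.
# Unicode publishes a full confusables list; this is only enough for the demo.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}

def script_of(ch: str) -> str:
    """Coarse script name for one character: 'Latin', 'Cyrillic', 'Common', ..."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"   # digits and '-' are script-neutral
    # First word of the Unicode character name is the script, e.g. 'CYRILLIC SMALL LETTER A'
    return unicodedata.name(ch, "UNKNOWN").split()[0].title()

def inspect_label(label: str) -> dict:
    """Analyse one DNS label in the Unicode form the user sees in the address bar."""
    scripts = {script_of(c) for c in label} - {"Common"}
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    return {
        "unicode": label,
        "ascii": label.encode("idna").decode("ascii"),   # Punycode form DNS resolves
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,                # e.g. Latin + Cyrillic in one label
        "skeleton": skeleton,                            # look-alikes folded to Latin
        "looks_like_latin": skeleton != label and skeleton.isascii(),
    }

def inspect_host(host: str) -> dict:
    """Inspect every label; the host is suspicious if any label mixes scripts or is a look-alike."""
    labels = [inspect_label(part) for part in host.split(".")]
    return {
        "ascii_host": ".".join(part["ascii"] for part in labels),
        "suspicious": any(part["mixed_script"] or part["looks_like_latin"] for part in labels),
        "labels": labels,
    }

if __name__ == "__main__":
    # Constructed inputs: the genuine host and the homograph from the advisory.
    for h in ("www.paypal.com", "www.p\u0430ypal.com"):
        r = inspect_host(h)
        print(f"{h!r}: resolves as {r['ascii_host']}  suspicious={r['suspicious']}")
```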
Phishing attacks are the fastest-growing class of attacks on the internet today. I find it amusing that one of the large early adopters of IDN offers an 'Anti-Phishing Solution' [6].
Finally, IDN makes life very difficult for a business trying to protect its identity. Many domain name conflicts related to IDN are to be expected.
All about SSL: 'domain validated' SSL certs do not prove the identity of the requesting party. They simply validate who controls receiving e-mail at that domain (which includes IDN domains). I suspect that if I had tried to purchase a higher-end cert for this demo, I would have been stopped right around step 2. Some folks don't like domain validated certs; I for one love them, as they keep my accountant happy.
Vulnerable browsers include (but are not limited to):
Most Mozilla-based browsers (Firefox 1.0, Camino 0.8.5, Mozilla 1.6, etc.)
Safari 1.2.5
Opera 7.54
Omniweb 5
Some bizarre versions of IE, or any version of IE with the i-Nav plugin.
Several RFCs describe basic security measures which can help prevent phishing attacks in IDN-supporting browsers. While I believe these measures are insufficient or impractical in some cases, they were completely ignored regardless. Go read them:
http://www.faqs.org/rfcs/rfc3490.html
http://www.faqs.org/rfcs/rfc3491.html
http://www.faqs.org/rfcs/rfc3492.html