[nycbug-talk] Homeograph URL spoofing exploit for browsers

Bob Ippolito bob
Mon Feb 7 17:56:42 EST 2005


On Feb 7, 2005, at 13:45, G. Rosamond wrote:

>
> On Feb 7, 2005, at 11:09 AM, Bob Ippolito wrote:
>
>> On Feb 7, 2005, at 11:04, Bob Ippolito wrote:
>>
>>> http://www.shmoo.com/idn/
>>> http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html
>>>
>>> Browsers that support IDN (unicode domain names) are easily  
>>> susceptible to spoofing attacks because there are many code points  
>>> that look the same.  Their specific example uses а (CYRILLIC  
>>> SMALL LETTER A), which looks identical to a (LATIN SMALL LETTER  
>>> A) in most fonts.  ShmooGroup has registered u'p\N{CYRILLIC SMALL  
>>> LETTER A}ypal.com' and have a browser-trusted cert for it.
>>
>> (that title was supposed to be homeograph -- my typing skills have  
>> apparently left me)
>>
>
> This made a security list I found out about this weekend. . . a lot  
> cleaner than Bugtraq.  It's at www.secunia.com.
>
> Highly recommended.
>
> Anyone else have any feedback on the Secunia list?
>
> I find Bugtraq frustrating sometimes for the side comments and banter.

Well, I just heard about it today. I coded up a Safari defense and did  
a blog entry about it and the development process:

http://bob.pythonmac.org/archives/2005/02/07/idn-spoofing-defense-for-safari/

-bob
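The two checks a browser-side defense of the kind discussed in this thread would want, shown as an added Python example (this is not the Safari defense from the blog post or any code from the list): the punycode wire form, which exposes the Cyrillic letter in the Shmoo example even though the glyphs match, and a mixed-script test plus a small lookalike table mapped against a constructed allowlist of trusted names. The LOOKALIKES table and TRUSTED set are assumptions constructed for the example; the script detection relies on Unicode character names.

```python
import unicodedata

# Constructed for this example: Cyrillic letters that render like Latin ones.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Constructed for this example: names the user actually trusts.
TRUSTED = {"paypal.com"}


def script_of(ch):
    """Coarse script of one character from its Unicode name ('LATIN', 'CYRILLIC', ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalnum() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_labels(hostname):
    """Labels that mix scripts: 'p\u0430ypal' is Latin plus one Cyrillic letter."""
    flagged = []
    for label in hostname.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:
            flagged.append(label)
    return flagged


def to_punycode(hostname):
    """Wire form via Python's idna codec; an 'xn--' label means non-ASCII was present."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname):
    """Replace known lookalikes by their Latin twins so visually equal names compare equal."""
    return "".join(LOOKALIKES.get(c, c) for c in hostname)


def looks_like_trusted(hostname):
    """Return the trusted name this hostname impersonates, or None if it is genuine/unrelated."""
    if hostname in TRUSTED:
        return None
    sk = skeleton(hostname)
    return sk if sk in TRUSTED else None


if __name__ == "__main__":
    spoof = "p\N{CYRILLIC SMALL LETTER A}ypal.com"  # the Shmoo Group example
    print(to_punycode(spoof), mixed_script_labels(spoof), looks_like_trusted(spoof))
```

The mixed-script test alone misses a label written entirely in one non-Latin script, which is why the skeleton comparison against a trusted list is kept as a second check.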
