[nycbug-talk] Homeograph URL spoofing exploit for browsers
Bob Ippolito
bob
Mon Feb 7 17:56:42 EST 2005
On Feb 7, 2005, at 13:45, G. Rosamond wrote:
>
> On Feb 7, 2005, at 11:09 AM, Bob Ippolito wrote:
>
>> On Feb 7, 2005, at 11:04, Bob Ippolito wrote:
>>
>>> http://www.shmoo.com/idn/
>>> http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html
>>>
>>> Browsers that support IDN (unicode domain names) are easily
>>> susceptible to spoofing attacks because there are many code points
>>> that look the same. Their specific example uses а (CYRILLIC
>>> SMALL LETTER A), which looks identical to a (LATIN SMALL LETTER
>>> A) in most fonts. ShmooGroup has registered u'p\N{CYRILLIC SMALL
>>> LETTER A}ypal.com' and have a browser-trusted cert for it.
>>
>> (that title was supposed to be homeograph -- my typing skills have
>> apparently left me)
>>
>
> This made a security list I found out about this weekend. . . a lot
> cleaner than Bugtraq. It's at www.secunia.com.
>
> Highly recommended.
>
> Anyone else have any feedback on the Secunia list?
>
> I find Bugtraq frustrating sometimes for the side comments and banter.
Well, I just heard about it today... I coded up a Safari defense and did
a blog entry about it and the development process:
http://bob.pythonmac.org/archives/2005/02/07/idn-spoofing-defense-for-safari/
-bob
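The quoted description of the attack (Cyrillic а standing in for Latin a inside an IDN) is easy to turn into a defensive check. The block below is an added example written for this archive page; it is not Bob's Safari defense and not Shmoo Group code. It assumes Python 3 with only the standard library: the `CONFUSABLES` table is a small constructed subset of look-alike pairs (Unicode's real confusables data is far larger), and the script of a character is approximated from the first word of its Unicode name, which is good enough to flag a label that mixes LATIN and CYRILLIC letters.

```python
import unicodedata

# Constructed, deliberately tiny confusables table: Cyrillic letters that are
# visually identical to a Latin letter in most fonts. Assumption: a real
# checker would load the full Unicode confusables.txt instead.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
}


def script_of(ch):
    """Rough script name for a letter, taken from its Unicode character name
    ('LATIN SMALL LETTER A' -> 'LATIN'). Digits and punctuation return None."""
    if not ch.isalpha():
        return None
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:  # unnamed code point
        return "UNKNOWN"


def to_ace(host):
    """IDNA (RFC 3490) ASCII-compatible form, i.e. what actually goes into a
    DNS query. The xn-- prefix is the cheapest tell that a name is an IDN."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Replace known confusables with their Latin look-alike, after NFKC
    normalisation, so two names that render identically compare equal."""
    normalized = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def analyze(host):
    """Return the facts a browser or mail filter would want before rendering
    a hostname as plain text."""
    host = host.lower()
    ace = to_ace(host)
    mixed = []
    for label in host.split("."):
        scripts = {s for s in (script_of(ch) for ch in label) if s}
        if len(scripts) > 1:
            mixed.append(label)
    skel = skeleton(host)
    looks_ascii = skel != host and skel.isascii()
    return {
        "ace": ace,
        "is_idn": ace != host,
        "mixed_script_labels": mixed,
        "skeleton": skel,
        # Suspicious: a label mixes scripts, or the name is non-ASCII but its
        # skeleton is a plain ASCII name (the whole-script Cyrillic case).
        "suspicious": bool(mixed) or looks_ascii,
    }


if __name__ == "__main__":
    for name in ("paypal.com", "p\u0430ypal.com", "b\u00fccher.de"):
        report = analyze(name)
        verdict = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{name!r:22} -> {report['ace']:22} {verdict}")
```

A UI that wants to do what Bob's Safari defense did can simply show `report["ace"]` in place of the Unicode form whenever `suspicious` is set; legitimate IDNs such as `bücher.de` are still rendered normally because they neither mix scripts nor collapse to a different ASCII name.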