Greg Cohoon (drmellow) wrote,
Greg Cohoon

Security Alert: Homograph Attacks Compromise Web Browsers

Homograph attacks allow easier domain/URL spoofing:
In December 2001, a paper was released describing Homograph attacks. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. At the time this paper was written, no browsers had implemented Unicode/UTF8 domain name resolution.

Fast forward to today: Verisign has championed International Domain Names (IDN). RACES has been replaced with PUNYCODE. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for IE; plug-in are available).


Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
See also an article at Boing Boing describing the issue. The Shmoo Group provides proof-of-concept examples where they have spoofed The irony is that this is the first security alert I've ever seen that effects every browser except Microsoft IE.

If you're using a mozilla-based browser (Firefox, e.g.), there are instructions on how to implement a workaround by setting 'network.enableIDN' to false, but there are also reports that the workaround doesn't fix the issue. Making the change worked for me; your mileage may vary. Read the advisory by the Schmoo Group (including footnotes) and the article at Boing Boing for more information.

  • Congratulations To The Next US President!

    At this point, I would like to extend my heartfelt congratulations to the next US President. Unfortunately, I don't know who that is. What is…

  • Dr. Mellow's Guide To Voting

    Every year since 2006, when I posted my first election guide, I try to do my best to inform the readers of my blog on the very important things to…

  • The Glorious Return Of Standard Time

    This is a (slightly edited) repost of a post that I made two years ago. Thank the heavens we are finally back on Standard Time! The horror that it…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded