Greg Cohoon (drmellow) wrote,
Greg Cohoon

Security Alert: Homograph Attacks Compromise Web Browsers

Homograph attacks allow easier domain/URL spoofing:
In December 2001, a paper was released describing Homograph attacks. This new attack allows an attacker/phisher to spoof the domain/URLs of businesses. At the time this paper was written, no browsers had implemented Unicode/UTF8 domain name resolution.

Fast forward to today: Verisign has championed International Domain Names (IDN). RACES has been replaced with PUNYCODE. Every recent gecko/khtml based browser implements IDN (which is just about every browser except for IE; plug-in are available).


Vulnerable browsers include (but are not limited to):

Most mozilla-based browsers (Firefox 1.0, Camino .8.5, Mozilla 1.6, etc)
Safari 1.2.5
Opera 7.54
Omniweb 5
See also an article at Boing Boing describing the issue. The Shmoo Group provides proof-of-concept examples where they have spoofed The irony is that this is the first security alert I've ever seen that effects every browser except Microsoft IE.

If you're using a mozilla-based browser (Firefox, e.g.), there are instructions on how to implement a workaround by setting 'network.enableIDN' to false, but there are also reports that the workaround doesn't fix the issue. Making the change worked for me; your mileage may vary. Read the advisory by the Schmoo Group (including footnotes) and the article at Boing Boing for more information.

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded