Dailydave mailing list archives

Re: SSL MITM fun.


From: Alexander Sotirov <alex () sotirov net>
Date: Fri, 20 Feb 2009 06:07:26 -0500

On Fri, Feb 20, 2009 at 07:41:25AM +0100, Michal Zalewski wrote:
> > The new idea in this presentation is to use a .cn domain, but use UNICODE
> > characters that look like '/'.
>
> The idea is certainly not new; it's covered, amongst other places, in
> our Browser Security Handbook for a longer while (gives specifically
> the '/' example, and discusses mitigations):
>
> http://code.google.com/p/browsersec/wiki/Part2#International_Domain_Name_checks

I assumed it was new because I hadn't been following IDN security
closely, but you're right, this attack has been known for a while.

However, the countermeasures browsers have implemented are trivial to bypass.
It only took me an hour to find a number of variations of the homograph attack
that still work. Here's a spoofed google.com page (over SSL for bonus points)
that works on the latest version of Firefox 3 on Mac OS X:

https://www.google.xn--com-edoaaaaaaaaaaaaaaaaaaaaaaaaaaaa.phreedom.org/

It's been years since browser vendors were first made aware of the homograph
attacks and there is still no good solution. Perhaps it's time to scrap IDN
and try a different approach?

Take care,
Alex
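A defender-side check for the point made above (a punycode label decoding to characters that render like '/' or '.' or as blank space, or that mix scripts), added here as an example and not code from the original thread. The SUSPICIOUS table is a small constructed subset; Unicode's confusables.txt is the full list.

```python
import unicodedata

# Constructed lookup for this example: a handful of characters that render like
# '/' or '.' or as blank space. Unicode's confusables.txt is the full list.
SUSPICIOUS = {
    "\u2044": "FRACTION SLASH looks like '/'",
    "\u2215": "DIVISION SLASH looks like '/'",
    "\uff0f": "FULLWIDTH SOLIDUS looks like '/'",
    "\u3002": "IDEOGRAPHIC FULL STOP looks like '.'",
    "\uff0e": "FULLWIDTH FULL STOP looks like '.'",
    "\u115f": "HANGUL CHOSEONG FILLER renders as blank",
    "\u1160": "HANGUL JUNGSEONG FILLER renders as blank",
    "\u3164": "HANGUL FILLER renders as blank",
}

def decode_label(label):
    """Return the Unicode form of one DNS label, decoding xn-- (punycode) labels."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def audit_hostname(hostname):
    """Audit every label of a hostname. Returns a list of findings (strings);
    an empty list means no table hit and no mixed-script label."""
    findings = []
    for raw in hostname.rstrip(".").split("."):
        try:
            label = decode_label(raw)
        except UnicodeError:
            findings.append(f"{raw}: undecodable punycode")
            continue
        scripts = set()
        for ch in label:
            cat = unicodedata.category(ch)
            if ch in SUSPICIOUS:
                findings.append(f"{raw}: U+{ord(ch):04X} {SUSPICIOUS[ch]}")
            elif cat.startswith("L"):
                # First word of the character name is its script: LATIN, CYRILLIC, HANGUL...
                scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
            elif ord(ch) > 127:
                findings.append(f"{raw}: U+{ord(ch):04X} non-letter ({cat})")
        if len(scripts) > 1:
            findings.append(f"{raw}: mixed scripts {sorted(scripts)}")
    return findings

if __name__ == "__main__":
    # The spoofed host from the message above, exactly as the page gives it.
    for f in audit_hostname("www.google.xn--com-edoaaaaaaaaaaaaaaaaaaaaaaaaaaaa.phreedom.org"):
        print(f)
```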
