
IDN Security

IDN Security. Issues and solutions Dr. Ibaa Oueichek Director of Data Communications STE. Visual Security Issues.





Presentation Transcript


  1. IDN Security: Issues and solutions
     Dr. Ibaa Oueichek, Director of Data Communications, STE
     IDN Security

  2. Visual Security Issues
     • Visually confusable strings: two different strings of Unicode characters whose appearance in common fonts, at small sizes and screen resolutions, is sufficiently close that people easily mistake one for the other. Example: paypal.com and paypa1.com (and this is just pure ASCII).
     • Homographs: a special kind of visually confusable. Two different strings that can always be represented by the same sequence of glyphs. For example, "AB" in Latin and "AB" in Greek are homographs.

  3. IDN
     • What does IDN have to do with this?
     • IDN is such a *GREAT* idea, because it allows users to write the domain name in their native language instead of English.
     • IDN is also a *GREAT* idea for spoofs and deceptions: it gives them the whole set of Unicode characters to play with.

  4. How serious is it?
     • Early alert: in December 2002, RFC 3454 explicitly warns about the problems of "similar-looking characters" and suggests that "user applications can help disambiguate some similar-looking characters by showing the user when a string changes between scripts".
     • In February 2005, xn--pypal-4ve.com is registered by The Shmoo Group.

  5. Example
     • You get an email about your paypal.com account and click on the link…
     • You carefully examine your browser's address box to make sure that it is actually going to http://paypal.com/
     • But actually it is going to a spoof site: "paypal.com" with the Cyrillic letter "p".
     • You think that they are the same.
     • But DNS thinks they are different.

  6. More examples
     • Cross-script: p in Latin vs p in Cyrillic
     • In-script: the sequence rn may appear at display sizes like m
     • Rendering support: ä with two umlauts may look the same as ä with one; el is actually e + l

  7. Definitions
     • Single-script confusable: spoofing characters are within one script, or use characters common across scripts (such as numbers).
     • Examples:
       • a-b and a-b (U+210 hyphen)
       • dze and dze (U+02A3 digraph)
       • 101 is NOT one zero one, but binary 5!!

  8. Definitions
     • Mixed-script confusable: spoofing characters are within more than one script, and the string is not a single-script confusable.
     • Examples:
       • paypal (ASCII) and paypal (U+430 Cyrillic)
       • top (ASCII) and top (U+03BF Greek)

  9. Definitions
     • Whole-script confusable: mixed-script confusables where each of the strings is entirely in one script, and both look identical.
     • Examples:
       • caxap in Latin, and caxap in Cyrillic
       • scope in Latin, and scope in Cyrillic

  10. More bad ideas
     • Syntax spoofing examples directing us to bad.com:
       • http://example.com⁄x.bad.com (beware of U+2044 FRACTION SLASH)
       • http://example.com?x.bad.com (beware of missing fonts showing characters as question marks)

  11. Quick conclusion
     • It is a disaster.
     • We opened a can of worms with IDN.
     • Let us drop support of IDN (Mozilla?)
     • Or maybe not; maybe we should ask "the bodies" for a solution.
     • Good question: WHO are the bodies?

  12. Interested parties
     • ICANN: update to the IDN guidelines (v2)
     • ITU-T Study Group 17
     • IETF: individual drafts
     • IAB: a special committee
     • Unicode Consortium: TR #36, Unicode Security Considerations

  13. UTR #36: Security Recommendations
     • General security issues (not just IDN)
     • V1 approved mid-2005; V2 in progress
     • http://unicode.org/draft/reports/tr36/tr36.html
     • Describes the problems, recommends best practices for:
       • Users
       • Programmers
       • User agents (browsers, email, office apps)
       • Registries
       • Registrars

  14. Restriction levels as defined in TR36
     • L1: ASCII only
     • L2: Highly restrictive, all characters from a single script, with a few DEFINED exceptions
     • L3: Moderately restrictive, all Latin and other scripts EXCEPT Cyrillic, Greek, Cherokee
     • L4: Minimally restrictive, allow free mixing of scripts
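The following is an added example, not part of the slides: a small Python checker that assigns a domain label the lowest TR36-style restriction level that would still accept it (the levels of slide 14), reports which scripts it mixes (the mixed- and whole-script confusables of slides 8 and 9), and prints the Punycode A-label the DNS actually sees, which for the Cyrillic-a spoof is the xn--pypal-4ve label of slide 4. The script ranges are a hand-picked assumption standing in for the full Unicode Script property, and the L2 "defined exceptions" are deliberately ignored.

```python
"""Added example (not from the slides): simplified UTR #36 restriction-level check
for a domain label, plus its Punycode (A-label) form as seen by the DNS."""
import unicodedata

# Assumption: a hand-picked subset of script ranges standing in for the full
# Unicode Script property; enough to flag Latin/Cyrillic/Greek/Cherokee mixing.
SCRIPT_RANGES = (
    ((0x00C0, 0x024F), "Latin"),     # Latin-1 Supplement .. Latin Extended-B
    ((0x0370, 0x03FF), "Greek"),
    ((0x0400, 0x04FF), "Cyrillic"),
    ((0x13A0, 0x13FF), "Cherokee"),
)

def script_of(ch: str) -> str:
    """Script name for one character; digits and the hyphen count as 'Common'."""
    if ch == "-" or ch.isdigit():
        return "Common"
    cp = ord(ch)
    if cp < 0x80:
        return "Latin"                 # plain ASCII letters
    for (lo, hi), name in SCRIPT_RANGES:
        if lo <= cp <= hi:
            return name
    return "Other"

def scripts_in(label: str) -> set:
    """Set of non-Common scripts a label uses, after NFC normalisation."""
    label = unicodedata.normalize("NFC", label)
    return {script_of(c) for c in label} - {"Common"}

def restriction_level(label: str) -> int:
    """Lowest TR36-style level (1..4) that would still accept this label.
    Simplification: L2's 'defined exceptions' (e.g. Han plus Latin) are ignored."""
    if label.isascii():
        return 1                                        # L1: ASCII only
    scripts = scripts_in(label)
    if len(scripts) <= 1:
        return 2                                        # L2: single script
    if not scripts & {"Cyrillic", "Greek", "Cherokee"}:
        return 3                                        # L3: mixing, none of the risky three
    return 4                                            # L4: free mixing, e.g. Latin + Cyrillic

def to_ace(label: str) -> str:
    """A-label (xn--...) as registered in the DNS; ASCII labels pass through unchanged."""
    return label.encode("idna").decode("ascii")

if __name__ == "__main__":
    # Constructed samples: real paypal, the Cyrillic-a spoof, an all-Cyrillic label, Greek omicron in top.
    for label in ("paypal", "p\u0430ypal", "\u0441\u0430\u0445\u0430\u0440", "t\u03bfp"):
        print(f"{label!r:16} L{restriction_level(label)} {sorted(scripts_in(label))} {to_ace(label)}")
```

A registry or user agent enforcing L2 would reject anything the function scores 3 or 4; a browser can use the same signal to show the xn-- form instead of the Unicode rendering.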

  15. ICANN guidelines v2
     • Three new guidelines:
       • Number 3: registration within a single script, very complex.
       • Number 4: permissible code points (legal characters).
       • Number 5: limitations for hyphens, because they are used as escape characters for Punycode.

  16. Comments on ICANN guidelines
     • Well thought out in general, but almost impossible to enforce.
     • Several registrars already register "broken" IDN names.
     • Most of the effort should concentrate on enforcement rules and monitoring.
     • Somewhat difficult with about 400 MILLION DNS records in the world.

  17. Conclusion
     • IDN has added a serious threat for Internet users.
     • Several solutions have been suggested, including proposals from ICANN, IETF and the Unicode forum.
     • Our opinion is that this threat should NOT be used as an excuse to hinder IDN development, and ESPECIALLY IDN.IDN.

  18. Thank you. Questions?
