|
|
 | | From: | Evan Platt | | Subject: | New vulnerability? | | Date: | Mon, 17 Jan 2005 15:02:34 -0800 |
|
|
 | http://www.retrosynth.com/misc/phishing.html
Took me a while to figure out what I was missing:
The link is http://www.amazоn.com - the site 'says' amazon.com, i.e.
fake site: www.amazon.com
Opera 7.6 7364b 'fails' - it takes me to the site and even in the window shows the site as Amazon.com
i.e. doesn't - gives a DNS error. Firefox also 'fails' the test and takes me to what appears to be the real site.
Should Opera fail this test and give me a DNS error like IE?
Evan
|
|
 | | From: | Mezev | | Subject: | Re: New vulnerability? | | Date: | Mon, 17 Jan 2005 20:16:09 -0500 |
|
|
 | IE gave a DNS Error, but Opera did nothing. It didn't even try to open the link. So, I was safe, right?
On Mon, 17 Jan 2005 15:02:34 -0800, Evan Platt wrote:
> http://www.retrosynth.com/misc/phishing.html
>
> Took me a while to figure out what I was missing:
>
> The link is http://www.amazоn.com - the site 'says' amazon.com,
> i.e.
>
> fake site: www.amazon.com
>
> Opera 7.6 7364b 'fails' - it takes me to the site and even in the
> window shows the site as Amazon.com
>
> i.e. doesn't - gives a DNS error. Firefox also 'fails' the test and
> takes me to what appears to be the real site.
>
> Should Opera fail this test and give me a DNS error like IE?
>
> Evan
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
|
|
 | | From: | Evan Platt | | Subject: | Re: New vulnerability? | | Date: | Mon, 17 Jan 2005 17:18:38 -0800 |
|
|
 | On Mon, 17 Jan 2005 20:16:09 -0500, Mezev wrote:
>IE gave a DNS Error, but Opera did nothing. It didn't even try to open
>the link. So, I was safe, right?
What version of Opera? It opened for me...
Evan
|
|
 | | From: | Mezev | | Subject: | Re: New vulnerability? | | Date: | Mon, 17 Jan 2005 20:29:50 -0500 |
|
|
 | 8.00 build 7401.
On Mon, 17 Jan 2005 17:18:38 -0800, Evan Platt wrote:
> On Mon, 17 Jan 2005 20:16:09 -0500, Mezev wrote:
>
>> IE gave a DNS Error, but Opera did nothing. It didn't even try to open
>> the link. So, I was safe, right?
>
> What version of Opera? It opened for me...
>
> Evan
-- Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
|
|
 | | From: | Steven V. Gunhouse | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 12:10:49 GMT |
|
|
 | On Mon, 17 Jan 2005 20:29:50 -0500, Mezev wrote:
> 8.00 build 7401.
>
> On Mon, 17 Jan 2005 17:18:38 -0800, Evan Platt wrote:
>
>> On Mon, 17 Jan 2005 20:16:09 -0500, Mezev wrote:
>>
>>> IE gave a DNS Error, but Opera did nothing. It didn't even try to open
>>> the link. So, I was safe, right?
>>
>> What version of Opera? It opened for me...
>>
>> Evan
Opera 8 won't even try to open a link with an invalid character or format. Select text with a space in it and choose Go to URL, nothing will happen.
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | Peter Karlsson | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 14:53:44 +0100 |
|
|
 | Steven V. Gunhouse:
> Opera 8 won't even try to open a link with an invalid character or
> format.
You can't copy-paste the URL as posted in the original post in this thread, since it used the HTML escaping. The links on the web page work, though.
The first version with partial support for international domains according to IDNA was 7.20, IIRC.
-- \\// Peter Karlsson, software engineer, Opera Software
The opinions expressed are my own, and not those of my employer. Please reply only by follow-ups in the newsgroup.
|
|
 | | From: | Steven V. Gunhouse | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 18:58:51 GMT |
|
|
 | On Tue, 18 Jan 2005 14:53:44 +0100, Peter Karlsson wrote:
> Steven V. Gunhouse:
>
>> Opera 8 won't even try to open a link with an invalid character or
>> format.
>
> You can't copy-paste the URL as posted in the original post in this
> thread, since it used the HTML escaping. The links on the web page work,
> though.
>
> The first version with partial support for international domains
> according to IDNA was 7.20, IIRC.
I didn't copy-paste, I just tried clicking it in the email. It was highlighted like a URL, but didn't go anywhere. Should Opera handle that differently?
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | Peter Karlsson | | Subject: | Re: New vulnerability? | | Date: | Wed, 19 Jan 2005 09:12:16 +0100 |
|
|
 | Steven V. Gunhouse:
> I didn't copy-paste, I just tried clicking it in the email.
The link in the e-mail contained the raw HTML code. &, # and ; are not allowed in links, so the link isn't clickable. In the linked page, the HTML is interpreted by a HTML parser before being shown, so there the link *is* clickable.
> It was highlighted like a URL, but didn't go anywhere.
Yeah, the URL highlighting doesn't validate the link. Perhaps it should.
-- \\// Peter Karlsson, software engineer, Opera Software
The opinions expressed are my own, and not those of my employer. Please reply only by follow-ups in the newsgroup.
|
|
 | | From: | Brian L Johnson | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 22:37:08 -0000 |
|
|
 | Steven & Evan,
To clarify:
What the OP intended was for people to go to the webpage:
http://www.retrosynth.com/misc/phishing.html
and then try clicking on the various links on that page.
-- blj
|
|
 | | From: | Steven V. Gunhouse | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 23:49:20 GMT |
|
|
 | On Tue, 18 Jan 2005 22:37:08 -0000, Brian L Johnson wrote:
> Steven & Evan,
>
> To clarify:
>
> What the OP intended was for people to go to the webpage:
>
> http://www.retrosynth.com/misc/phishing.html
>
> and then try clicking on the various links on that page.
Strangely enough, there is a minor difference in the fonts. When I actually hover back and forth between the links, I can see a small difference in the letter o's (or the y in paypal). But that's here in the Linux version, with my font settings.
Still a question of what should have happened with the link in the message. But maybe he didn't copy it properly - if I actually paste it here http://www.amazоn.com/ (now that looks really ugly in Linux, the "o" is the wrong size) ... anyway, if I actually paste it here I don't get that HTML entity code and hence it might actually work.
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | Peter Karlsson | | Subject: | Re: New vulnerability? | | Date: | Wed, 19 Jan 2005 09:15:30 +0100 |
|
|
 | Steven V. Gunhouse:
> Strangely enough, there is a minor difference in the fonts.
Yes, here too. My default font (Bitstream Vera Sans) has slightly different glyphs for o (latin letter O) and о (Cyrillic letter О). I didn't compare the y (latin letter Y) and the у (Cyrillic letter У) very closely, but if there is any difference in the fonts, it is quite small.
> anyway, if I actually paste it here I don't get that HTML entity code
> and hence it might actually work.
It does indeed.
-- \\// Peter Karlsson, software engineer, Opera Software
The opinions expressed are my own, and not those of my employer. Please reply only by follow-ups in the newsgroup.
|
|
 | | From: | Brian L Johnson | | Subject: | Re: New vulnerability? | | Date: | Wed, 19 Jan 2005 12:18:27 -0000 |
|
|
 | Steven V. Gunhouse wrote:
>> http://www.retrosynth.com/misc/phishing.html
>>
>> and then try clicking on the various links on that page.
>>
>
> Strangely enough, there is a minor difference in the fonts. When I
> actually hover back and forth between the links, I can see a small
> difference in the letter o's (or the y in paypal). But that's here in
> the Linux version, with my font settings.
Might be a Linux thang. Here on XP-H+SP2 with clean install of Opera8 with no font mods, I see no difference at all between the fake and real links -- either hovered or not, Author mode or User mode.
> Still a question of what should have happened with the link in the
> message. But maybe he didn't copy it properly - if I actually paste it
> here http://www.amazоn.com/ (now that looks really ugly in Linux, the
> "o" is the wrong size) ... anyway, if I actually paste it here I don't
> get that HTML entity code and hence it might actually work.
Selecting the entire page, rt-clicking and Copy Text, I get this on the clipboard:
*----cut here----*
fake site: www.amazon.com
real site: www.amazon.com

fake site: www.microsoft.com
real site: www.microsoft.com

fake site: www.paypal.com
real site: www.paypal.com

a = а
e = е
o = о
y = у
*----cut here----*
Just to rule out anything else, if I rt-click one of the links and choose 'Copy Link Address', I get this:
http://www.amazоn.com/
If I paste any of the copies into a hex editor, (instead of this M2 compose page) I still get exactly the same.
http://www.amazоn.com/
So, for me, the 'deception' is pretty much foolproof: without examining the source code, I couldn't tell the difference between real and fake links until I land on the appropriate page.
-- blj
|
|
 | | From: | Steven V. Gunhouse | | Subject: | Re: New vulnerability? | | Date: | Wed, 19 Jan 2005 18:30:00 GMT |
|
|
 | On Wed, 19 Jan 2005 12:18:27 -0000, Brian L Johnson wrote:
> Steven V. Gunhouse wrote:
>
>>> http://www.retrosynth.com/misc/phishing.html
>>>
>>> and then try clicking on the various links on that page.
>>>
>>
>> Strangely enough, there is a minor difference in the fonts. When I
>> actually hover back and forth between the links, I can see a small
>> difference in the letter o's (or the y in paypal). But that's here in
>> the Linux version, with my font settings.
>
> Might be a Linux thang. Here on XP-H+SP2 with clean install of Opera8
> with no font mods, I see no difference at all between the fake and real
> links -- either hovered or not, Author mode or User mode.
>
>> Still a question of what should have happened with the link in the
>> message. But maybe he didn't copy it properly - if I actually paste it
>> here http://www.amazоn.com/ (now that looks really ugly in Linux, the
>> "o" is the wrong size) ... anyway, if I actually paste it here I don't
>> get that HTML entity code and hence it might actually work.
>>
>
> Selecting the entire page, rt-clicking and Copy Text, I get this on the
> clipboard:
>
> *----cut here----*
> fake site: www.amazon.com
> real site: www.amazon.com
>
> fake site: www.microsoft.com
> real site: www.microsoft.com
>
> fake site: www.paypal.com
> real site: www.paypal.com
>
> a = а
> e = е
> o = о
> y = у
> *----cut here----*
>
> Just to rule out anything else, if I rt-click one of the links and
> choose 'Copy Link Address', I get this:
>
> http://www.amazоn.com/
>
> If I paste any of the copies into a hex editor, (instead of this M2
> compose page) I still get exactly the same.
>
> http://www.amazоn.com/
>
> So, for me, the 'deception' is pretty much foolproof: without examining
> the source code, I couldn't tell the difference between real and fake
> links until I land on the appropriate page.
In my status bar in Windows, the Cyrillic "o" is offset lower than the surrounding Latin text. Ah ... the version of Times New Roman (my toolbar font) on this system doesn't include Cyrillic, so I'm getting the "o" from Verdana. (This is a 98 SE system. Presumably a more recent version of Times New Roman would include Cyrillic ...)
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | Nisse_Engström | | Subject: | Re: New vulnerability? | | Date: | Sun, 23 Jan 2005 08:23:49 +0100 |
|
|
 | Steven V. Gunhouse wrote:
> In my status bar in Windows, the Cyrillic "o" is offset lower than the
> surrounding Latin text. Ah ... the version of Times New Roman (my toolbar
> font) on this system doesn't include Cyrillic, so I'm getting the "o" from
> Verdana. (This is a 98 SE system. Presumably a more recent version of
> Times New Roman would include Cyrillic ...)
I too use Times New Roman on my 98SE box. In my case, the two links are identical in the status bar and the links panel. A magnification of the links panel shows that the spoof is pixel perfect.
I'd *really* like to see a clear indication when a URL is obfu^Winternationalized, and an option to see the sens^WASCII version of it.
--n
|
|
 | | From: | rja.carnegie at excite.com | | Subject: | Re: New vulnerability? | | Date: | 20 Jan 2005 18:30:37 -0800 |
|
|
 | Paul McGarry wrote:
> On Tue, 18 Jan 2005 02:28:48 +0100, Yngve Nysaeter Pettersen (Developer,
> Opera Software A/S) wrote:
>
> > This is **NOT** a vulnerability, although one might make the case that
>
> Presumably a "vulnerability" is anything that leads an unsuspecting user
> to be vulnerable.
Never mind Unicode URLs. What about www.amaz0n.com ?
WWW.AMA20N.COM ?
(Okay, it displays as www.ama20n.com, which is going to stand out.)
I think the real message may be... never trust URLs even if they look good. Don't trust your own ability to detect when you're being suckered. If people could do that reliably, there would be no such word as "sucker". So if you get an e-mail (or a Web page) of uncertain provenance that says "Go to Amazon here", either skip the link and type Amazon's address yourself, or take the link but don't take out your wallet.
That isn't to say that there's nothing for Opera to do here. For instance, an additional level of trust-of-URL indicator could be provided - say, your bookmarks carry a trust level setting, and when you visit a site that you bookmarked (even if not through the bookmark), the trust rating is displayed. Maybe, date of your last visit. When you visit a phisher, no familiar-site icon. Of course this involves defining and then detecting other pages that match the URL, so it isn't simple... Just a suggestion. I'm sure there are other ways to achieve similar good results.
The other part of the message is - try not to use a Web browser where your PC can get hacked just because you went to a bad Web site. Opera scores fairly well there...
|
|
 | | From: | Paul McGarry | | Subject: | Re: New vulnerability? | | Date: | Fri, 21 Jan 2005 15:28:51 +1100 |
|
|
 | On 20 Jan 2005 18:30:37 -0800, rja.carnegie@excite.com wrote:
>> Presumably a "vulnerability" is anything that leads an unsuspecting user
>> to be vulnerable.
>
> Never mind Unicode URLs. What about www.amaz0n.com ?
>
> WWW.AMA20N.COM ?
There's an interesting suggestion here: http://weblogs.mozillazine.org/gerv/archives/007359.html
I'm not sure it's exactly feasible. I can imagine most users being confused by all the different colours rather than understanding them but a bit of "out of the square" thinking about the issue isn't a bad thing.
-- Paul McGarry http://paulmcgarry.com/
|
|
 | | From: | Matthew Winn | | Subject: | Re: New vulnerability? | | Date: | Fri, 21 Jan 2005 08:40:30 +0000 (UTC) |
|
|
 | On Fri, 21 Jan 2005 15:28:51 +1100, Paul McGarry wrote:
> There's an interesting suggestion here:
> http://weblogs.mozillazine.org/gerv/archives/007359.html
>
> I'm not sure it's exactly feasible. I can imagine most users being
> confused by all the different colours rather than understanding them but a
> bit of "out of the square" thinking about the issue isn't a bad thing.
It's an interesting idea, but it won't work.
To start with, there aren't that many colours to choose from. To be effective such a scheme would have to use colours that are easily distinguishable from memory, and that reduces the total set of useful colours to around half a dozen. That makes it a trivial matter for a phisher to try variations on a domain name until one with the correct colour appears. If www.amaz0n.com doesn't match try www1.amaz0n.com, www2.amaz0n.com, and so on.
The other problem is for the user to learn the colours. Anyone who uses the web extensively may well visit dozens of sites on a regular basis and remembering the colours for each one would be difficult. And the sites where it most matters are the ones that people visit least often. What percentage of pages that you visit are ones where you're paying for something? For me it's somewhere down below 0.01%. That's not enough that I'd notice if a site had the wrong colour.
-- Matthew Winn [If replying by email remove the "r" from "urk"]
|
|
 | | From: | Richard Grevers | | Subject: | Re: New vulnerability? | | Date: | Fri, 21 Jan 2005 22:15:47 +1300 |
|
|
 | On Fri, 21 Jan 2005 08:40:30 +0000 (UTC), Matthew Winn wrote:
> The other problem is for the user to learn the colours. Anyone who
> uses the web extensively may well visit dozens of sites on a regular
> basis and remembering the colours for each one would be difficult.
> And the sites where it most matters are the ones that people visit
> least often. What percentage of pages that you visit are ones where
> you're paying for something? For me it's somewhere down below 0.01%.
> That's not enough that I'd notice if a site had the wrong colour.
>
However, colouring the address field background (maybe with a ? link at the right-hand end of it) would be an obvious but non-intrusive way of indicating when an URL is using a mix of ascii and internationalized characters. It has similarly been suggested that the address field background could be tinted for secure pages. (maybe green for security, pink if there's a problem with security, orange for phishing alert).
-- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | rja.carnegie at excite.com | | Subject: | Re: New vulnerability? | | Date: | 21 Jan 2005 05:38:25 -0800 |
|
|
 | Paul McGarry wrote:
> On 20 Jan 2005 18:30:37 -0800, rja.carnegie@excite.com wrote:
>
> >> Presumably a "vulnerability" is anything that leads an unsuspecting user
> >> to be vulnerable.
> >
> > Never mind Unicode URLs. What about www.amaz0n.com ?
> >
> > WWW.AMA20N.COM ?
>
> There's an interesting suggestion here:
> http://weblogs.mozillazine.org/gerv/archives/007359.html
>
> I'm not sure it's exactly feasible. I can imagine most users being
> confused by all the different colours rather than understanding them but a
> bit of "out of the square" thinking about the issue isn't a bad thing.
Thanks! I dived in there and refined my bookmarks idea. Optionally colour code by bookmark folder, so your bank and your sites don't look the same.
It's kind of like the well-known, much-copied Evil Overlord to-do list, with tips like "don't tell the Hero your master-plan right before you kill him". What I mean is, there are lieutenants and there are trusted lieutenants. Even though they all should be on your side, it's important to keep straight which is which, for instance planning the guard rota for the Hero's True Love's cell in the dungeon. Actually, maybe the heaviest guard should be around the cell I asked the trusted lieutenant to use while we redecorate his quarters... I'm not thinking about the browser any more, am I? Sorry. ;-)
|
|
 | | From: | rja.carnegie at excite.com | | Subject: | Re: New vulnerability? | | Date: | 23 Jan 2005 10:58:36 -0800 |
|
|
 | Nisse Engström wrote:
> Steven V. Gunhouse wrote:
> > In my status bar in Windows, the Cyrillic "o" is offset lower than the
> > surrounding Latin text. Ah ... the version of Times New Roman (my toolbar
> > font) on this system doesn't include Cyrillic, so I'm getting the "o" from
> > Verdana. (This is a 98 SE system. Presumably a more recent version of
> > Times New Roman would include Cyrillic ...)
>
> I too use Times New Roman on my 98SE box. In my
> case, the two links are identical in the status bar
> and the links panel. A magnification of the links
> panel shows that the spoof is pixel perfect.
>
> I'd *really* like to see a clear indication when
> a URL is obfu^Winternationalized, and an option to
> see the sens^WASCII version of it.
ASCII is a step backwards in this context, though. It's fine for the American-speaking user, but the rest of the world needs Unicode - or better. At least if we're going to include the whole planet... And Opera comes from... dang... Norway, wasn't it?
We're talking about identity theft: theft of the identity of a bank, or an online trading site of some other kind, usually. Your URL is your identity. Well, we need to have something done about that. A lot of things, probably. Better laws. A culture where identity theft in either direction is just severely uncool. And, yes, a technological solution would be good.
Perhaps instead of the browser, we could build a screening technology into a proxy server. At work we have a proxy server that blocks Web sites that the company doesn't want us to use. For a while they ran amuck and systematically blocked search engines, until I guess someone high up pointed out they couldn't DO THEIR JOB without access to Web sites. So... how about, on the PC, ... wait, maybe this has been done anyway. What I have in mind is this - let's see if I get how it works: a URL is submitted to the proxy server from the browser. (Opera knows how to do that.) The proxy server fetches the address for the URL, then fetches the data and passes it on to Opera. So I propose a behaviour where if the URL doesn't really match a site that you visited before - maybe also if the IP address changes (that will catch DNS interference, but will also hit when someone really changes your address) - then the proxy server pauses and sends a popup to say "This is a new Web site. Do you want to go ahead and visit it?" This can be done outside the browser, which doesn't need to know that it's happening.
A basic set of useful functions could include:
- Permit this URL for the duration of this session
- Permit all unfamiliar URLs for the duration of this session
- Permit all unfamiliar URLS except known bad places
- Permit this URL at any time in the future
And what gets permitted can be either the domain name, or the identical URL as far down as the latest slash in the file name... or can be presented to the user for editing.
Of course it also means one more place which logs every URL that you visit, and where you have to erase your history of sites - and of course people will suspect that it's spyware just like Opera itself, and will refuse to use it. But you know what? We can steal their bank account details and buy ice cream. So that's okay.
|
|
 | | From: | Yngve Nysaeter Pettersen (Developer, Opera Software A/S) | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 02:28:48 +0100 |
|
|
 | On Mon, 17 Jan 2005 15:02:34 -0800, Evan Platt wrote:
>http://www.retrosynth.com/misc/phishing.html
>
>Took me a while to figure out what I was missing:
>
>The link is http://www.amazоn.com - the site 'says' amazon.com,
>i.e.
>
>fake site: www.amazon.com
What Opera connects to is the server www.xn--amazn-mye.com, the IDNA (RFC 3490) encoding of the above servername.
>Opera 7.6 7364b 'fails' - it takes me to the site and even in the
>window shows the site as Amazon.com
>
>i.e. doesn't - gives a DNS error. Firefox also 'fails' the test and
>takes me to what appears to be the real site.
>
>Should Opera fail this test and give me a DNS error like IE?
Tried IE with this utility installed? http://www.idnnow.com/index.jsp
IE does not have support for IDNA. Something which is irritating a number of people (Asians and Europeans to mention some) no end.
Opera and Mozilla do not fail; they are working precisely as they should according to an established Internet Standard.
That some Unicode characters look visually similar to US-ASCII characters is a known problem but one that cannot be solved by the clients but must be solved by the IDNA standard itself or the standards that it is based on (such as Unicode or the nameprep standard), and AFAICT there are currently no limits on the use of the characters your testcase uses.
This is **NOT** a vulnerability, although one might make the case that the registrars should put some characters out-of-bounds (which the security considerations of RFC 3490 say they should). A case may, however, (I am not a lawyer) possibly be made about Trademark infringement against whoever registered those domains.
|
|
 | | From: | Paul McGarry | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 16:11:59 +1100 |
|
|
 | On Tue, 18 Jan 2005 02:28:48 +0100, Yngve Nysaeter Pettersen (Developer, Opera Software A/S) wrote:
> This is **NOT** a vulnerability, although one might make the case that
Presumably a "vulnerability" is anything that leads an unsuspecting user to be vulnerable.
While it may be per spec ultimately Opera is the user agent and is first in line for looking after the users' interests.
Surely there are some options here:
-Showing the expanded name (optionally).
-Alerting the user the first time they encounter such a URL and ask them if they are likely to visit pages with non-ascii domain names.
-Something else
Someone has to be looking after "us".
> considerations of RFC 3490 say they should). A case may, however, (I am
> not a lawyer) possibly be made about Trademark infringement against whoever
> registered those domains.
I doubt most phishers are worried too much about that.
-- Paul McGarry http://paulmcgarry.com/
|
|
 | | From: | Matthew Winn | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 08:57:06 +0000 (UTC) |
|
|
 | On Tue, 18 Jan 2005 16:11:59 +1100, Paul McGarry wrote:
> Presumably a "vulnerability" is anything that leads an unsuspecting user
> to be vulnerable.
>
> While it may be per spec ultimately Opera is the user agent and is first in
> line for looking after the users' interests.
>
> Surely there are some options here:
> -Showing the expanded name (optionally).
> -Alerting the user the first time they encounter such a URL and ask them
> if they are likely to visit pages with non-ascii domain names.
What about the second time? You can't interrupt the user every time.
> -Something else
Perhaps some sort of heuristic. It's not the use of Cyrillic or Greek letters that's the problem, but the use of those letters in the middle of a different part of the Unicode range. (The same problem occurs in the other direction, of course.) Perhaps there could be some sort of warning if and only if adjacent letters are from different character blocks. An exclamation mark appearing at the start of the address: click it for more information?
How about punctuation? Are characters like the one-dot leader (U+2024) and the division slash (U+2215) valid in domain names?
-- Matthew Winn [If replying by email remove the "r" from "urk"]
|
|
 | | From: | Brian L Johnson | | Subject: | Re: New vulnerability? | | Date: | Sun, 23 Jan 2005 21:17:51 -0000 |
|
|
 | Matthew Winn wrote:
>> Surely there are some options here:
>> -Showing the expanded name (optionally).
>> -Alerting the user the first time they encounter such a URL and ask
>> them if they are likely to visit pages with non-ascii domain names.
>
> What about the second time? You can't interrupt the user every time.
Yes, you can.
I'd like to be asked every time I visit a new site. I'd like the d/log to be pretty much the same as the Wand one. I'd like to be able to (a) accept this time only, (b) always accept, (c) reject this time only, (d) always reject.
-- blj
|
|
 | | From: | Matthew Winn | | Subject: | Re: New vulnerability? | | Date: | Mon, 24 Jan 2005 08:56:57 +0000 (UTC) |
|
|
 | On Sun, 23 Jan 2005 21:17:51 -0000, Brian L Johnson wrote:
> Matthew Winn wrote:
>
> >> Surely there are some options here:
> >> -Showing the expanded name (optionally).
> >> -Alerting the user the first time they encounter such a URL and ask
> >> them if they are likely to visit pages with non-ascii domain names.
> >
> > What about the second time? You can't interrupt the user every time.
>
> Yes, you can.
>
> I'd like to be asked every time I visit a new site. I'd like the d/log to
> be pretty much the same as the Wand one. I'd like to be able to (a)
> accept this time only, (b) always accept, (c) reject this time only, (d)
> always reject.
That's great if you live in the US but in many parts of the world nearly every URL will (eventually) contain non-ASCII characters. Users would soon get fed up with having to say "Yes, I really want to access this non-ASCII domain" every single time they go to a new site.
-- Matthew Winn [If replying by email remove the "r" from "urk"]
|
|
 | | From: | Brian L Johnson | | Subject: | Re: New vulnerability? | | Date: | Mon, 24 Jan 2005 09:14:49 -0000 |
|
|
 | Matthew Winn wrote:
> On Sun, 23 Jan 2005 21:17:51 -0000, Brian L Johnson wrote:
>> Matthew Winn wrote:
>>
>> >> Surely there are some options here:
>> >> -Showing the expanded name (optionally).
>> >> -Alerting the user the first time they encounter such a URL and ask
>> >> them if they are likely to visit pages with non-ascii domain names.
>> >
>> > What about the second time? You can't interrupt the user every time.
>>
>> Yes, you can.
>>
>> I'd like to be asked every time I visit a new site. I'd like the
>> d/log to be pretty much the same as the Wand one. I'd like to be able
>> to (a) accept this time only, (b) always accept, (c) reject this time
>> only, (d) always reject.
>
> That's great if you live in the US but in many parts of the world
> nearly every URL will (eventually) contain non-ASCII characters.
IWC, a separate checkbox saying something like '[_]Never Ask Me Again About ANY Sites Like This' would seem to be in order.
> Users would soon get fed up with having to say "Yes, I really want
> to access this non-ASCII domain" every single time they go to a new
> site.
Once they've had their bank accounts emptied a couple of times, they'll either (a) put up with the annoyance of answering a yes/no question or (b) choose not to visit such sites.
-- blj
|
|
 | | From: | Paul McGarry | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 22:57:20 +1100 |
|
|
 | On Tue, 18 Jan 2005 08:57:06 +0000 (UTC), Matthew Winn wrote:
>> Surely there are some options here:
>> -Showing the expanded name (optionally).
>> -Alerting the user the first time they encounter such a URL and ask them
>> if they are likely to visit pages with non-ascii domain names.
>
> What about the second time? You can't interrupt the user every time.
You can if they answer the question with a "no". I expect I'd answer with a no and would only come across such a page very rarely if at all. They could be blocked with as much pain as popups are now.
If they answer with a yes then you can explain to them that any such URLs will be shown in a particular fashion in future or something.
> How about punctuation? Are characters like the one-dot leader (U+2024)
> and the division slash (U+2215) valid in domain names?
(Are there unicode characters that look like _other_ unicode characters? Argh, I'm sure there are headaches after headaches here, but at this stage surely a partial solution that works for a lot of users is better than nothing)
Paul
-- Using Opera's revolutionary e-mail client: http://www.opera.com/m2/
|
|
 | | From: | Peter Karlsson | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 14:51:45 +0100 |
|
|
 | Paul McGarry:
> If they answer with a yes then you can explain to them that any such
> URLs will be shown in a particular fashion in future or something.
The problem is just how to properly detect a confusing URL. The case of non-latin + latin can be quite simple to detect, but there might be legitimate uses of these URLs, too.
> (Are there unicode characters that look like _other_ unicode characters?
There are several characters in Unicode that look similar. A number of them are disallowed from IDNA because they are just separate forms of the other characters, whereas in this specific case it is the difference between scripts, the latin letter o looks very much like the Cyrillic letter о. Enough to be able to fool people that "amazоn.com" really is "amazon.com".
This is quite similar to the case where people register domains like "goggle.com" or "micr0soft.com", but potentially a lot more confusing.
-- \\// Peter Karlsson, software engineer, Opera Software
The opinions expressed are my own, and not those of my employer. Please reply only by follow-ups in the newsgroup.
|
|
 | | From: | Rijk van Geijtenbeek | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 11:15:42 +0100 |
|
|
 | On Tue, 18 Jan 2005 08:57:06 +0000 (UTC), Matthew Winn wrote:
> On Tue, 18 Jan 2005 16:11:59 +1100, Paul McGarry wrote:
>> Presumably a "vulnerability" is anything that leads an unsuspecting user
>> to be vulnerable.
>>
>> While it may be per spec ultimately Opera is the user agent and is first in
>> line for looking after the user's interests.
>>
>> Surely there are some options here:
>> -Showing the expanded name (optionally).
>> -Alerting the user the first time they encounter such a URL and ask them
>> if they are likely to visit pages with non-ascii domain names.
>
> What about the second time? You can't interrupt the user every time.
>
>> -Something else
>
> Perhaps some sort of heuristic. It's not the use of Cyrillic or Greek
> letters that's the problem, but the use of those letters in the middle
> of a different part of the Unicode range. (The same problem occurs in
> the other direction, of course.) Perhaps there could be some sort of
> warning if and only if adjacent letters are from different character
> blocks. An exclamation mark appearing at the start of the address:
> click it for more information?
From RFC 3490:
"To help prevent confusion between characters that are visually similar, it is suggested that implementations provide visual indications where a domain name contains multiple scripts. Such mechanisms can also be used to show when a name contains a mixture of simplified and traditional Chinese characters, or to distinguish zero and one from O and l. DNS zone adminstrators may impose restrictions (subject to the limitations in section 2) that try to minimize homographs."
Easier said than done...
-- The Web is a procrastination apparatus: | Rijk van Geijtenbeek It can absorb as much time as | Documentation & QA is required to ensure that you | Opera Software ASA won't get any real work done. - J.Nielsen |http://my.opera.com/Rijk/journal
|
|
 | | From: | Matthew Winn | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 14:20:35 +0000 (UTC) |
|
|
 | On Tue, 18 Jan 2005 11:15:42 +0100, Rijk van Geijtenbeek wrote:
> From RFC 3490:
>
> "To help prevent confusion between characters that are visually
> similar, it is suggested that implementations provide visual
> indications where a domain name contains multiple scripts. Such
> mechanisms can also be used to show when a name contains a mixture of
> simplified and traditional Chinese characters, or to distinguish zero
> and one from O and l. DNS zone adminstrators may impose restrictions
> (subject to the limitations in section 2) that try to minimize
> homographs."
>
> Easier said than done...
I don't think it's all that difficult to deal with multiple scripts. All you need is a list of the lowest character numbers in each character block, and give each block in the list a unique number:
0000 : 1
0250 : 2
0370 : 3
0400 : 4
0530 : 5
0590 : 6
0600 : 7
...

Then for each segment of the domain name:

    Allocate an array of integers the same size as the segment.

    For each character in the segment set the corresponding integer in
    the array just allocated as follows:

        If the character is a letter scan through the list of character
        blocks and set the array element to the unique number from the
        table above.

        Otherwise set the array element to zero.

    If there are any adjacent, different, non-zero values in the array,
    warn the user.
It's not a particularly fast algorithm, but as it's only used when the domain name in the address bar changes it doesn't need to be fast.
-- Matthew Winn [If replying by email remove the "r" from "urk"]
|
|
 | | From: | Peter Karlsson | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 15:31:54 +0100 |
|
|
 | Matthew Winn:
> All you need is a list of the lowest character numbers in each character
> block, and give each block in the list a unique number:
Yes, this simplistic approach works fine until you come to the block of Han characters, where forms used in traditional Chinese, simplified Chinese, Japanese and Korean are all mixed together...
> If there are any adjacent, different, non-zero values in the
> array, warn the user.
Unfortunately, this would also warn for a Cyrillic domain name containing digits, since the same digits are used as for latin text. Same applies for Greek...
-- \\// Peter Karlsson, software engineer, Opera Software
The opinions expressed are my own, and not those of my employer. Please reply only by follow-ups in the newsgroup.
|
|
 | | From: | Matthew Winn | | Subject: | Re: New vulnerability? | | Date: | Tue, 18 Jan 2005 15:43:48 +0000 (UTC) |
|
|
 | On Tue, 18 Jan 2005 15:31:54 +0100, Peter Karlsson wrote:
> Matthew Winn:
> > All you need is a list of the lowest character numbers in each character
> > block, and give each block in the list a unique number:
>
> Yes, this simplistic approach works fine until you come to the block of
> Han characters, where forms used in traditional Chinese, simplified
> Chinese, Japanese and Korean are all mixed together...
I'm thinking of an algorithm that will work for most situations, not for every possible case. It's a starting point, not finished code.
If you have a situation where block 1 is used in language A, block 2 is used in languages A and B, and block 3 is used in language B, then you have no choice but to add a special case to the code to check that blocks 1 and 3 are not used together while allowing blocks 1 and 2 or blocks 2 and 3 to be combined. There's no way to avoid that, but if you can deal with most cases generically the number of special cases you have to deal with is small.
> > If there are any adjacent, different, non-zero values in the
> > array, warn the user.
>
> Unfortunately, this would also warn for a Cyrillic domain name containing
> digits, since the same digits are used as for latin text. Same applies for
> Greek...
That's why I said "letters", not "letters and digits". The point is to catch places where someone drops a fake letter into the middle of a word, not to complain every time more than one character block is used.
Besides, it's just a warning: "This domain has mixed character blocks, so if it doesn't look as though it needs mixed character blocks you should take care." It might be annoying if it's occasionally overenthusiastic, but it's not fatal.
-- Matthew Winn [If replying by email remove the "r" from "urk"]
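The block-number heuristic described in the posts above, written out as an added Python example (not code from the thread or from Opera). The function names and the sample domain names are assumptions made for the illustration, and the block table stops where the post's table does.

```python
from bisect import bisect_right

# Lowest code point of each character block, copied from the post's table.
# The post elides the rest ("..."), so every code point from U+0600 upward
# lands in the last listed block here; a full table would continue.
BLOCK_STARTS = [0x0000, 0x0250, 0x0370, 0x0400, 0x0530, 0x0590, 0x0600]


def block_number(ch):
    """Unique 1-based number of the listed block that contains ch."""
    return bisect_right(BLOCK_STARTS, ord(ch))


def block_array(segment):
    """One integer per character: block number for letters, 0 otherwise."""
    return [block_number(ch) if ch.isalpha() else 0 for ch in segment]


def mixed_block_segments(domain):
    """Return (segment, index) for each dot-separated segment in which a
    letter directly follows a letter from a different block. The index is
    the position of the second letter of the first such pair."""
    hits = []
    for segment in domain.split("."):
        blocks = block_array(segment)
        for i in range(1, len(blocks)):
            if blocks[i - 1] and blocks[i] and blocks[i - 1] != blocks[i]:
                hits.append((segment, i))
                break  # one warning per segment is enough
    return hits


# Constructed sample names for the illustration.
SPOOFED = "www.amaz\u043en.com"  # Cyrillic o (U+043E) among Latin letters
PLAIN = "www.amazon.com"         # Latin letters only
# Cyrillic letters followed by digits: digits map to 0, so no warning.
CYRILLIC_WITH_DIGITS = "\u043f\u0440\u0438\u043c\u0435\u04402005.example"

if __name__ == "__main__":
    for name in (SPOOFED, PLAIN, CYRILLIC_WITH_DIGITS):
        hits = mixed_block_segments(name)
        verdict = "WARN" if hits else "ok"
        # ascii() makes the non-Latin code points visible in the output.
        print(verdict, ascii(name), [(ascii(s), i) for s, i in hits])
```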
|
|
|