Posts Tagged ‘IDN’

Microsoft wins legal dispute over Bing.com IDN lookalike

November 3rd, 2010 by

A couple of years ago I tried registering IDNs (Internationalized Domain Names) that were visually identical or similar to popular sites like mozilla.org, bing.com, and google.com. What I found was that I wasn’t the only one doing this. For me, it was just to demonstrate the possibilities for visual spoofing in modern user-agents, similar to what we saw in 2005 with the paypal.com spoof.

I don’t think this recent legal decision made the news anywhere, but Microsoft filed a complaint that a registered domain name www.bıng.com was confusingly similar to its www.bing.com brand. In case it’s hard to see, the issue here is with the dotless ‘i’ in the lookalike domain. In that domain, the registrant used Unicode character U+0131 LATIN SMALL LETTER DOTLESS I in place of the usual U+0069 LATIN SMALL LETTER I in bing.com.

Microsoft won the case on valid merits, and as far as we know there was no harm done. That is, I haven’t heard any news of a phishing attack that utilized this domain name. It’s easy to imagine the extent of harm possible through a phishing/luring/schmoozing/whatever attack that utilizes confusing IDNs across the context of email clients, web browsers, and other user-agents. A well-thought-out attack could be surprisingly effective.

IDNA2008 hits the standards track – visually confusing strings remain a threat

August 31st, 2010 by

After many years of engineering efforts, the Internationalizing Domain Names in Applications (IDNA) protocol has received its first major update since the original 2003 standard. Although named IDNA2008, it hit the standards track in August 2010. Section “4.4 Visually Confusable Characters” of RFC 5890 is worth noting:

It is worth noting that there are no comprehensive technical solutions to the problems of confusable characters. One can reduce the extent of the problems in various ways, but probably never eliminate it.

Taken out of context this may sound hopeless, but the RFC goes on to reference Unicode TR36 as providing a set of suggestions for mitigating string confusability. It’s in this vein that Casaba has built UCAPI which provides an implementation of the Unicode Consortium’s suggestions as well as defensive techniques from our own learnings.
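Added here as an illustration, not code from either post nor from Casaba’s UCAPI: a small Python check in the spirit of the TR36 recommendations that decodes each label of a domain, lists its non-ASCII characters with their Unicode names, flags mixed scripts, and compares a UTS #39-style “skeleton” against a list of protected brands, so that both the dotless-i bıng.com case above and the 2005 Cyrillic paypal.com spoof are reported. The confusable table is a constructed subset and the brand list is an assumption.

```python
import unicodedata

# Constructed subset of the UTS #39 confusable table (assumption: a handful of
# entries is enough to demonstrate the check; the real table has thousands).
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the bıng.com case)
    "\u0237": "j",  # LATIN SMALL LETTER DOTLESS J
    "\u0430": "a",  # CYRILLIC SMALL LETTER A (the 2005 paypal.com case)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC")

def to_u_label(label):
    """Turn an A-label (xn--...) back into its U-label; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label

def skeleton(label):
    """UTS #39-style skeleton: NFKC-fold, lower-case, then map known confusables."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)

def scripts_in(label):
    """Approximate the scripts present from character names (stdlib has no Script property)."""
    first_words = (unicodedata.name(ch, "").split(" ")[0] for ch in label)
    return {w for w in first_words if w in SCRIPTS}

def check_domain(domain, brands):
    """Return [(u_label, a_label, findings)] per label; findings are
    ('non_ascii' | 'mixed_script' | 'confusable_with', detail) pairs."""
    report = []
    for raw in domain.split("."):
        u_label = to_u_label(raw)
        a_label = u_label.encode("idna").decode("ascii")  # Punycode form, for logs
        findings = []
        non_ascii = [(ch, unicodedata.name(ch, "?")) for ch in u_label if ord(ch) > 127]
        if non_ascii:
            findings.append(("non_ascii", non_ascii))
        if len(scripts_in(u_label)) > 1:
            findings.append(("mixed_script", sorted(scripts_in(u_label))))
        for brand in brands:  # same-script lookalikes like bıng only surface here
            if u_label != brand and skeleton(u_label) == skeleton(brand):
                findings.append(("confusable_with", brand))
        report.append((u_label, a_label, findings))
    return report
```

Note that bıng trips only the skeleton comparison: dotless i is a Latin letter, so a mixed-script check alone would pass it, which is exactly why the RFC calls the problem unsolvable in general. Call `check_domain("bıng.com", ["bing"])` to see the per-label report.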

I can imagine that we will one day see a wide-spread attack that leverages string confusability – or maybe – we won’t see it because it’ll blend in so well as to be undetectable.

New registrations of Internationalized Domain Names are expected to increase radically over time as ICANN has opened up ccTLD support for Unicode and IDN, as well as gTLD. As more TLDs become provisioned in native scripts, it’s expected that they will support the expansion of many more internationalized domain names.

What are registrars doing now to protect customers from lookalike attacks on their brand? Is it their responsibility? Whose is it? Many organizations including ICANN are making suggestions, but is anyone listening?