
A suggested 'possible' fix for IDN URL spoofing


Ruari Callow

Feb 9, 2005, 7:11:32 AM2/9/05
Ok, here is my take on how Opera could fix or at least improve the problem
of IDN spoofing. It is a combination of ideas I have seen elsewhere. What
are people's thoughts?

The first time an IDN URL is used pop up a message informing that IDNs can
be used to mimic ASCII/traditional URLs (along with some explanation as to
how) but that they can also be perfectly valid URLs (used in international
domains). Then give the user three options, available via radio boxes
(this should also be customisable later via the preferences).

1) Ignore this message and never inform me again. Allow IDN URLs to be
displayed unchanged.
2) Ignore this message and never inform me again but show all IDN URLs in
a green* font.
3) Do nothing. The same popup warning will occur the next time an IDN URL
is accessed.

Optionally, you may also want to add some hints as to which option is most
appropriate for the user. i.e. 1 is for confident advanced users who wish
to deal with this issue by their own means and don't want the browser
displaying IDNs any differently. 2 is for users who frequently use IDN
websites but want a little hint that they are surfing such a site. That
way if www.mybank.com ever turns green and wasn't before then they should
be alarmed. Surfing other sites with green URLs will not inconvenience
them in any way (they will just note the green tint to the URL). Finally
option 3 is for people who rarely/never surf IDN sites or find this all
very confusing, they will be informed/reminded each time they encounter an
IDN site. (Perhaps this should probably be the default selected option,
let more experienced users pick one of the other two).

*The reason for green font is that green typically has a positive
connotation, unlike say red and we don't want to imply that IDNs
themselves are bad. Possibly a darker green so that they are easy on the
eye and only look slightly different from normal URLs (just enough to
notice). As an added bonus you may want to make the IDN URL colour
changeable via preferences.

--
The email address this message was posted from is valid but will expire.
If you want to contact me several days after my posting you can find a
contact email address on http://ruari.com/

rja.ca...@excite.com

Feb 9, 2005, 8:27:10 AM2/9/05

Unless I missed it, you forgot, "Don't open that URL, because I
miskeyed, or I don't trust it."

But I still prefer making the split be between URLs for sites you've
previously / recently visited and those that you haven't - since really
the risk is in mistaking one for the other, I think. For exact URLs,
this is a matter of enforcing a specific meaningful colour for visited
hyperlinks. (Maybe colour the mouse pointer, when the page itself has
its own colour scheme.) But I'd also want a regular eBay user to get a
strong feedback cue on any eBay link - clearly distinct from eßay, you
see?

I note with interest the news of work being done in this field with
proxy servers.

There is a separate but congruent question of risk of possible
compromise of DNS service itself. And I think I recently heard of at
least one worm which causes correct bank Web page requests to be served
from criminals' servers instead of the actual bank.

And let's face it, if we can't count on seeing "Paris in the
the spring" as fallacious when we look at it, it's best not
to trust any URL which looks okay but isn't from a trusted
source. Trust is often fractional, anyway.

Ruari Callow

Feb 9, 2005, 9:18:55 AM2/9/05
On Wed, 9 Feb 2005, rja.ca...@excite.com wrote:

> But I still prefer making the split be between URLs for sites you've
> previously / recently visited and those that you haven't - since really
> the risk is in mistaking one for the other, I think. For exact URLs,
> this is a matter of enforcing a specific meaningful colour for visited
> hyperlinks. (Maybe colour the mouse pointer, when the page itself has
> its own colour scheme.) But I'd also want a regular eBay user to get a
> strong feedback cue on any eBay link - clearly distinct from eßay, you
> see?

Ok, I had some new thoughts. How about ALL new domain names are coloured
differently (e.g. green, #00cc00) in the browser address bar and over time
as they are more used the colour gets closer and closer to black. For
example they are coloured #00cc00 in the address field for the first three
times a given domain name is used. The next 6 times they are coloured with
#006600. On the tenth time (and thereafter) URLs for the domain are
coloured black (since they are clearly trusted or the user would not keep
going back to them). If the user was to click on a spoofed URL for a
trusted site such as a bank, either due to Unicode character substitution
or even ASCII substitution (e.g. '0' for 'o') then the URL would appear
bright green which could trigger them to know something is up, i.e. a
thought process along the lines of "Green is for new URLs, why is my bank
showing with a green URL. Could it be spoofed??"

Ruari Callow

Feb 9, 2005, 9:33:17 AM2/9/05
On Wed, 9 Feb 2005, Ruari Callow wrote:

> Ok, I had some new thoughts. How about ALL new domain names are coloured
> differently (e.g. green, #00cc00) in the browser address bar and over time as
> they are more used the colour gets closer and closer to black. For example
> they are coloured #00cc00 in the address field for the first three times a
> given domain name is used. The next 6 times they are coloured with #006600.
> On the tenth time (and thereafter) URLs for the domain are coloured black
> (since they are clearly trusted or the user would not keep going back to
> them). If the user was to click on a spoofed URL for a trusted site such as a
> bank, either due to Unicode character substitution or even ASCII substitution
> (e.g. '0' for 'o') then the URL would appear bright green which could trigger
> them to know something is up, i.e. a thought process along the lines of
> "Green is for new URLs, why is my bank showing with a green URL. Could it be
> spoofed??"

Hate to follow up my own post but someone on the Opera forums (where I
also posted this) pointed out that many people are colour blind. This is a
good point and leads me to the following.

It doesn't actually have to be a colour change (though I suspect even
someone colour blind might notice this as a change from grey to solid
black). There could be a growing meter/bar notifying how often a given
domain has been visited. Even a number displayed somewhere (you have
visited www.yourbank.com 20 times in the last 30 days). Any of these would
give an obvious visual clue that a spoofed domain is fake. If suddenly
www.opera.com started showing as having never been visited before how many
of you would think something is up?

Ruari Callow

Feb 9, 2005, 9:39:19 AM2/9/05

In Opera 8 beta a star is displayed in the URL drop down to allow you to
pick out one of your top 10 sites. Why not keep a star displayed somewhere
in the browser when viewing one of your top 10 (or even better top 50)
sites? Obviously a spoofed URL would not show this star since it would be
the first time you visited it!

Ruari Callow

Feb 9, 2005, 10:06:19 AM2/9/05

Also have the star displayed when a bookmarked site is visited. This will
handle most of the sites that aren't visited regularly but are known to
the user. (If you want to keep the same colour format as the rest of the
Opera UI in beta 8 then the star could be orange if a top visited site and
green if only bookmarked).

The star could be displayed where the padlock currently appears on secure
sites or if the site is known to the user (frequently visited and/or
bookmarked) in addition to being secure then have the star and padlock
next to one another.

This would actually be a great feature IMHO and would once again show that
Opera is at the forefront. Think about it, users would just get used to
looking for the star in the same way they look for the padlock now. The
spoofers have no way of making this star appear since it is the first time
you visited their site. A dead giveaway!

rja.ca...@excite.com

Feb 9, 2005, 10:21:13 AM2/9/05

I think the criteria are tough: I don't want an indicator that makes
visiting new Web sites by Google-venture difficult or unpleasant, but
at the same time, a cue that something may be wrong should be clear.
Subconscious.

In colour, ZoneAlarm pops up windows requesting net access on behalf of
applications (or something like that) coloured green for a previously
allowed application, red for a new one, yellow for a program that has
changed - like when you install Opera 7.54u2 over 7.54u1.

So I'm thinking about the mouse cursor changing colour, or flashing
black/white when you point at a URL - slow, medium, fast, for visited
never, seldom, often. I'm not sure how subtle such colouring should
be.

Perhaps the indicator should also hint at how different a URL is from
the last one that you visited. Say a link goes to a part of Amazon
that you rarely use, such as banking (if they have banking)?

And it occurs to me now that if you regularly use Google - or tinyurl -
then their cache and redirection functions make URL comparison
meaningless for distinguishing frequently and rarely visited sites,
unless they are made special cases. If a malicious route starts by
going to Google cache of a malicious page while looking like Your Bank,
Inc., how to ring the alarm?

Perhaps a standard could be established of including
"CountTowardsFrequentVisitorConfidenceIndicator=NO" when appropriate in
URLs or in metadata. I don't see tinyurl accepting it in URLs!

Perhaps the default had better be NO, unless a site sends YES.

Perhaps we should use other methods to validate connections to
important Web sites. Certificates?

Ruari Callow

Feb 9, 2005, 10:40:40 AM2/9/05
On Wed, 9 Feb 2005, rja.ca...@excite.com wrote:

> I think the criteria are tough: I don't want an indicator that makes
> visiting new Web sites by Google-venture difficult or unpleasant, but
> at the same time, a cue that something may be wrong should be clear.
> Subconscious.

Did you read my posting on using the Star that Opera uses for
bookmarks/top visited sites? The idea being that if you are visiting a
bookmarked or frequently visited site a star appears, placed where the
padlock or rss feeds are listed in the address bar URL field now. (if a
site is secure and bookmarked/frequently visited then the star appears
next to the padlock).

If you are a Paypal user for example you are likely to have Paypal
bookmarked or at the very least you will probably visit it regularly. If
some website or email links to a fake paypal then when the site loads the
star will be missing from the address bar URL field since it will be the
first time you used the site. Hence it is easy for the user to see
something is wrong.

Would this make visiting new web sites difficult or unpleasant? I don't
see how it would. They would just be missing the star, which simply
indicates that they are new to you (which you knew anyway). It would not
affect your browsing in any way. A missing star implies that you might want
to treat the site with a bit more caution than one of your favourite
sites, something I would naturally do anyway!

In summary it does not solve all issues but it makes it a damn sight
easier to pick out when you are on a fake version of one of your favourite
sites, which is the main issue as far as I can tell.

aurora

Feb 9, 2005, 11:29:24 AM2/9/05

> Hate to follow up my own post but someone on the Opera forums (where I
> also posted this) pointed out that many people are colour blind. This is
> a good point and leads me to the following.
>
> It doesn't actually, have to be a colour change (though I suspect even
> someone colour blind might notice this as a change from grey to solid
> black). There could be a growing meter/bar notifying how often a given
> domain has been visited. Even a number displayed somewhere (you have
> visited www.yourbank.com 20 times in the last 30 days). Any of these
> would give an obvious visual clue that a spoofed domain is fake. If
> suddenly www.opera.com started showing as having never been visited
> before how many of you would think something is up?

I'd like to join the discussion because I'm developing an open source
desktop search engine MindRetrieve [http://mindretrieve.berlios.de/]. It
is primarily designed for searching the web pages you have seen. But since
it is implemented as an HTTP proxy, it may also be used as a guard between
the browser and the WWW. And since it keeps a history of the web pages and
domains you have visited, it can provide users a clue or alert on new
domains.

The UI I have in mind is more passive. Since MindRetrieve is designed as
a non-intrusive transparent proxy, everything starts with a click on the
bookmarklet. The current URL is used to query against the user database
and the history info can be presented. So the user starts off by loading
the URL in question. Before entering the username and password the user
decides to give it a check to make sure, so he clicks the bookmarklet. If
he finds that it is the bank he has bookmarked he can login with
confidence. On the other hand MindRetrieve may tell him the site is
loading for the first time (for example by showing a red bar). Then the
user has to make a decision whether he wants to find out more about this
site before logging in.

A more proactive tool is the Netcraft toolbar. It actually would block
users from loading suspicious web pages according to their database. But
it runs on IE and mozilla only.

Any opinion? If you want to give the current release 0.4.0 a try, note that
it does not yet have the bookmarklet function I've described.

CrazyTerabyte

Feb 11, 2005, 10:52:58 PM2/11/05
On Wed, 9 Feb 2005 09:18:55 -0500, Ruari Callow <cul9...@ruari.com>
wrote:

> Ok, I had some new thoughts. How about ALL new domain names are coloured
> differently (e.g. green, #00cc00) in the browser address bar and over time
> as they are more used the colour gets closer and closer to black. For
> example they are coloured #00cc00 in the address field for the first three
> times a given domain name is used. The next 6 times they are coloured with
> #006600. On the tenth time (and thereafter) URLs for the domain are
> coloured black (since they are clearly trusted or the user would not keep
> going back to them).

This can be exploited easily. Just make a framed site with the spoofed URL
inside. Make it reload some times, make user click sometimes, or find some
way to force the untrusted URL be considered trusted.

I think the "trustness" should be manually set by user, more or less like
Wand works.

rja.ca...@excite.com

Feb 12, 2005, 9:45:41 AM2/12/05

Well, the frame itself has to be a spoof, too - or maybe you use it for
pornography preview sites, so a lot of users have it "frequently
visited". Then you use it to wrap the fake bank.

Incidentally, another attack reported is to use a frame or something to
present the /real/ bank, and to float on top of it a popup window that
asks for user name and password. Victims assume that the popup came
from the bank.

> I think the "trustness" should be manually set by user, more or less like
> Wand works.

This is why I want trust to be based on (some) bookmarks.

How does the wand behaviour interact with frames? I.e., if a frameset
includes pages you know about and pages you don't?
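The following is an added example, not code from this thread, from Opera or from MindRetrieve: a small Python model of the address-bar cue Ruari proposes, using his visit-count colours (#00cc00, then #006600, black from the tenth visit) and the bookmark/frequent-visitor star, with two hardenings the replies call for: hosts are canonicalised to their ASCII xn-- form so a Unicode look-alike never shares a history entry with the domain it imitates, and only top-level navigations are counted so framed or forced reloads (CrazyTerabyte's objection) cannot age a domain into the trusted colour. The `TrustIndicator` class, the `top_level` flag and the sample URLs are assumptions for illustration.

```python
from collections import Counter
from urllib.parse import urlsplit

# Thresholds as proposed in the thread: visits 1-3 bright green,
# visits 4-9 dark green, tenth visit onwards black (and starred).
FIRST_VISITS, TRUSTED_VISITS = 3, 10


def canonical_host(url: str) -> str:
    """Lower-case the host and convert IDN labels to their ASCII xn-- form, so a
    Unicode look-alike never shares a history entry with the domain it imitates."""
    host = urlsplit(url).hostname or ""   # .hostname is already lower-cased
    return host.encode("idna").decode("ascii")


class TrustIndicator:
    """Hypothetical model of the address-bar cue discussed in the thread."""

    def __init__(self, bookmarks):
        self.bookmarks = {canonical_host(b) for b in bookmarks}
        self.visits = Counter()

    def record(self, url: str, top_level: bool = True) -> None:
        # Count only navigations of the top-level window: loads inside a frame
        # or forced reloads (CrazyTerabyte's objection) must not be able to
        # age an attacker's domain into the trusted colour.
        if top_level:
            self.visits[canonical_host(url)] += 1

    def familiarity(self, url: str) -> dict:
        host = canonical_host(url)
        n = self.visits[host]
        if n >= TRUSTED_VISITS:
            colour = "#000000"
        elif n > FIRST_VISITS:
            colour = "#006600"
        else:
            colour = "#00cc00"  # never or rarely seen: bright green
        return {
            "host": host, "visits": n, "colour": colour,
            # star: bookmarked or frequently visited (the Opera 8 star idea)
            "star": host in self.bookmarks or n >= TRUSTED_VISITS,
            # Ruari's first proposal: flag IDNs so they can be shown differently
            "idn": any(label.startswith("xn--") for label in host.split(".")),
        }


if __name__ == "__main__":  # constructed sample: a framed look-alike load
    ti = TrustIndicator(["https://www.paypal.com/"])
    ti.record("https://www.p\u0430ypal.com/", top_level=False)
    print(ti.familiarity("https://www.p\u0430ypal.com/"))  # visits 0, idn True
```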
