Last week one of my readers, Louis Roberge of Canadian web host and online services company Six Dot Net Informatique Inc, wrote to me about a very serious exploit of the International Domain Name (IDN) feature that permits spoofing of secure legitimate sites.
Louis is in charge of customer relations at his ISP and wants to know what steps to take to help his customers be more secure.
At this web site, http://secunia.com/multiple_browsers_idn_spoofing_test, you can see a spoof of an eBay web site. The URL or web site in your web browser will read “eBay.com” but the content is from another web site – imagine the scams and hacks that could go on.
Louis explained that about four years ago, the IDN feature was included in all Mozilla web browsers, except for Internet Explorer. Microsoft’s lag in implementing the feature just turned into an advantage. This feature was implemented in browsers to permit the use of international characters in domain names, but it also permits its use for registering spoof sites.
The flaw was brought to the attention of browser developers and DNS registrars on January 19, 2005, and it was published last Sunday, February 6. The possibilities for exploitation are endless and are limited only by hackers’ and phishers’ imaginations.
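As an added example (not part of the original column), here is one way a mail or link filter could flag the kind of look-alike host name described above: it reports every host label that contains international characters and shows the plain-ASCII form of the name. The function names `inspect_host` and `inspect_url` are hypothetical, and the sample link is constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

def script_of(ch):
    """Rough script tag taken from the Unicode character name (LATIN, CYRILLIC, ...)."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def inspect_host(host):
    """Return (ASCII form of host, findings) where findings lists suspicious labels."""
    ascii_labels, findings = [], []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            # Decode the ASCII-compatible form so both spellings are judged alike.
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                findings.append((label, "invalid punycode", []))
                ascii_labels.append(label)
                continue
        if all(ord(c) < 128 for c in label):
            ascii_labels.append(label)
            continue
        scripts = sorted({script_of(c) for c in label} - {"COMMON"})
        # A single-script label can still imitate a Latin name, so every
        # non-ASCII label is reported; mixed scripts are called out separately.
        reason = "mixed scripts" if len(scripts) > 1 else "non-ASCII label"
        findings.append((label, reason, scripts))
        ascii_labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(ascii_labels), findings

def inspect_url(url):
    """Apply inspect_host to the host part of a link, e.g. one found in an e-mail."""
    return inspect_host(urlsplit(url).hostname or "")

if __name__ == "__main__":
    # Constructed samples: the first host starts with CYRILLIC SMALL LETTER IE (U+0435).
    for link in ["http://\u0435bay.com/signin", "http://ebay.com/signin"]:
        ascii_host, findings = inspect_url(link)
        print(ascii_host, findings or "ok")
```

The script test is a rough heuristic based on character names, so treat a finding as a reason to look at the ASCII form of the name rather than as proof of spoofing.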
I turned to technology consultant Lynn Berstein of ECG Inc. for advice.
Lynn advised that the easiest way to protect yourself is to NOT click on a web link from an email message but instead type the web site address yourself. If you get an email that reads, “Go to PayPal.com” – DO NOT go to PayPal via that address in the email message. Instead open your web browser and type the web site address in yourself.
Lynn gave me the following URL (it’s safe!) http://www.boingboing.net/2005/02/06/shmoo_group_exploit_.html which shares input from “good-hackers” who have fixed this issue in the web browser Firefox by disabling support for international characters in domain names.
She writes further: This is not an issue for Network Solutions or Verisign (or any other domain name registration); it is an ICANN (the entity that manages domain names) issue totally. ICANN makes the rules; the registries and registrars just follow the rules.
A couple of years ago ICANN decided on recognizing international domain names, and Verisign (who owns Network Solutions) was the first to implement this feature.
Technology cannot protect everyone from everything and even when technologists tell the public, most don’t listen or follow the advice. People have to learn to take responsibility for themselves and their actions. Most companies try hard to get out all the bugs before release but they will never get rid of all of them first. We just have to learn to live with it. Also hackers are the first to look for any exploits and we have to live with that too.
We also need to teach non-techs how to be careful and hope they listen.
Web link to: Six Dot Net Informatique Inc.