The first thing that strikes me is that the IDN/Shmoo thing
is not a bug but is a feature. It's doing what it was
intended to do. Indeed, one of the browser manufacturers
said that in the Shmoo advisory (but just saying that is
not a sufficient response!).
We've always been able to copy domain names and create
similar looking ones. That's a feature or a bug in the
wider social construct known as _written language_, and
there is little that the browser or the Internet can
do to change that. And in fact the browser is supposed
to work with this, which is what the IDN is all about!
This is a key essence in phishing, and the Shmoo bug is
just an example of how phishing will occur. The wider
issue is nothing new. What's more, we will never be
able to assume that a cert is unavailable for these
domain names. There's no way that a CA in one corner
of the world can understand that a brand name in another
is being copied.
The way to deal with this is to have the user and the
browser work together and use the knowledge and trust
that the user has in her head.
(I will assume that SSL is indicated here because it is
important.) What the browser has to do is to show the
user several things:
1. Who the CA is that signed the cert. (Note that this
alone would have covered Shmoo, as PayPal do not
use USERTRUST.)
2. What the user previously knew/set about that site.
Remember, the user knows her trusted sites. She is the
one that trusts Bank of America, not the CA and not
the browser manufacturer. So when she goes to her bank,
she can designate that bank as "her bank". Even if she
types in the words "this is my bank," that's a good
enough start (this is called a petname).
Better would be an icon, sort of like a favicon, but it
has to be tied to the certificate, and it has to be
assigned and accepted by her, elsewise the spoofer simply
copies the public info on the website.
The best way to do this is to show the logo of the CA
(can be shipped in the browser for added security)
alongside a logo for the bank that the user selected
when she first visited the bank in SSL form. Those
logos should appear on the chrome, in a position that
can't be touched by the HTML. Logos form visual cues
in the brain that are subconsciously processed, whereas
words are filtered out.
Then, when the spoof BunkOfAmerika turns up, the HTML
might look the same, but the browser should treat this
as an untrusted site - no logos because the cert seen
(if any) doesn't have any logos selected.
iang
PS: this is a revised version of what I blogged over at:
http://www.financialcryptography.com/mt/archives/000336.html
and all the imagery is on that paper at:
http://www.cs.biu.ac.il/~herzbea//Papers/ecommerce/spoofing.htm
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security