Foreign Character Friendly Domain Names - Security Threat?
Here is an article from BBC about the testing of an enhancement to the current domain name system that allows the use of Internationalized URLs.
The tests were carried out by the Internet Corporation for Assigned Names and Numbers (Icann) that oversees the running of the net’s addressing system. Currently net domains, such as bbc.co.uk, can only be written with 37 characters from the Roman alphabet which includes the letters A-Z, numbers 0-9 and the hyphen.
This can cause problems in nations such as China where many new net users have scant knowledge of that character set. The tests carried out by Icann involved up-to-date versions of the live master address books, or root servers, that direct users’ computers to the actual location of an internet domain.
This is not exactly new, as domain providers and countries have already been providing Internationalized Domain Names (IDN) support as a workaround to the current ASCII limits for domain names. For example, I have been using the domain http://www.杨怀义.com/ for this blog too. The biggest threat to this kind of system is phishing attacks. The introduction of internationalized character sets can open systems to homograph attacks.
Different logical characters may have identical or very similar appearances in different character sets. For example, Unicode character U+0430, Cyrillic small letter a (“а”), can look identical to Unicode character U+0061, Latin small letter a (“a”), which is the lowercase “a” used in English. Technically, characters that look alike in this way are known as homoglyphs (a subgroup of homographs). Spoofing attacks based on these similarities are known as homograph spoofing attacks.
Ok. Phishing attacks are not new. The use of SSL certificates can provide some level of protection for really security-aware providers. However, a lot of phishing attacks target non-tech-savvy users, with or without IDN. IDN just increases the number of possible characters to use and thus increases the chance of finding a deceptively similar homograph for a popular website. There are projects that attempt to resolve the phishing problem. However, as with spam, a solution does not seem to be on the horizon.
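A small check of the kind a registrar, mail filter or browser could run on a domain label, added here as an example that is not part of the original post: it converts the label to the "xn--" (punycode) form the DNS actually stores, flags labels that mix Latin and Cyrillic, and maps a handful of look-alike Cyrillic letters back to their Latin twins to show which ASCII name the label could be mistaken for. The look-alike table and the sample labels are constructed for illustration and are not a complete confusables list.

```python
import unicodedata

# Constructed, deliberately incomplete table of Cyrillic letters that render
# like Latin ones, e.g. U+0430 CYRILLIC SMALL LETTER A vs U+0061 LATIN SMALL LETTER A.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}

def script_of(ch):
    """Coarse script name for one character, derived from its Unicode name."""
    name = unicodedata.name(ch, "")
    if name.startswith("CYRILLIC"):
        return "Cyrillic"
    if name.startswith("LATIN"):
        return "Latin"
    if name.startswith("CJK"):
        return "Han"
    if ch.isdigit() or ch == "-":
        return "Common"  # allowed in any label, never counts as a script mix
    return "Other"

def to_ascii(label):
    """Encode an IDN label to the xn-- form that resolvers and the DNS see."""
    return label.encode("idna").decode("ascii")

def analyze_label(label):
    """Return the punycode form, the scripts used, and whether the label looks deceptive."""
    scripts = {script_of(c) for c in label} - {"Common"}
    mixed = len(scripts) > 1
    # Replace each look-alike Cyrillic letter with its Latin twin to obtain
    # the ASCII name a user would read off the screen.
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)
    return {
        "punycode": to_ascii(label),
        "scripts": sorted(scripts),
        "mixed_script": mixed,
        "looks_like": skeleton,
        "suspicious": mixed or (skeleton != label and skeleton.isascii()),
    }

if __name__ == "__main__":
    for sample in ["paypal", "p\u0430ypal", "杨怀义"]:  # constructed sample labels
        print(sample, analyze_label(sample))
```

A purely Chinese label such as the author's own domain is not flagged; the label is only suspicious when scripts are mixed or when it collapses to an ASCII name after the look-alike substitution.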
