February 07, 2005

Firefox first blood - bug allows any domain to be "owned"

Over at something called the Shmoo conference, an exploit was announced that effects all browsers except including IE. Florian reports that spam is already circulating attacking IE. If you want to test it, and see what happens, browse over to http://www.shmoo.com/idn/ and click on the links. (Solution is below, also see BoingBoing suggested fix .)

Don't worry, nothing bad happens to you, this time. And don't be unduly alarmed as in practice, this is no more distinct an attack than ordinary phishing. To be exploited, you have to be sent a link in email or chat, and you have to click on it. Don't do that. If you still feel threatened ... browse over to BoingBoing and follow the instructions - this turns off IDN support, which disables the code paths that the bug exploits.

What is much more interesting is that this seems to be 'first blood' for Firefox - their first big security bug after the recent massive success of Firefox 1.0. It was always going to happen - all code has bugs, right? - and now is as good a time as any.

The major problem that's going to strike here is that this is not a bug. Yes, I know I said it was a bug, and now I'm changing my mind.... Let me explain: it's a not-bug,
or a not-a-bug-but-a-feature.

The IDN - international domain name - concept allows names to be created that do non-english lettering. As an artifact of this, you can do english lettering, but in a non-english character set. Which means that anyone can craft any other domain and also request a certificate in it.

But, anyone could already do that. We've known for a long time that paypa1.com was available as a domain (notice the digit one '1' at the end!). This is simply yet another way to create a near-perfect copy of a domain name. Not only is it simply yet another way ... it's one of a string of them including future mechanisms that we can only dream of right now.

So, the first thing to understand is that domain names can be copied. And we can't really stop that.

How then does the user defend herself? Or, better yet, how does the user and the browser working together stop being fooled?

Simple. (I will assume that SSL is indicated here because it is important.) What the browser has to do is to show the user several things:

1. Who the CA is that signed the cert.
2. What the user previously knew/set about that site.

Those two simple things will give the user powerful tools. Remember, the user knows her trusted sites. She is the one that trusts Bank of America, not the CA and not the browser manufacturer. So when she goes to her bank, she can designate that bank as "her bank". Sort of like a bookmark or a favicon, but it has to be tied to the certificate, and it has to be generated by her, elsewise the spoofer simply copies the public info on the website.

The best way to do this is to show the logo of the CA (can be shipped in the browser for added security) alongside a logo for the bank that the user selected when she first visited the bank in SSL form. Those logos should appear on the chrome, in a position that can't be touched by the HTML.

Then, when the spoof BunkOfAmerika turns up, the HTML might look the same, but the browser should treat this is an untrusted site - no logos because the cert seen (if any) doesn't have any logos selected.

Posted by iang at February 7, 2005 07:51 AM | TrackBack

Uh-oh, Internet Explorer is affected by the same bug, and it was actively exploited. Just look for spam mail advertizing ro1ex.com and va1ium.com.

In other words, this is not a browser bug. You just can't infer the authenticity of a web site based on its name (or its SSL certificate).

Posted by: Florian Weimer at February 7, 2005 12:25 PM

Hey Ian,
This is one of a whole class of bugs to be found in the firefox code base...

go to www.spoofstick.com for a firefox extension that performs independent verification of the website being currently viewed.

suprised the schmoo.com kids didnt pick up on this one...

BTW no bucks no buck rogers(to quote RAH)

M and I WONT make dominica at the end of the month.. will you??

you know the address already to return mail

warm regards,
gwen hastings

Posted by: gwen hastings at February 8, 2005 09:35 PM
Post a comment

Remember personal info?

Hit preview to see your comment as it would be displayed.