Gecko engine based browsers have spoofing flaw

By Derek Sooman on February 8, 2005, 4:05 PM
Just about every browser out there - and, funnily enough, NOT Internet Explorer - seems to have a spoofing flaw. Apparently, it's been discovered that anything built on the Gecko engine will allow the spoofing of a URL in the address bar, SSL certificate and status bar. Firefox, Opera, Mozilla, Netscape, Camino, OmniWeb, Safari and Konqueror are all affected.

The flaw is an unintended consequence of the implementation of Internationalized Domain Names (IDN), which permits the use of international characters in domain names.

According to Secunia, this could be exploited by registering domain names with certain international characters that resembled other commonly used characters, thereby causing the user to believe he or she was on a trusted site.
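To make the look-alike problem concrete from the defender's side, here is an added Python example (not from the article, Secunia, or any of the browsers named) that converts a hostname to the Punycode form a resolver actually sees, flags DNS labels that mix Unicode scripts, and compares a confusable-collapsed "skeleton" of the name against a trusted list. The sample hostnames and the small confusable table are constructed assumptions, not data from the page.

```python
import unicodedata

# Constructed sample hostnames: the second replaces the Latin 'a' in
# paypal.com with Cyrillic small a (U+0430), which renders identically.
GENUINE = "paypal.com"
SPOOFED = "p\u0430ypal.com"

# Assumed mini confusable table: a few Cyrillic letters that look like
# Latin ones in common fonts. Real tooling uses the full Unicode TR39 data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

def to_punycode(hostname):
    """ACE form the resolver sees, e.g. xn--pypal-4ve.com for SPOOFED."""
    return hostname.encode("idna").decode("ascii")

def label_scripts(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used by the letters
    of one DNS label; a genuine name normally uses a single script."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts

def skeleton(hostname):
    """Collapse known confusables so visually identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())

def assess(hostname, trusted):
    """Return the reasons (possibly none) a hostname looks like a homograph
    of one of the trusted names; an empty list means nothing suspicious."""
    reasons = []
    for label in hostname.split("."):
        if len(label_scripts(label)) > 1:
            reasons.append("mixed scripts in label %r" % label)
    trusted_skeletons = {skeleton(t) for t in trusted}
    if hostname not in trusted and skeleton(hostname) in trusted_skeletons:
        reasons.append("looks like trusted %r but resolves as %s"
                       % (skeleton(hostname), to_punycode(hostname)))
    return reasons

if __name__ == "__main__":
    for name in (GENUINE, SPOOFED):
        print(name, "->", to_punycode(name), assess(name, {GENUINE}))
```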

ruaric said:
The rendering engine is irrelevant. The display of URLs in the address bar is a component of the UI rather than the rendering engine. All browsers that support IDN (internationalised domain names) in their address bars are affected. Those that do not support IDN are not. For example the K-Meleon browser (http://kmeleon.sourceforge.net/): this is built on the latest Gecko rendering engine, but as it does not support IDN it remains unaffected. Also, if Internet Explorer has Verisign's i-Nav plug-in installed it too is susceptible. Finally, other browsers that are built on other rendering engines, such as the Opera browser (uses the Presto engine), Konqueror (uses the KHTML engine), Safari (uses WebCore, a variant of KHTML) and OmniWeb (uses WebCore), are affected because of their support for IDN, not because of their rendering engine.

Clearly the problem is with the IDN system. The default installation of Internet Explorer only escapes because it does not support the latest internet standards, in this case IDN.
Phantasm66 said:
To be honest with you, I would have to take your word for it - browser programming is really not my area (so far :) ) and really I was just going on the source article. You sound very knowledgeable in this area, and perhaps you could post some more, explaining the nature of this flaw as you see it, and why it's not engine related. I find all of this very interesting, so even if you can point us towards some URLs and stuff I would be grateful.
ruaric said:
Ok, first of all you might be better convinced if I provided you with a simple demonstration of why you don't need the Gecko engine to be susceptible, and also why Internet Explorer would fail if only it met current internet standards. Verisign make a plug-in called i-Nav which allows Internet Explorer to use IDNs in its address bar (and hence makes it susceptible to this problem). If you have Internet Explorer installed on your machine (which, assuming you don't use Linux or a Mac, is probably the case) try installing this plugin (you can remove it later). It also adds IDN support to Outlook. It can be found here:
[url]http://www.idnnow.com/index.jsp[/url]

Rather than go into a load of detail I'll take you up on your offer and refer you to some links with more information. To be honest the best place for information on this (and indeed most subjects IMHO) is probably Wikipedia. Here are some links to save you some time looking around.

If you want to find out how IDNs (Internationalized Domain Names) work I recommend you check out the link below to an article on Punycode and a second one on Internationalizing Domain Names in Applications:
[url]http://en.wikipedia.org/wiki/Punycode[/url]
[url]http://en.wikipedia.org/wiki/IDNA[/url]

Further general information about IDNs can be found here:
[url]http://en.wikipedia.org/wiki/Internationalized_domain_names[/url]

Firefox, Mozilla, Camino and K-Meleon use only the Gecko rendering engine. Gecko was a new engine written from scratch for what was to be the Netscape Communicator 5.0 suite (never released).
[url]http://en.wikipedia.org/wiki/Gecko_(layout_engine)[/url]
(this article in turn links to articles about each of the above browsers)

The Netscape Browser, whilst currently using the Gecko rendering engine, will have the capability of switching to the Internet Explorer rendering engine (Trident), at the user's discretion, in a future release. Further information about the Netscape Browser can be found here:
[url]http://en.wikipedia.org/wiki/Netscape_Browser[/url]

Konqueror uses the KHTML rendering engine by default. This was created for it by the KDE project. It can optionally use the Gecko engine but typically this is not used by the average Konqueror user. For further information about the KHTML rendering engine go here:
[url]http://en.wikipedia.org/wiki/KHTML[/url]

Safari and OmniWeb use the WebCore rendering engine. This is a variant of KHTML. Neither browser is able to use another rendering engine at this stage. However OmniWeb did in the past use its own proprietary rendering engine. It switched to the WebCore engine at the 5.0 release. Further information about WebCore can be found here:
[url]http://en.wikipedia.org/wiki/WebCore[/url]
[url]http://developer.apple.com/darwin/projects/webcore/[/url]

Further information about OmniWeb can be found here:
[url]http://en.wikipedia.org/wiki/OmniWeb[/url]
[url]http://www.omnigroup.com/applications/omniweb/[/url]

The Opera browser uses its own proprietary rendering engine known as Presto. Opera is not able to switch between rendering engines. Further information about the Opera browser and Presto rendering engine can be found here:
[url]http://en.wikipedia.org/wiki/Opera_(browser)[/url]
[url]http://www.opera.com/[/url]

Hope that helps!

[Edited by ruaric on 2005-02-10 04:16:16]
ruaric said:
After further investigation I have discovered I have done the K-Meleon team a disservice. It can indeed access and use IDNs. However, it seems the default font that it uses for its address bar will not correctly show certain Unicode characters, hence in the example given by the original researchers www.paypal.com shows up as www.payp?l.com (making it obvious it is a fraud). However it still demonstrates that browsers with the same rendering engine can show the same site differently within the address bar.
ruaric said:
I have suggested elsewhere a possible solution for this problem:
[url]http://www.panix.com/~ruari/browser_spoofing_solution.html[/url]

I'll repost it here as it is on topic and might be of interest to some of you. It goes like this:

When a user browses a bookmarked or frequently visited domain a 'star' (or some other simple symbol) appears at the end of the URL (or next to where the SSL padlock icon appears in the browser). The user could now easily identify that they are indeed browsing on one of their favoured websites. The browser itself is able to know this because it can grab a list of domains from the user's bookmarks and look in the user's history to see frequently accessed domains, for example sites accessed on more than 10 separate occasions (this figure could be set to something more suitable; it is just an initial guess at a good figure).

If you are a PayPal user for example you are likely to have PayPal bookmarked or at the very least you will probably visit it regularly. If some website or email links to a fake PayPal then when the site loads the star will be missing from the address bar field since it will be the first time you have used this fake site. Hence it is easy for the user to see something is wrong. Hopefully users would get used to the idea that their favourite sites always display a star in the address bar, so this would start to become obvious.

Maybe it would require educating the users about what the star is and why it appears there, but this had to be done when the SSL padlock was first added to the browser. I reckon people would pick this up in no time.

I have suggested this on the Opera forums (I'm an Opera user). I may also suggest it on some of the Mozilla forums. Even if Firefox/Mozilla did not make it default perhaps someone could create a plugin (which is currently beyond me).

I have had some criticisms of the idea. For example someone pointed out that the first time you visit a new safe website no star would be present. Also, not all people use bookmarks extensively.

My response has generally been along these lines:

When you first visit a site you don't know if you can trust the site anyway. I'm usually cautious of new sites the first few times. I am that little bit more nervous about giving them personal data or credit card information, hence I check the site out more carefully. I bet most people are the same. Furthermore, after you have come back and used that site a few times and hence presumably are happy with it, it would move to one of your most frequently visited sites (or you might even bookmark it). After this point a star would display.

Regarding bookmarks, it is true that many people don't use bookmarks and in the age of Google you might even say why bother, but many people do, and if people knew that by bookmarking a site they could later verify it was the same site they had been to previously they may be willing to start bookmarking again, even if only for financial sites. Instead of bookmarking (or even in addition to bookmarking) you might also have the option of clicking on a button to say, "remember this as a known domain name"; from that point on it would also show a star.

It does not solve all issues but it makes it a damn sight easier to pick out when you are on a fake version of one of your favourite sites, which is the main issue as far as I can tell. Also, it requires little user effort (worst case, you do the one-time action of bookmarking the sites you are worried might be spoofed).

Finally, an extra advantage of this method is that it helps prevent other types of spoofing, for example when fraudsters substitute ASCII characters (e.g. '0' for 'o').

Anyway, if you think it is a good idea feel free to spread it around as a suggestion to anyone who you think might be influential in development of any of the popular browsers. Or anyone good at writing plugins!
Phantasm66 said:
Thanks, this is a lot of very good information, and a very good read :)