
Safari Vulnerability

Kristoff (Mac Elite), Mar 16, 2005, 02:51 AM

I'm not sure how many people are aware of this, but I thought I'd point it out.
Currently, there is a vulnerability in the way Safari handles International Domain Names, which allows an attacker to spoof a URL using a Homograph Attack.

In other words, it just became easier to fall for phishing schemes.

I suggest switching to a recent Camino nightly until the issue is resolved.

Safari users, here's a demo:

To see what I mean, visit paypal.com.

Not what you were expecting to see, eh?

Here's the real paypal.com.

For more info on this attack, see The Shmoo Group
     
Randman (Posting Junkie), Mar 16, 2005, 02:54 AM

Originally posted by Kristoff:
I suggest switching to a recent Camino nightly until the issue is resolved.
Uhh, no thanks.

This is a computer-generated message and needs no signature.
     
CaptainHaddock (Grizzled Veteran), Mar 16, 2005, 03:18 AM

Just don't click on any moronic links in your email from Paypal, eBay, and bank fraudsters.

A fool and his money are soon parted.
     
F_Elz (Dedicated MacNNer), Mar 16, 2005, 03:59 AM

is omniweb safe? I know Opera is
     
Randman (Posting Junkie), Mar 16, 2005, 04:03 AM

No web browser will protect you from stupidity.
( Last edited by Randman; Mar 16, 2005 at 06:11 AM. )

     
F_Elz (Dedicated MacNNer), Mar 16, 2005, 06:08 AM

oh...
     
Thinine (Mac Elite), Mar 16, 2005, 07:26 AM

Actually, I believe this is more of a DNS issue, as it allows domains that are spelled and appear identical, but have different Unicode characters for certain letters. So while it may be prudent for browser makers to do something to warn users about this, it's up to the DNS server maintainer to fix it.

Oh, and welcome to last month.
     
Kristoff (op, Mac Elite), Mar 16, 2005, 12:23 PM

God dammit.

You people are amazing.

I post a serious issue, and all I get is a bunch of stupid ass quips.


"fool and his money"

"no browser will protect you from stupidity"

"welcome to last month"

Blah blah blah.

It's obvious you guys didn't read the advisory or pay attention to anything that I said.

Thinine, It's not a DNS issue, it's a browser issue. Period, end of story. Read the article.
Safari renders the URL incorrectly, and Camino and others do not.

This has nothing to do with being stupid or a fool.

I routinely get payment reminders from all of my financial institutions as do millions of people every day.

It was easy to spot phishing attacks that looked like this:

http://www.americanexpress.com:/inde...yourmoney.html

because you'd indeed have to be stupid to fall for that.

This attack is different in that an SSL certificate can be purchased using the same homograph and the person using Safari will never know they are not at the correct domain.

It's obvious that the severity and implications of this issue are over your heads, or that you didn't bother to read it, or you wouldn't come here insulting someone who was just trying to give people a heads up.
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
TETENAL (Addicted to MacNN), Mar 16, 2005, 12:49 PM

Originally posted by Kristoff:
Thinine, It's not a DNS issue, it's a browser issue. Period, end of story.
This is not a browser issue. The browser behaves exactly as it's supposed to behave. Some characters just look like others; there is nothing you can do about that. Just don't click a link to "PayPal" from some obscure e-mail you get that asks for your personal information.
     
Kristoff (op, Mac Elite), Mar 16, 2005, 03:31 PM

Ah...another person who didn't read the article.

It is a browser issue. Period, end of story.

Read it for yourself. The browser should display the characters as they are (like Camino does). Safari displays them incorrectly.
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
OptimusG4 (Mac Elite), Mar 16, 2005, 03:40 PM

It's the browser. Using a firefox nightly, mousing over the first paypal link displays the correct site that it's pointing to in the status bar. Using Safari 1.2.4, the status bar just shows paypal.com, not the real domain.
"Another classic science-fiction show cancelled before its time" ~ Bender

15.2" PowerBook 1.25GHz, 80GB HD, 768MB RAM, SuperDrive
     
Kristoff (op, Mac Elite), Mar 16, 2005, 03:46 PM

Finally, a voice of reason!

All hope is not lost!
     
TETENAL (Addicted to MacNN), Mar 16, 2005, 04:20 PM

Originally posted by OptimusG4:
It's the browser. Using a firefox nightly, mousing over the first paypal link displays the correct site that it's pointing to in the status bar. Using Safari 1.2.4, the status bar just shows paypal.com, not the real domain.
The whole point of the Unicode domain names is to show the URLs in international characters, not the underlying ascii thing. A browser that shows the Unicode name is behaving correctly.
     
OptimusG4 (Mac Elite), Mar 16, 2005, 04:28 PM

Originally posted by TETENAL:
The whole point of the Unicode domain names is to show the URLs in international characters, not the underlying ascii thing. A browser that shows the Unicode name is behaving correctly.
Understood. Not trying to start a war, but it is kinda nice to have that feature in Firefox to prevent this crap. In the status bar, I couldn't tell the difference of the links in Safari, and I'm only 24. Imagine a 63 year old grandma clicking on a link to paypal and entering in her info. Ah well
     
TETENAL (Addicted to MacNN), Mar 16, 2005, 04:43 PM

Originally posted by OptimusG4:
Understood. Not trying to start a war, but it is kinda nice to have that feature in Firefox to prevent this crap. In the status bar, I couldn't tell the difference of the links in Safari, and I'm only 24. Imagine a 63 year old grandma clicking on a link to paypal and entering in her info. Ah well
Usually phishing attacks are done via an e-mail, so what would be shown in the status bar of the browser is irrelevant. Grandma needs to understand that any e-mail asking for her personal/account information is an attempted fraud. If her "bank" called via phone she wouldn't give away her information either. The same alertness as in the real world is needed on the internet.
If you type in the addresses of your bank, PayPal, eBay etc. you are safe from such an attack. Don't follow links from obscure web pages or mails.
     
Kristoff (op, Mac Elite), Mar 16, 2005, 05:14 PM

Perhaps the email is crafted EXACTLY like a legitimate payment reminder and the link goes to a page that looks exactly like the login screen to BoFA (or whatever).

The email itself isn't requesting the info...just reminding you that your normal payment is due.

The average person clicks on the link to make the payment.

The normal person would see a URL that looks right, and the SSL Lock icon is there, but now, they have just entered their username and password into a hackers database.

How would they know the difference?

Are you suggesting that every 63 year old grandma should now view the raw message source of their emails to be sure that it's not a Unicode domain name attack? That's ridiculous.

The point is that Camino and Firefox protect against this, Safari does not.
     
OptimusG4 (Mac Elite), Mar 21, 2005, 09:44 PM

It's fixed now
     
CaptainHaddock (Grizzled Veteran), Mar 22, 2005, 12:12 AM

The latest domain name scare aside, phishers will always be trying new things to trick you into visiting their websites and giving up your personal info. Just remember these very simple, obvious rules:

1. Your bank will never send you an email asking you to log in to a special page to update your account information.

2. The real eBay will never email you, demanding that you update your account info.

3. The real Paypal will never email you, demanding that you update your account info.

4. Nigerian royalty does not actually need your help getting their money out of the country.

5. Spam is always, always trying to take advantage of you.

If people simply *thought* for a moment before blindly clicking links, they would be safe. This rule is a good one to learn just in general, and it's especially useful when checking mail. Fortunately, I think Mac users as a segment of the public are less at risk than Windows users, just 'cause we're a little more tech-savvy. After seeing all the adware some Windows lusers put up with, it's no surprise they click on spam links!
     
Kristoff (op, Mac Elite), Mar 22, 2005, 02:59 AM

I wonder why Apple issued a fix for Safari if it wasn't a browser issue?

It is indeed fixed in Security Update 2005-003 in the form of--surprise--an update to Safari.

Haddock, while your rules are sound, in this case they wouldn't have helped.

In my case, BankA sends me an email (complete with a link) every month to remind me that my mortgage payment is due.

BankB sends me an email (complete with a link) every month to remind me that my auto loan payment is due.

It's not an issue as long as you verify the SSL cert and the URL of the form you are logging in to.

We all know too well how easy it is to forge email headers.
Under the exploit, it was impossible to protect yourself from the scenario I outlined in my previous post without viewing the raw message source of the emails to verify that it wasn't a fraudulent forgery of a legitimate reminder designed to steal usernames and passwords--because the URL and SSL cert were not rendered correctly.

Now, with the fix, it's a non-issue.

The fact is that it was a serious and indefensible (under normal operating circumstances) exploit in Safari, and I think Apple validated the concern by going through the trouble of fixing what you and the other naysayers in this thread would have (incorrectly in this case) led us to believe was simply an issue of promiscuous computer usage.

How can you verify a URL and SSL cert if the browser displays it incorrectly?

Anyway, it's a dead horse now, thanks to Apple for fixing it.
     
zzarg (Forum Regular), Mar 22, 2005, 05:17 AM

Apple may have fixed this issue... but in doing so they've fubar'd Safari for me and a trickle of other people (more posts appearing on various forums as the install base grows I guess)

Oh well... Firefox is now my default browser - I can click links and authenticate on web sites (the latter isn't a new problem, it's an old one)
     
TETENAL (Addicted to MacNN), Mar 22, 2005, 09:28 AM

Originally posted by OptimusG4:
It's fixed now
They didn't fix it, they have broken it. Now you cannot view Cyrillic URLs in Safari at all any more.
     
Kristoff (op, Mac Elite), Mar 22, 2005, 10:24 AM

Originally posted by TETENAL:
They didn't fix it, they have broken it. Now you cannot view Cyrillic URLs in Safari at all any more.
They did fix the exploit.
There's a difference between not fixing something and breaking something else.
Too bad they caused a regression error--that's lame on their part.
     
Chris O'Brien (Grizzled Veteran), Mar 22, 2005, 10:45 AM

Originally posted by TETENAL:
They didn't fix it, they have broken it. Now you cannot view Cyrillic URLs in Safari at all any more.
Does this help?
Just who are Britain? What do they? Who is them? And why?

Formerly Black Book
     
TETENAL (Addicted to MacNN), Mar 22, 2005, 11:06 AM

Originally posted by Kristoff:
Too bad they caused a regression error--that's lame on their part.
The regression isn't an error actually. The fix was to partially turn off international domain names support. You can turn on those scripts again, but that exposes you to this problem again. As I said, if you support international domain names (completely needs to be added now), then the fact that different URLs look the same is correct browser behavior.

Anyway, this now doesn't happen any more by default in Safari, but nevertheless I would still advise caution. Some people have mentioned that their banks are sending them e-mails (which I find odd, but whatever). I still suggest never clicking any links in such mails. When your bank (or PayPal, eBay etc.) sends you such a mail, switch to the browser and type in the bank's address manually to access the site.
     
JLL (Professional Poster), Mar 22, 2005, 11:38 AM

Originally posted by Kristoff:
I wonder why Apple issued a fix for Safari if it wasn't a browser issue?

It is indeed fixed in Security Update 2005-003 in the form of--surprise--an update to Safari.
No, the exploit isn't fixed. IDN support for certain scripts is now turned off, which means that you can't see IDN domains correctly in those scripts.

And I wouldn't call it a Safari issue either - it's a flaw in how IDN works.
JLL

- My opinions may have changed, but not the fact that I am right.
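The homograph Kristoff demonstrates in the opening post, and the script-restriction display policy TETENAL and JLL describe for the Security Update 2005-003 change, as an added Python example that is not part of the thread and not Apple's or Mozilla's code. The sample domains are constructed for the demo (the look-alike is "paypal.com" with its first "a" replaced by Cyrillic U+0430); the allow-list of scripts is an assumption for the demo, not Apple's actual list; and the script classifier approximates a character's script from its Unicode name rather than the real Unicode Scripts property.

```python
"""IDN homograph look-alikes and a script-restriction display policy.

Added example for the thread above. Sample domains are constructed;
ALLOWED_SCRIPTS is an assumption, not the list Apple shipped.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed samples. FAKE is "paypal.com" with its first Latin 'a' (U+0061)
# replaced by Cyrillic 'а' (U+0430); the two strings render identically in
# most fonts. CYRILLIC_ONLY is an all-Cyrillic label under the reserved
# .test TLD, standing in for the legitimate IDNs the fix stopped rendering.
REAL = "paypal.com"
FAKE = "p\u0430ypal.com"
CYRILLIC_ONLY = "\u043f\u0440\u0438\u043c\u0435\u0440.test"  # "пример.test"


def to_ascii(host: str) -> str:
    """A-label (punycode) form: what DNS resolves and what a TLS cert names."""
    return host.encode("idna").decode("ascii")


def to_unicode(host: str) -> str:
    """U-label form: what a browser shows if it renders IDNs as Unicode."""
    return host.encode("ascii").decode("idna")


def scripts_of(label: str) -> set[str]:
    """Scripts used by one label, approximated from Unicode character names.

    ASCII letters count as Latin; ASCII digits and '-' are script-neutral
    and are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("Latin")
            continue
        # e.g. "CYRILLIC SMALL LETTER A" -> "Cyrillic"
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0].title())
    return scripts


def is_mixed_script(label: str) -> bool:
    """True when a single label mixes scripts, the classic homograph shape."""
    return len(scripts_of(label)) > 1


# Display policy in the spirit of the 2005 Safari change as the thread
# describes it: render a label as Unicode only if every script it uses is on
# an allow list, otherwise show the raw xn-- label. With only Latin allowed,
# the Cyrillic look-alike is exposed, but so is every legitimate Cyrillic
# domain, which is the regression TETENAL and JLL complain about.
ALLOWED_SCRIPTS = {"Latin"}


def display_host(host_ascii: str, allowed: set[str] = ALLOWED_SCRIPTS) -> str:
    shown = []
    for label in host_ascii.lower().split("."):
        if not label.startswith("xn--"):
            shown.append(label)
            continue
        unicode_label = to_unicode(label)
        if scripts_of(unicode_label) <= allowed:
            shown.append(unicode_label)
        else:
            shown.append(label)
    return ".".join(shown)


def inspect_link(url: str, allowed: set[str] = ALLOWED_SCRIPTS) -> dict:
    """What a user would see in the location bar vs. where the link really goes."""
    host = urlsplit(url).hostname or ""
    wire = to_ascii(host)
    return {
        "wire": wire,
        "shown": display_host(wire, allowed),
        "mixed_script": any(is_mixed_script(to_unicode(l)) for l in wire.split(".")),
    }


if __name__ == "__main__":
    for host in (REAL, FAKE, CYRILLIC_ONLY):
        wire = to_ascii(host)
        print(f"{host!r:28} -> {wire:24} shown as {display_host(wire)}")
```

The point the two camps in the thread are arguing past each other is visible in the output: the look-alike and the real domain are different names on the wire (and a certificate issued for the xn-- name is perfectly valid for it), so the only place the difference can be surfaced is in how the browser chooses to render the U-label. An allow-list of scripts removes the look-alike at the cost of every domain in a disallowed script; a mixed-script check per label, which later browsers moved to, catches this particular shape without that cost, but not a whole-script confusable.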
     