
Attacks on Firefox

Linux detractors often say that, if and when Linux becomes as popular as Windows, it will attract just as many attacks - and prove just as vulnerable. The popularity of Linux exceeds that of Windows in some areas, but, so far, these attacks have not materialized. It is now beginning to look like this upsurge in attacks may not target Linux directly. Instead, the Firefox browser may become the target of choice.

Eric Johanson recently put out an advisory demonstrating how "homograph attacks" can work against Firefox (and Konqueror). These attacks take advantage of internationalized domain names (IDN), which can be written in non-ASCII character sets. The problem is that many non-ASCII characters are rendered just like (or very nearly like) characters in the ASCII set; as a result, a domain name which looks identical to a familiar one can actually point somewhere unexpected. The example provided by Mr. Johanson replaces the first Latin "a" in www.paypal.com with the Cyrillic small letter "а" (U+0430); the browser renders the result, www.pаypal.com, so that it cannot be told apart from the genuine site, although it is an entirely different domain (its ASCII-compatible form is www.xn--pypal-4ve.com). This technique, clearly, could be used for phishing attacks - especially when one considers that an SSL certificate can be issued for the look-alike name as well, so the browser's padlock icon does not reveal the deception. It is said that a short-term workaround for this problem is to set the network.enableIDN parameter to false in the about:config screen, but this workaround does not work for all users, and it does not persist across sessions.
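The substitution described above, together with the kind of mixed-script and look-alike checks that several of the comments below propose, as an added example; this is not code from the article, from Mr. Johanson's advisory, or from the Mozilla project. It relies on Python's built-in idna codec for the ASCII-compatible encoding. Two things are assumptions made for the example: the script of a character is taken from the first word of its Unicode character name (a heuristic, not the real Unicode Scripts data), and CONFUSABLES is a small hand-picked table of look-alike pairs rather than the full Unicode confusables list. The protected-domain list containing only paypal.com is likewise just sample data.

```python
"""IDN homograph demo: ACE encoding, mixed-script check, confusable skeleton.

Added example for this page, not code from the LWN article, Eric Johanson's
advisory, or the Mozilla project. Script assignment is a heuristic based on
Unicode character names; CONFUSABLES is a hand-picked subset of look-alikes.
"""
import unicodedata
from typing import Iterable, Optional

# Characters shared by every script; they never trigger a mixed-script
# warning on their own. (Assumption for the example: everything else is
# assigned the first word of its Unicode name, so "LATIN SMALL LETTER P"
# becomes "LATIN" and "CYRILLIC SMALL LETTER A" becomes "CYRILLIC".)
_COMMON = {"DIGIT", "HYPHEN-MINUS"}

# Hand-picked look-alikes mapped to the Latin letter they resemble.
# Cyrillic а е о р с у х and Greek ο ρ are the classic cases; '1' and '0'
# show that the same problem already exists inside plain ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",   # Cyrillic
    "\u03bf": "o", "\u03c1": "p",                   # Greek omicron, rho
    "1": "l", "0": "o",                             # ASCII digits
}


def to_ace(hostname: str) -> str:
    """Return the ASCII-compatible (xn-- punycode) form a resolver sees."""
    return hostname.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Heuristic script name for one character, or COMMON for digits/hyphen."""
    name = unicodedata.name(ch, None)
    if name is None:
        return "UNKNOWN"
    first = name.split()[0]
    return "COMMON" if first in _COMMON else first


def scripts_in_label(label: str) -> set:
    """Set of scripts used by the letters of a single DNS label."""
    return {s for s in (script_of(ch) for ch in label) if s != "COMMON"}


def is_mixed_script(label: str) -> bool:
    """True when one label mixes letters from two or more scripts."""
    return len(scripts_in_label(label)) > 1


def skeleton(hostname: str) -> str:
    """Collapse known confusables onto the Latin letter they look like."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def looks_like(hostname: str, protected: Iterable[str]) -> Optional[str]:
    """Return the protected domain this hostname impersonates, or None.

    A hostname that already is the protected domain (or a subdomain of it)
    is genuine; only a match that appears after skeletonising counts.
    """
    host = hostname.lower()
    skel = skeleton(host)
    for domain in protected:
        if _under(skel, domain) and not _under(host, domain):
            return domain
    return None


def analyze(hostname: str, protected=("paypal.com",)) -> dict:
    """What a URL bar could surface about one hostname before connecting."""
    labels = hostname.split(".")
    return {
        "ace": to_ace(hostname),
        "is_ascii": hostname.isascii(),
        "mixed_script_labels": [lbl for lbl in labels if is_mixed_script(lbl)],
        "impersonates": looks_like(hostname, protected),
    }


if __name__ == "__main__":
    # Constructed sample names: the genuine site, the Cyrillic-а look-alike
    # from the advisory, and an all-ASCII digit-for-letter variant.
    for h in ("www.paypal.com", "www.p\u0430ypal.com", "www.paypa1.com"):
        print(h, analyze(h))
```

Running the block prints the ACE form of each name, which is where the deception becomes visible: the look-alike encodes to www.xn--pypal-4ve.com, the same name that appears in the certificate warning quoted in the Konqueror comment below. The mixed-script test catches the Cyrillic substitution but, by design, not an all-Cyrillic or all-ASCII name; the skeleton comparison against a list of protected names is what catches paypa1.com, at the cost of needing such a list.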

Meanwhile, "mikx" has posted a set of three different Firefox vulnerabilities. "Fireflashing" is a trick that, in conjunction with the Flash plugin, can be used to fool a Firefox user into changing configuration parameters. The "firedragging" vulnerability gets around some restrictions to possibly allow a (Windows) user to put a web-supplied executable file onto the desktop. And "firetabbing" circumvents the isolation between sites when links are dragged to different tabs. All of these vulnerabilities have been acknowledged by the Mozilla Project and fixes have been committed.

These attacks are not truly devastating. They make certain kinds of phishing and social engineering attacks easier, but, hopefully, should not fool suitably careful users. But they do show that the level of interest in Firefox vulnerabilities is on the increase.

Attacking many parts of a Linux system is hard. Security is generally reasonably good, one hopes, and techniques like privilege minimization, privilege separation and sandboxing help to contain any vulnerabilities which do exist. The sheer variety of deployed Linux systems also works against attackers; an exploit which works on one system may be useless against the next. The role of diversity in ensuring the security of Linux systems should not be underestimated.

Firefox, however, is widely deployed and quite similar on all systems. If nothing else, the project's trademark policies tend to ensure that Firefox deployments will not vary much. Firefox contains interpreters which will, sooner or later, have vulnerabilities of the "write once, run anywhere" variety: an exploit that works against the interpreter works on every platform the browser runs on. Firefox is directly controlled by users who may have little interest in - or knowledge of - security policies. And, in many (perhaps most) cases, it talks directly to random sites all over the net. So of course Firefox is being eyed as a possible entry point to otherwise secure systems.

The Firefox browser is popular for a reason: it is a solid, highly featureful, highly useful program. It is also a huge and complex program. Regardless of the skill of the Mozilla hackers, verifying and maintaining the security of a code base that large is going to be a major challenge. Expect some interesting times over the next few years as the security claims made by the Mozilla Project - and by the free software community in general - are put to the test.



Attacks on Firefox

Posted Feb 9, 2005 21:00 UTC (Wed) by hamjudo (guest, #363)

Linux detractors often say that, if and when Linux becomes as popular as Windows, it will attract just as many attacks

That is already wrong, if you measure popularity by number of installed systems. I started using Linux in 1993. In 1994 my Windows-using friends were being spoofed by the "GoodTimes" hoax. Real Windows viruses were doing significant damage by 1995. See History of Malware, 1993-1995.

There are certainly more Linux systems in use today than there were Windows systems in 1995. There isn't nearly as much malware for Linux today as compared to how the Windows users were suffering even back then.

Better researchers than I, can figure out quantitatively how Linux usage today compares with Windows over the last decade, and the historic malware load.

Attacks on Firefox

Posted Feb 21, 2005 18:56 UTC (Mon) by turpie (guest, #5219)

The number of installed systems of Windows in 1995 vs Linux in 2005 is irrelevant. The scumbags are only interested in their current relative popularity. Windows is currently the most popular, so it currently attracts the most attacks.

Attacks on Firefox

Posted Feb 9, 2005 22:44 UTC (Wed) by dkite (guest, #4577)

Am I wrong to suggest that the homograph attacks aren't a flaw in the browser? They implement the IDN standard. How is that different from directing people to update their personal Paypal information at mypaypal.com, or palpay.com?

Not to suggest that there isn't a danger. It is up to paypal to protect their customers by grabbing the domain names.

Derek

Homographic attacks

Posted Feb 10, 2005 1:19 UTC (Thu) by eru (subscriber, #2753)

They are a result of a feature in the Unicode character set standard that can strike any browser or other application, not just Firefox. If two characters look the same but are interpreted differently, there is very little the user can do. Probably the internationalized domain name handling should be modified to require that the string is first normalized so that all characters that look the same or even very similar are collapsed to one code point. For example, Latin, Greek and Russian versions of 'o' should all be considered the same for the purpose of looking up addresses.

Attacks on Firefox

Posted Feb 10, 2005 1:24 UTC (Thu) by fergal (subscriber, #602)

What about "p"? The Greek letter rho might fool some people, so with 2 "a"s and 2 "p"s in paypal already that's 15 fake versions. Who knows how many other homographs there are for the letters in "paypal". Leaving it up to each company to buy all the possibilities is expensive and error prone. A far more reasonable idea is that it be impossible to register any of the homographs of already existing domains.

Until then, the browsers should highlight any characters in the domain name that are outside the user's language's script.

Attacks on Firefox

Posted Feb 10, 2005 5:47 UTC (Thu) by ekj (subscriber, #1524)

Yeah. You're right. It's not really a bug. I mean, if the two letters really do look like that, how is firefox (or any other program) supposed to render them?

The real question is if it makes sense for the domain system to allow the registering of visually identical, or very nearly identical, names.

The problem of course is that there's no simple criterion for what is identical (or nearly so); it depends, among other things, on the fonts the user is using. In some fonts l and I are indistinguishable, so should we therefore disallow the registering of paypai.com on the basis that if written with a capital I (DNS is not case-sensitive) then in some fonts www.paypaI.com looks indistinguishable from www.paypal.com?

There are no simple answers here...

Attacks on Firefox

Posted Feb 10, 2005 9:15 UTC (Thu) by mmarsh (subscriber, #17029)

You could use color to indicate the character set. If all characters are in the same set, they get the default background color (eg, white). Characters from a second set get a different color (eg, red), from a third set yet a different color (eg, green), etc. If you want to mark non-ASCII character sets used consistently, you could optionally color the whole thing red or put a small icon or piece of text indicating that it's a non-ASCII address. I don't know how easy this would be to do, but it would certainly stand out.

Fonts and identical chars

Posted Feb 11, 2005 5:26 UTC (Fri) by eru (subscriber, #2753)

The problem of course is that there's no simple criterion for what is identical (or nearly so); it depends, among other things, on the fonts the user is using. In some fonts l and I are indistinguishable, so should we therefore disallow the registering of paypai.com on the basis that if written with a capital I (DNS is not case-sensitive) then in some fonts www.paypaI.com looks indistinguishable from www.paypal.com?

There are no simple answers here...

A perfect solution is hard or impossible to find, but I think a solution that at least does not make the situation any worse than it is with plain-ASCII names is not all that hard. Combining characters that in most fonts are identical or practically identical, ignoring language (as I proposed above), would achieve that.

Having capital-I and lowercase-L look the same in some fonts is a problem of the font, really, and smart designers should use maximally legible fonts in the lines that show or input URLs. I remember that in the old days many Telex machines used a font where lowercase-L had a little hook at the bottom to ensure it was different from uppercase-I. Might be a good idea to use it in browsers. (Wonder if there is an X11-compatible implementation of this font anywhere?)

Fonts and identical chars

Posted Feb 25, 2005 9:00 UTC (Fri) by QuisUtDeus (guest, #14854)

What about an option (adjustable according to visual acuity) of showing the number of times the browser has followed a link to a given site and/or domain.

For example: a pop-up box that would say [www.paypal.com - 120 visits / *.paypal.com - 150 visits] vs. [www.paypa1.com - 0 visits / *.paypa1.com - 0 visits].

It could be configurable to stop it if there have been so many visits, or if the name is published in a maintained list of common sites/domains.

Attacks on Firefox

Posted Feb 11, 2005 5:30 UTC (Fri) by mp (subscriber, #5615)

No, you certainly are not wrong. But IIRC the problem is in some ways old news. I mean, it was being pointed out since the work on IDN started that homographs are there. I guess phishing was not sufficiently popular a few years back.

Attacks on Firefox

Posted Feb 13, 2005 8:38 UTC (Sun) by ordonnateur (guest, #6652)

"not a fault in the browser" yes indeed.

As the example of 1 and lower case l (see below) shows this problem can apply to plain ASCII.
What makes Paypal different from paypa1? Especially to those with imperfect eyesight. (Different colours for different char sets etc. is no help to the colour blind.)
What if the (true) company had chosen to call itself paypa1?
All the proposed technical fixes merely ameliorate what is essentially a social and legal problem.
'paypal' is true and 'paypa1' false because the second is fairly easy to decide in a court of law as a case of what is known in English law as "passing off".
Browsers, or any other software, cannot do the work of judges. They cannot even do the work of the lawyers' "reasonable man" who would have cause to bring the case to court.
A full solution requires action from domain name registrars and the vendors of certificates.

Attacks on Firefox

Posted Feb 17, 2005 5:36 UTC (Thu) by pdundas (subscriber, #15203)

> (Diffrent colours for different char sets etc is
> no help to the colour blind.)

It's a good default display method to show differences.
Accessibility requires that there be a backup method of conveying that information too (use of styles should make that quite straightforward).

The more important question is whether all languages can be expected to use a single unicode "charset" (or maybe a subset of related charsets) - if not, it's a less generally useful technique.

> All the proposed technical fixes merely ameliorate
> what is essentially a social and legal problem.

It's called defence in depth. You deploy a range of approaches to reduce the problem. Consider that we make theft illegal AND ALSO lock our front doors.

In this case technological means can help, but it is also a requirement that certifying authorities and registrars NOT REGISTER abusive phishing-style names. How widely enforced that will be is not clear, but a few fines and imprisonments for facilitating fraud may encourage the others.

A full solution requires lots of things to be done. There is no single "right answer".

Attacks on Firefox

Posted Feb 13, 2005 17:32 UTC (Sun) by inverter (guest, #19022)

As happened various times in the past, another software failure predicted by DJB: http://cr.yp.to/djbdns/idn.html

Unicode indefensible---Schneier

Posted Feb 14, 2005 8:53 UTC (Mon) by Max.Hyre (subscriber, #1054)

I see no one has pointed out that Bruce Schneier was worried about this almost five years ago, and worried about more than just social engineering. In his Crypto-Gram of 15 July 2000, the section titled Security Risks of Unicode includes observations such as
The philosophy behind the Unicode spec is to provide all possible useful characters for applications that are 8- or 16-bit clean. This is admirable, but it is nearly impossible to filter a Unicode character stream to decide what is "safe" in some application and what is not.

Sound excessive? You should read the article.

Oops, wrong position

Posted Feb 14, 2005 8:57 UTC (Mon) by Max.Hyre (subscriber, #1054)

Sorry, I should have attached that to eru's comment, a good ways above.

Attacks on Firefox

Posted Feb 10, 2005 0:17 UTC (Thu) by kune (subscriber, #172)

I support the remarks at the end of the article and would like to put it more bluntly: free software hyped as a tool for the masses needs first-class security patch management. But I've yet to read a statement from the Mozilla guys that they are working on a fix. I still hope that somebody is working on it and we will soon see a fix, which at least switches off the IDN feature and allows a workable and reliable way to switch it on and off.

Attacks on Firefox

Posted Feb 10, 2005 1:34 UTC (Thu) by grantma (subscriber, #5225)

Unlike the author's comment, I set the network.enableIDN to false, and after quitting firefox it IS kept in the next session

Persistently disabling IDN

Posted Feb 10, 2005 2:53 UTC (Thu) by lmartelli (subscriber, #11755)

If you want to persistently disable IDN in a Mozilla based browser, you can edit your "prefs.js" file.

Attacks on Firefox - capturing keystrokes in X

Posted Feb 10, 2005 5:51 UTC (Thu) by croftj (guest, #332)

This makes me wonder how easy it is to capture keystrokes in X. Can one program capture the keystrokes of another program without it being noticed?

Attacks on Firefox - capturing keystrokes in X

Posted Feb 10, 2005 7:39 UTC (Thu) by kleptog (subscriber, #1183)

The answer is yes. Once you're connected to the X session you can do many things including:

- Screen grabs off the screen or any window
- Intercept and send messages to/from any window
Messages include keystrokes and mouse commands
- Manipulate any object contained within that session

X11 objects don't have a security context. The thing that makes it work in general is that you don't *know* the window identifiers of other windows on the desktop. So you have to go looking for them.

The flexibility is very useful because it allows window managers to do the cool things they do. Things like xev and xkill are easily implemented.

I seem to remember someone adding security contexts to an Xserver but it's not in the normal distributions.

Attacks on Firefox - capturing keystrokes in X

Posted Feb 10, 2005 12:29 UTC (Thu) by oak (guest, #2786)

Seen on the freedesktop.org mailing lists (if I remember correctly):
NSA is adding selinux hooks into X...

Attacks on Firefox

Posted Feb 10, 2005 6:26 UTC (Thu) by ll (subscriber, #4404)

Perhaps Verisign and the other certificate authorities, who have made billions of dollars in the past few years, and whose marketing pitches all claim that their signing power helps secure the Internet, will address this issue.

In this example, the ironically-named USERTRUST Network provided the cert that enabled the https exploit. Yet all the coverage I've seen dwells on IDN and the Mozilla implementation.

If CA's want to keep claiming that they "protect identity", perhaps they can spend a few bucks on some R&D to screen out phishing cert requests.

Konqueror

Posted Feb 10, 2005 18:39 UTC (Thu) by rfunk (subscriber, #4054)

I just tried Konqueror, and without SSL it takes me to the bogus page, but with SSL I get a warning that the certificate wasn't issued to this host, but was issued to: www.xn--pypal-4ve.com

It would be nice if I could make konq not even work at all with unicode domain names though.

characters may look the same

Posted Feb 17, 2005 2:51 UTC (Thu) by edmundo (guest, #616)

I think people just have to get used to the inescapable fact that characters that look the same or very similar on the screen might not be the same character. I learnt this on a Commodore PET in the 1970s where they had this character called a "shift-space" whose graphical representation was identical to that of an ordinary space. Do I expect to be able to distinguish all Unicode characters by looking at how they are displayed on a computer screen? Obviously not, though I probably know more about Unicode than most people, many of whom are apparently incapable of distinguishing the 3 Latin-1 characters that resemble an apostrophe or the 2 that resemble a vertical line, for example.

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds