
Re: phishing in IRIs

From: Martin J. Dürst <duerst@it.aoyama.ac.jp>
Date: Tue, 24 Nov 2009 15:21:56 +0900
Message-ID: <4B0B7B84.5070301@it.aoyama.ac.jp>
To: Shawn Steele <Shawn.Steele@microsoft.com>
CC: Larry Masinter <masinter@adobe.com>, "PUBLIC-IRI@W3.ORG" <PUBLIC-IRI@w3.org>, Pete Resnick <presnick@qualcomm.com>, Ted Hardie <ted.ietf@gmail.com>

Hello Shawn,

On 2009/11/24 13:58, Shawn Steele wrote:
>
>> what I wanted to say is that when it comes to phishing/spoofing with
>> IRIs, the main place that actually happens are the IDNs in the IRIs, not
>> the other parts of an IRI (scheme/path/query).
>
> I would disagree with this as well :)
>
> http://secure.com/paypal is another technique, and there the path is used to provide the misdirection.

Well, of course, but what I'm saying is that for most domain names, this 
isn't actually possible. As an example, the only indication I have that
    http://microsoftontheissues.com/cs/blogs/mscorp/archive/2009/11/23/partnering-with-the-white-house-on-educate-to-innovate.aspx
is indeed related to Microsoft is that I got to it using a link from a 
microsoft.com page. On the other hand, for a page such as
    http://www.microsoft.com/about/legal/default.mspx
I am rather confident that nobody at Microsoft would *dare* to spoof 
this with something like
    http://www.microsoft.com/about/1egal/default.mspx
and that nobody outside Microsoft would *be able* to do it.

So trying to spoof the path is indeed another technique, but in most 
cases, it doesn't work because there is a single authority in control of 
all the paths on the same domain. So that's why I'm saying that the main 
place where spoofing can happen in IRIs is the IDN part.

Of course I agree with you that we should exclude spoofing issues from 
the upcoming WG, except for discussing them in the security section.

Regards,    Martin.

> Even when the domain name's being abused, current attacks seem to rarely use IDN, it's simply not needed because the users aren't careful (or don't know how to be careful) anyway.
>
> I think the impracticality of a secure IRI might make an interesting paper, or BCP, however IDN is just a (small) part of that.
>
> - Shawn

-- 
#-# Martin J. Dürst, Professor, Aoyama Gakuin University
#-# http://www.sw.it.aoyama.ac.jp   mailto:duerst@it.aoyama.ac.jp
Received on Tuesday, 24 November 2009 06:22:45 GMT
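As an added illustration (not part of this thread), a small Python checker that applies the distinction argued above: a watched brand name sitting in the path or a subdomain rather than in the registrable domain is flagged as the secure.com/paypal pattern, and a hostname whose letters mix Unicode scripts after IDNA decoding is flagged as the IDN case. The brand list and the last-two-labels rule for the registrable domain are assumptions for illustration only.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch list for the illustration; a real deployment would use its own.
WATCHED_BRANDS = ("paypal", "microsoft")


def unicode_host(url):
    """Hostname of `url` as a U-label (IDNA-decoded) so its scripts can be inspected."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")  # "xn--..." labels -> Unicode
    except UnicodeError:
        return host  # already non-ASCII, i.e. already a U-label

def registrable_domain(host):
    """Assumed approximation: last two labels. Real code would use the Public Suffix List."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def host_scripts(host):
    """Unicode scripts of the letters in `host`, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in host if ch.isalpha()}

def misplaced_brands(url):
    """Brands that appear in a subdomain or the path but not in the registrable domain."""
    host = unicode_host(url).lower()
    path = urlsplit(url).path.lower()
    reg = registrable_domain(host)
    findings = []
    for brand in WATCHED_BRANDS:
        if brand in reg:
            continue  # the brand's own authority controls every path on this domain
        if brand in host:
            findings.append((brand, "subdomain"))
        elif brand in path:
            findings.append((brand, "path"))
    return findings

def assess(url):
    """Summarise where, if anywhere, the URL's misdirection could sit."""
    host = unicode_host(url)
    return {
        "host": host,
        "mixed_script_host": len(host_scripts(host)) > 1,
        "misplaced_brands": misplaced_brands(url),
    }
```

Note that a Cyrillic lookalike of a brand passes the brand check unchanged, which is exactly why the host-side script check is the one that matters for IDN.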
