Re: Q: How can you tell when a web font technology has gone mainstream?

On 14/01/2019 12:44, Levantovsky, Vladimir wrote:
 > A: When a major security research company discovers that scumbags are
 > now using it for their phishing campaigns!
 > (https://www.siliconrepublic.com/enterprise/phishing-web-fonts-fake)

This doesn't seem particularly interesting to me. It sounds like they 
used a (web)font with a scrambled encoding in order to disguise content 
that otherwise might have been noticed by some kind of scanner or 
security product; but there are already countless ways of obfuscating 
the content that a user will end up seeing, so that scanning page 
sources isn't much of a defence anyway.

E.g. if I want to create a phishing page for Big Bank Corp, but I don't 
want a security product to see this string when it scans the source of 
the page, I could just use Unicode to do

   ‮giB‬‎ ‮knaB‬‎ ‮proC‬

instead, without needing JS hackery or even CSS to disguise the text.

Or for a CSS hack that doesn't require a webfont to disguise the text, 
we could do

  <style>
   .a::before { content: "B" } .a::after { content: "g" }
   .b::before { content: "B" } .b::after { content: "k" }
   .c::before { content: "C" } .c::after { content: "p" }
  </style>
  <span class=a>i</span> <span class=b>an</span> <span class=c>or</span>

Good luck detecting that with a page-source scanner.

So - sure, a custom webfont can be used to "disguise" text so that its 
apparent content when seen by the human visitor is quite different from 
the underlying encoded text. That's hardly news - we were abusing custom 
fonts like that years before Unicode was even part of the game - and 
doesn't significantly change the security landscape, afaics.

If someone were able to use a webfont to change the display of URLs (or 
page titles, etc) within the browser UI (rather than the content of the 
page), that would be a different story - although if that were to 
happen, I'd regard it as a browser bug rather than a flaw in the webfont 
technology.

JK

 >
 > I must admit that using webfonts as a substitution cypher is a clever
 > idea, and I can see some potentially good uses for it (imagine building
 > a secure communication channel where a cypher is switched
 > algorithmically by e.g. using different font style/weights), but it also
 > begs another question to be asked – were we too optimistic when we
 > declared DSIG to be of no significant importance for webfonts / WOFF2?

Suppose we required webfonts to have valid DSIG signatures, or something 
like that. What difference would it make here? None, afaict; the bad guy 
could just sign the font and proceed in exactly the same way. A 
signature does nothing to guarantee that the font resource isn't going 
to mislead the reader.

 > And, do we need to update “Security considerations” section knowing that
 > webfonts could be a much more treacherous grounds than we previously
 > imagined?
 >
 > Thanks,
 >
 > Vlad
 >

Received on Monday, 14 January 2019 13:33:33 UTC
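To make the "good luck detecting that" point concrete from the scanner's side, here is an added example (not code from the thread or from either author) that reconstructs the text a visitor actually sees from the two tricks quoted above: it inlines `::before`/`::after` content into its span and reverses RLO...PDF bidi runs, then compares a raw page-source match with a rendered-text match. The two sample documents are constructed copies of the snippets in the message; the regexes only cover the simple CSS and markup shapes used there, not CSS or bidi in general.

```python
import re

# Constructed inputs: the two page-source tricks quoted in the message above.
SAMPLE_CSS_HTML = (
    '<style>\n'
    ' .a::before { content: "B" } .a::after { content: "g" }\n'
    ' .b::before { content: "B" } .b::after { content: "k" }\n'
    ' .c::before { content: "C" } .c::after { content: "p" }\n'
    '</style>\n'
    '<span class=a>i</span> <span class=b>an</span> <span class=c>or</span>\n'
)
SAMPLE_BIDI_HTML = "<p>\u202egiB\u202c\u200e \u202eknaB\u202c\u200e \u202eproC\u202c</p>"

STYLE_RE = re.compile(r"<style>(.*?)</style>", re.S)
PSEUDO_RE = re.compile(r'\.([\w-]+)::(before|after)\s*\{\s*content:\s*"([^"]*)"\s*\}')
SPAN_RE = re.compile(r"<span\s+class=[\"']?([\w-]+)[\"']?\s*>([^<]*)</span>")
RLO, PDF = "\u202e", "\u202c"
BIDI_CONTROLS = "\u200e\u200f\u202a\u202b\u202c\u202d\u202e"


def resolve_rlo(text):
    """Approximate what a bidi-aware renderer shows: each RLO...PDF run is
    displayed reversed; every other bidi control is invisible and dropped.
    Nested runs are not handled (the quoted example does not nest)."""
    out, i = [], 0
    while i < len(text):
        if text[i] == RLO:
            end = text.find(PDF, i + 1)
            end = len(text) if end == -1 else end
            out.append(text[i + 1:end][::-1])
            i = end + 1
        else:
            if text[i] not in BIDI_CONTROLS:
                out.append(text[i])
            i += 1
    return "".join(out)


def apparent_text(html):
    """Reconstruct the text a visitor sees: inline ::before/::after content
    into its span, strip the remaining tags, then resolve bidi overrides."""
    rules = {}
    for cls, pos, content in PSEUDO_RE.findall("\n".join(STYLE_RE.findall(html))):
        rules.setdefault(cls, {})[pos] = content
    body = STYLE_RE.sub("", html)
    body = SPAN_RE.sub(lambda m: rules.get(m.group(1), {}).get("before", "")
                       + m.group(2) + rules.get(m.group(1), {}).get("after", ""), body)
    body = re.sub(r"<[^>]+>", "", body)
    return resolve_rlo(" ".join(body.split()))


def brand_hits(html, brand):
    """(raw-source match, rendered-text match): the first is what a naive
    page-source scanner sees, the second is what the human visitor sees."""
    return brand in html, brand in apparent_text(html)
```

For both samples `brand_hits(..., "Big Bank Corp")` returns `(False, True)`: the string is absent from the source bytes yet present in what is displayed, which is why a scanner has to work from rendered text rather than markup.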