ÿþ<html> <head> <title>The Homograph Attack</title> <link rev="made" href="mailto:gabr@cs.technion.ac.il"> <meta http-equiv="Content-type" content="text/html;charset=utf8"> </head> <body> <h1>The Homograph Attack</h1> <p> This page presents an example of <a href="homograph_full.pdf"><em>The Homograph Attack</em></a> described by <a href="http://www.cs.technion.ac.il/~gabr">Evgeniy Gabrilovich</a> and <a href="http://www.cs.technion.ac.il/~gsasha">Alex Gontmakher</a>. (See "The Homograph Attack", <em><a href="http://www.acm.org/cacm"> Communications of the ACM</a></em>, 45(2):128, February 2002. Click <a href="homograph_full.pdf">here</a> for the full-length paper in PDF, or <a href="http://www.csl.sri.com/users/neumann/insiderisks.html#140">here</a> for the HTML archive of the CACM <em>Inside Risks</em> column at SRI). <p> To prove the feasibility of this kind of attack, we legally registered (at <a href="http://www.register.com">Register.com</a>) a homographic variant of the domain name <em>"Microsoft.com"</em> which incorporates Russian language characters. <p> Here is the forged name <a href="http://www.miAr>s>ft.com">http://www.miAr>s>ft.com</a> and here is the real thing <a href="http://www.microsoft.com">http://www.microsoft.com</a>.<br> <strong>Can you tell the difference ?</strong> <p> Here is another <a href="http://www.shmoo.com/idn">example</a> and the accompanying <a href="http://www.shmoo.com/idn/homograph.txt">IDN advisory</a>. <h3>Important note</h3> Most browsers currently need a special client application <em>iClient</em> distributed by <a href="http://www.i-dns.net">i-DNS.net</a> in order to handle multilingual domain names. Also, some browsers might display this name in a garbled way (encoded in the ASCII/English version of the international characters as <tt>bq--at7w373jih7xepx7om7p6zx7oq.com</tt>). Naturally, when the multilingual infrastructure implementation is finalized, the name will be displayed correctly. 
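<p> The following check is an added example, not code from the paper or its authors: it flags host name labels that mix scripts or that fold to a protected name once look-alike letters are replaced, and reports the label's ASCII-compatible form. The function names, the <tt>CONFUSABLES</tt> table (a constructed subset of Cyrillic look-alikes) and the name-based script heuristic are assumptions of this example. </p>

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones (assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
}

def char_script(ch):
    """Heuristic script name: the first word of the Unicode character name."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"  # digits and '-' are shared
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"

def skeleton(label):
    """Fold known look-alikes to Latin so visually equal labels compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())

def to_ace(label):
    """ASCII-compatible (Punycode) form of a label, or None if it cannot be encoded."""
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return None

def check_hostname(hostname, protected):
    """Return one finding per label that mixes scripts or imitates a protected name."""
    findings = []
    for label in filter(None, hostname.lower().split(".")):
        if label.isascii():
            continue  # a pure ASCII label contains no foreign look-alikes
        scripts = sorted({char_script(c) for c in label} - {"COMMON"})
        folded = skeleton(label)
        imitates = folded if folded in protected else None
        if len(scripts) > 1 or imitates:
            findings.append({"label": label, "scripts": scripts,
                             "ace": to_ace(label), "imitates": imitates})
    return findings

if __name__ == "__main__":
    forged = "www.mi\u0441r\u043es\u043eft.com"  # the forged name shown on this page
    for host in (forged, "www.microsoft.com"):
        print(host.encode("unicode_escape").decode(),
              check_hostname(host, {"microsoft"}))
```
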
<h3>We are in the news !</h3> Here is a brief list of articles that discuss our idea: <ul> <li><a href="http://www.globes.co.il/serveen/globes/docview.asp?did=885424&fid=942"> "Technion researchers warn: Faking websites is easier than ever"</a><br> <em><a href="http://www.globes.co.il">Globes Online</a>, February 2005</em><br> <li><a href="http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/ShowFull&cid=1108524042894"> "Creating phony Web sites is easier than ever"</a><br> <em><a href="http://www.jpost.com">The Jerusalem Post</a>, February 2005</em><br> <li><a href="http://www.theregister.co.uk/2005/02/10/unexpected_attack_vector"> "Beware the unexpected attack vector"</a><br> <em><a href="http://www.theregister.co.uk">The Register</a>, February 2005</em><br> <li><a href="http://www.pcworld.idg.com.au/index.php/id;1052848683;fp;2;fpid;1"> "Experts: International Domain Names May Pose Threat"</a><br> <em><a href="http://www.pcworld.idg.com.au">PC World</a>, February 2005</em><br> Also featured in <ul> <li><a href="http://www.infoworld.com/article/05/02/08/HNdomainnamethreat_1.html">InfoWorld</a> <li><a href="http://www.computerworld.com.au/index.php/id;1052848683;fp;16;fpid;0">ComputerWorld</a> </ul> <li><a href="http://www.microsoft.com/mspress/books/toc/5957.asp"> "Writing Secure Code", Second Edition</a><br> <em>Microsoft Press, 2002, ISBN 0-7356-1722-8</em> <li><a href="http://slashdot.org/articles/02/05/28/0142248.shtml"> "Spoofing URLs with Unicode"</a><br> <em><a href="http://slashdot.org">Slashdot.org</a>, June 2002</em> <li><a href="http://www.sciam.com/article.cfm?articleID=0005D6A3-3B91-1CDC-B4A8809EC588EEDF&catID=2"> "URLs in Urdu?"</a><br> <em><a href="http://www.sciam.com">Scientific American</a>, June 2002</em> <li><a href="http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/"> "Secure Programming for Linux and Unix HOWTO"</a> (see <a href="http://www.tldp.org/HOWTO/Secure-Programs-HOWTO/semantic-attacks.html"> Section 6.16 "Foil Semantic 
Attacks")</a><br> <em>March 2002</em> <li><a href="http://www.icann.org/committees/idn/idn-codepoint-paper.htm"> "Briefing Paper on Internationalized Domain Names (IDN) Permissible Code Point Problems"</a><br> <em><a href="http://www.icann.org">The Internet Corporation for Assigned Names and Numbers (ICANN)</a>, February 2002</em> </ul> <h3>Disclaimer</h3> The example domain name (<a href="http://www.miAr>s>ft.com">miAr>s>ft.com</a>) was only registered as a feasibility proof of the described attack.<br> "Microsoft" is a registered trademark of <a href="http://www.microsoft.com">Microsoft Corporation</a>. <hr size=2> <p> <em> <a href="http://www.cs.technion.ac.il/~gabr">Evgeniy Gabrilovich</a><br> <a href="mailto:gabr@cs.technion.ac.il">gabr@cs.technion.ac.il</a> </em> </p> <p> <em>Last updated on July 28, 2006</em> </p> <!-- Start of StatCounter Code --> <script type="text/javascript" language="javascript"> var sc_project=1750525; var sc_invisible=1; var sc_partition=16; var sc_security="df591dee"; </script> <script type="text/javascript" language="javascript" src="http://www.statcounter.com/counter/counter.js"></script><noscript><a href="http://www.statcounter.com/" target="_blank"><img src="http://c17.statcounter.com/counter.php?sc_project=1750525&amp;java=0&amp;security=df591dee&amp;invisible=1" alt="hit tracker" border="0"></a> </noscript> <!-- End of StatCounter Code --> </body> </html>