</div>
<div class="tbf_row">
<!-- begin centercolumn -->
<div id="centercolumn">
<!-- begin rightcolumn_container -->
<div id="rightcolumn_container">
<!-- begin rightcolumn -->
<!-- rightcolumn is embedded within centercolumn so featured text wraps around it -->
</div><!-- end tearoffbox_wide_container for watchlist items -->
<!-- begin tearoff box wide -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tearoffbox_wide_bottom_tips">
<div class="featured_meta"><div class="meta_article">14 Feb 2005 | <a href="/article/7983?print_version=1">Print <span class="shift_up"><img src="/images/printer_icon.gif" alt="Printer-Friendly Version of This Article" border="0" width="9" height="10"></span></a></div></div>
<div id="article_box_6593"><P><B>Don't Trust Your Eyes or URLs</B><BR>by Glenn Fleishman</P><P>The Shmoo Group, a collection of security researchers who make a habit of punching holes in assumptions about what's secure on the Internet, has discovered a simple way to fool most browsers into displaying the address of a legitimate secure Web site while actually connecting to a rogue site with a different name. Ironically, Internet Explorer is entirely exempt from this spoof, because it has no native support for the domain-name feature being abused. Opera, Safari and other KHTML-based browsers, and all Mozilla and Firefox browsers suffer from this weakness on all platforms.</P><P><<A HREF="http://www.shmoo.com/">http://www.shmoo.com/</A>><BR><<A HREF="http://www.shmoo.com/idn/homograph.txt">http://www.shmoo.com/idn/homograph.txt</A>></P><P>In brief, the Shmoos found that the way browsers implement Internationalized Domain Name (IDN) support, which allows characters from non-English scripts in domain names, lets a malicious party display what appears to be one domain name in the Location field while connecting you to another. Phishing scams have just become harder to identify.</P><P>The mechanism that makes this possible is an encoding called "punycode," which the Shmoo Group notes has been widely adopted. A domain label that contains characters outside the unaccented ASCII letters, digits, and hyphen is converted into a string of plain ASCII letters and digits, prefixed with "xn--", so that it can be registered in and resolved by the existing domain naming infrastructure (see Matt Neuburg's "Two Bytes of the Cherry: Unicode and Mac OS X" for more information on Unicode).
This conversion isn't a problem in itself: it means that domain names outside the English character set can be used freely without confusing browsers, and can be registered using simple ASCII characters for backwards compatibility with the domain naming infrastructure.</P><P><<A HREF="http://db.tidbits.com/series/1217">http://db.tidbits.com/series/1217</A>></P><P>The flaw is twofold. First, affected browsers display the decoded Unicode character itself, which may look identical to a character from another script. For instance, the Shmoos use the Cyrillic lower-case letter a, Unicode code point U+0430 (decimal 1072, written as the HTML entity &amp;#1072; and stored as the two bytes D0 B0 in UTF-8), which browsers that support IDN display as a lower-case a indistinguishable from a Roman lower-case a.</P><P><<A HREF="http://www.fileformat.info/info/unicode/char/0430/">http://www.fileformat.info/info/unicode/char/0430/</A>></P><P>The second problem follows from the first: it's possible to obtain a perfectly legitimate SSL (Secure Sockets Layer) digital certificate for the punycode form of the domain name, because that is the name actually registered. Thus, in an example that the Shmoos posted for a while (now replaced), you see "https://www.paypal.com/" in your browser's URL field, and all the SSL signals are there: no warnings, the lock icon is present, and Firefox's Security tab in the Page Info window says the Web site's identity has been verified.</P><P>Click View in that same tab in Firefox, however, and you'll see the full punycode name of the Web site, which is "www.xn--pypal-4ve.com". Copy the URL from the Location field and paste it into Terminal, and you'll see the raw UTF-8 form as well, "www.pаypal.com", in which the second letter is U+0430 rather than a Roman a.</P><P>I don't know that there's an easy solution to this problem. It's the result of a choice by the developers of the various browsers to display precisely what a Unicode character looks like, which is reasonable enough.
But at the same time they use a kludgy, opaque hack in the background to map that Unicode string to ASCII characters to provide full backwards compatibility with what was once a U.S.-centric domain naming system, one that retains substantial vestiges of that history.</P><P>If you're a Firefox user, I recommend obtaining and installing a utility called SpoofStick, which alerts you to what is being called "homograph" spoofing: one character or glyph looks like another, unrelated glyph. If you visit the Shmoo site with SpoofStick installed, you get a big, lovely warning.</P><P><<A HREF="http://www.corestreet.com/spoofstick/">http://www.corestreet.com/spoofstick/</A>></P><P>Trust has gone out the window when you follow links in email or on Web sites. There's no longer a way to be sure that the domain name you're visiting is the one you think it is unless you check the URL in Terminal or have SpoofStick installed.</P><P>Realistically, the upshot is that you must be even more careful about following links you receive in email to sites that ask for sensitive information. A message that purports to be from PayPal customer service, for instance, may look right and even use URLs that appear to connect to PayPal's site, but could in fact take you to another site designed to capture your username and password. You're less likely to fall victim to a spoofed URL on the Web itself, assuming you start from a site that's a relatively trusted source. When in doubt, fall back on common sense, and check suspect URLs by pasting them into Terminal to see if they're concealing any unusual Unicode characters. Hopefully we'll see browser fixes soon: simply displaying the full punycode-based domain name alongside its Unicode representation would at least highlight what's happening behind the scenes without interfering with navigation or Web pages.</P></div>
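<P>The encoding and the checks the article describes, as an added example (this is not code from the article, the Shmoo Group, or SpoofStick): a minimal RFC 3492 Punycode encoder, the per-label "xn--" conversion, a dump of each non-ASCII character's code point and UTF-8 bytes (what pasting the URL into Terminal reveals), and a mixed-script test that flags a label such as "pаypal" in which a Cyrillic letter sits among Latin ones. The lowercase-only IDNA mapping step, the three-script table, and the sample hostname are assumptions made for the example.</P>

```javascript
// Added example (not from the TidBITS article or the Shmoo Group): a minimal
// RFC 3492 Punycode encoder plus the two checks the article wishes browsers
// did: show the xn-- form next to the Unicode form, and flag labels that mix
// scripts (Latin letters next to a Cyrillic "а"). The IDNA mapping step is
// reduced to toLowerCase(); real IDNA (Nameprep / UTS 46) does more.

const BASE = 36, TMIN = 1, TMAX = 26, SKEW = 38, DAMP = 700;
const INITIAL_BIAS = 72, INITIAL_N = 128;

// Bias adaptation, RFC 3492 section 6.1.
function adapt(delta, numPoints, firstTime) {
  delta = firstTime ? Math.floor(delta / DAMP) : delta >> 1;
  delta += Math.floor(delta / numPoints);
  let k = 0;
  while (delta > ((BASE - TMIN) * TMAX) >> 1) {
    delta = Math.floor(delta / (BASE - TMIN));
    k += BASE;
  }
  return k + Math.floor(((BASE - TMIN + 1) * delta) / (delta + SKEW));
}

// Digit values 0-25 map to a-z, 26-35 to 0-9.
function encodeDigit(d) {
  return String.fromCharCode(d < 26 ? 97 + d : 22 + d);
}

// Punycode-encode one label (without the "xn--" prefix), RFC 3492 section 6.3.
function punycodeEncode(label) {
  const input = Array.from(label, ch => ch.codePointAt(0));
  let output = input.filter(cp => cp < INITIAL_N).map(cp => String.fromCodePoint(cp)).join('');
  const b = output.length;          // number of basic (ASCII) code points
  let h = b;                        // number of code points handled so far
  if (b > 0) output += '-';
  let n = INITIAL_N, delta = 0, bias = INITIAL_BIAS;
  while (h < input.length) {
    const m = Math.min(...input.filter(cp => cp >= n)); // next code point to insert
    delta += (m - n) * (h + 1);
    n = m;
    for (const cp of input) {
      if (cp < n) delta++;
      if (cp === n) {
        // Emit delta as a variable-length generalized integer.
        let q = delta;
        for (let k = BASE; ; k += BASE) {
          const t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
          if (q < t) break;
          output += encodeDigit(t + ((q - t) % (BASE - t)));
          q = Math.floor((q - t) / (BASE - t));
        }
        output += encodeDigit(q);
        bias = adapt(delta, h + 1, h === b);
        delta = 0;
        h++;
      }
    }
    delta++;
    n++;
  }
  return output;
}

// Hostname to its ASCII ("xn--") form, label by label.
function idnaToAscii(hostname) {
  return hostname.toLowerCase().split('.').map(label =>
    /^[\x00-\x7f]*$/.test(label) ? label : 'xn--' + punycodeEncode(label)).join('.');
}

// Which scripts a label draws its letters from; digits and hyphens are neutral.
// Three scripts suffice for this example (an assumption, not a complete table).
function scriptsIn(label) {
  const scripts = new Set();
  for (const ch of label) {
    if (/\p{Script=Latin}/u.test(ch)) scripts.add('Latin');
    else if (/\p{Script=Cyrillic}/u.test(ch)) scripts.add('Cyrillic');
    else if (/\p{Script=Greek}/u.test(ch)) scripts.add('Greek');
    else if (!/[0-9-]/.test(ch)) scripts.add('Other');
  }
  return scripts;
}

// What a SpoofStick-style warning needs: the xn-- form, every non-ASCII
// character with its code point and UTF-8 bytes, and any mixed-script label.
function inspectHostname(hostname) {
  const encoder = new TextEncoder();
  const nonAscii = [];
  for (const ch of hostname) {
    const cp = ch.codePointAt(0);
    if (cp < 128) continue;
    const hex = Array.from(encoder.encode(ch), byte => byte.toString(16).padStart(2, '0')).join(' ');
    nonAscii.push({ ch, codePoint: 'U+' + cp.toString(16).toUpperCase().padStart(4, '0'), utf8: hex });
  }
  const mixedScriptLabels = hostname.split('.').filter(l => scriptsIn(l).size > 1);
  return { unicode: hostname, ascii: idnaToAscii(hostname), nonAscii, mixedScriptLabels,
           suspicious: mixedScriptLabels.length > 0 };
}

// Constructed input: the Shmoo-style spoof, with U+0430 as the second letter.
const report = inspectHostname('www.p\u0430ypal.com');
console.log(report.ascii);        // www.xn--pypal-4ve.com
console.log(report.nonAscii);     // [{ ch: 'а', codePoint: 'U+0430', utf8: 'd0 b0' }]
console.log(report.suspicious);   // true
```

<P>Run it with node. On the constructed spoof hostname it prints www.xn--pypal-4ve.com, reports U+0430 (UTF-8 bytes d0 b0), and flags the label, while the genuine www.paypal.com passes clean. Showing the "xn--" form and refusing to render labels that mix scripts is, in rough outline, the display policy browsers eventually adopted for IDNs.</P>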
<!-- end article text -->
<p> </p><div class="sponsorbox">