Автор: Wendy M. Grossman
Дата: 07-05-03 17:52
URLs in Urdu? (Scientific American, 6/02) -- Multilingual web addresses have homographic hacking possibilities.
http://www.sciam.com/article.cfm?articleID=0005D6A3-3B91-1CDC-B4A8809EC588EEDF
Is this the Web address of tomorrow: ωωω.σχιαμ.χομ or россия.ру ? At the moment, non-Latin alphabets and scripts are not compatible with ASCII, the lingua franca of the Internet also known as plain text. But as of March only 40 percent of the 561-million-strong global online population were native English speakers, according to online marketing firm Global Reach. Work has been proceeding for some time, therefore, to internationalize the system that assigns domain names (sciam.com, for example) to the dotted clumps of numbers that computers use (such as 192.1.1.0).
The technical side of things has been managed by the Internationalized Domain Name Working Group of the Internet Engineering Task Force (IETF). In April, VeriSign, the single largest registrar of domain names, claimed to have registered about a million international names. But turning Web addresses into a multilingual forum may open the door to a dangerous new hazard--hackers could set up fake sites whose domain names look just like the ASCII version.
One example is a homograph of microsoft.com incorporating the Russian Cyrillic letters "c" and "o," which are almost indistinguishable from their Latin alphabet counterparts. The two students who registered it, Evgeniy Gabrilovich and Alex Gontmakher of the Technion-Israel Institute of Technology in Haifa did so to make a point: they suggest that a hacker could register such a name and take advantage of users' propensity to click on, rather than type in, Web links. These fake domain names could lead to a spoof site that invisibly captures bank account information or other sensitive details.
In their paper, published in the Communications of the ACM, they paint scary, if not entirely probable, scenarios. For instance, a hacker would be able to put up an identical-looking page, hack several major portals to link to the homographed site instead of the real one, and keep it going unnoticed for perhaps years.
On a technical level, homograph URLs are not confusing. International domain names depend on Unicode, a standard that provides numeric codes for every letter in all scripts worldwide. And at its core, the internationalization of the domain name system is a veneer: the machines underneath can still only read ASCII.
According to the proposed standard, the international name will be machine-translated at registration into an ASCII string composed of an identifying prefix followed by two hyphens followed by a unique chunk of letters and numbers: "iesg--de-jg4avhby1noc0d," for example. This string would be translated back into Unicode and compared with the retranslation of the original. So right now anyone using a standard browser can easily see the difference between an internationalized domain name and an ordinary one.
This situation, however, is temporary. Technical drafts by the IETF state that users should not be exposed to the ugly ASCII strings, so increasingly users will have little way of identifying homographs. Computer scientist Markus G. Kuhn of the University of Cambridge notes that for users to be sure they are connected to the desired site, they will have to rely on the secure version of the Web protocol (https) and check that the site has a matching so-called X.509 certificate. "That has been common recommended practice for electronic banking and commerce for years and is not affected by Unicode domain names," Kuhn observes. Certification agencies (which include VeriSign) ensure that encoded names are not misleading and that the registration corresponds with the correct real-world entity.
But experience shows that the Internet's majority of unsophisticated users "are vulnerable to all kinds of simple things because they have no concept of what's actually going on," explains Lauren Weinstein, co-founder of People for Internet Responsibility. Getting these users to inspect site certificates is nearly impossible. Weinstein therefore thinks that a regulatory approach will be necessary to prohibit confusing names. Such an approach could be based on the current uniform dispute resolution procedure of the Internet Corporation for Assigned Names and Numbers (ICANN), the organization that oversees the technical functions of handing out domain names. But it will require proactive policing on the part of the registrars, such as VeriSign, something they have typically resisted.
But are international domain names even necessary? Kuhn, who is German, doesn't think so: "Familiarity with the ASCII repertoire and basic proficiency in entering these ASCII characters on any keyboard are the very first steps in computer literacy worldwide." Internationalizing names might succeed only in turning the global network into a Tower of Babel.
The Author:
Wendy M. Grossman, a frequent contributor on information technology, is based in London.
URL: http://www.pelicancrossing.net/index.htm
|
|
