The Homograph Attack
This page presents an example of the homograph attack, by Evgeniy Gabrilovich and Alex Gontmakher.
(See "The Homograph Attack", Communications of the ACM, 45(2):128, February 2002.
The full-length paper is available in PDF, and the HTML archive of the CACM Inside Risks column is kept at SRI.)
To prove the feasibility of this kind of attack, we legally registered
a homographic variant of the domain name "Microsoft.com"
which incorporates Russian language characters.
Here is the forged name, and here is the real thing.
Can you tell the difference?
Here is another
the accompanying IDN advisory.
Most browsers currently need a special client application, iClient,
distributed by i-DNS.net, in order to handle
multilingual domain names. Also, some browsers might display this name in
a garbled way (encoded in the ASCII/English version of the international
characters as bq--at7w373jih7xepx7om7p6zx7oq.com). Naturally, once
the multilingual infrastructure implementation is finalized, the name
will be displayed correctly.
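The following is an added example, not code from the original page or its authors: a Python check written from the defender's side that flags a hostname whose label mixes Latin and Cyrillic letters, folds a small set of Cyrillic look-alikes to Latin so that the forged and genuine names compare equal, and shows the Punycode (xn--) form in which today's IDNA standard, unlike the older bq-- encoding quoted above, represents such names. The sample look-alike string and the look-alike table are constructed here and are assumptions, not values from the page.

```python
import unicodedata

# Constructed sample input (not from the page): "microsoft.com" with the Latin
# letters c and o replaced by Cyrillic es (U+0441) and Cyrillic o (U+043E).
LOOKALIKE = "mi\u0441r\u043es\u043eft.com"
GENUINE = "microsoft.com"

# Hand-picked subset of Cyrillic letters that render like Latin ones;
# a production check would use the full Unicode confusables table.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y",
}

def script_of(ch):
    """Coarse script class taken from the character's Unicode name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def is_mixed_script(hostname):
    """True if any label mixes letters from more than one script."""
    for label in hostname.split("."):
        if len({script_of(c) for c in label if c.isalpha()}) > 1:
            return True
    return False

def skeleton(hostname):
    """Fold known Cyrillic look-alikes to Latin so visual twins compare equal."""
    return "".join(CYRILLIC_TO_LATIN.get(c, c) for c in hostname)

def looks_like(hostname, genuine):
    """Visually identical to `genuine` after folding, yet a different string."""
    return hostname != genuine and skeleton(hostname) == skeleton(genuine)

def to_ascii(hostname):
    """Punycode (xn--) form, as registries and modern browsers store IDNs."""
    return hostname.encode("idna").decode("ascii")

def check(hostname, genuine=GENUINE):
    """Signals a web or mail gateway could log for a hostname it sees."""
    return {
        "ascii": to_ascii(hostname),
        "mixed_script": is_mixed_script(hostname),
        "lookalike_of_genuine": looks_like(hostname, genuine),
    }

if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(host, check(host))
```

The skeleton comparison also catches a label written entirely in Cyrillic, which the mixed-script test alone would miss.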
We are in the news!
Here is a brief list of articles that discuss our idea:
"Technion researchers warn: Faking websites is easier than ever", Globes Online, February 2005
"Creating phony Web sites is easier than ever", The Jerusalem Post, February 2005
"Beware the unexpected attack vector", The Register, February 2005
"Experts: International Domain Names May Pose Threat", PC World, February 2005
Also featured in:
"Writing Secure Code", Second Edition, Microsoft Press, 2002, ISBN 0-7356-1722-8
"Spoofing URLs with Unicode", Slashdot.org, June 2002
"URLs in Urdu?", Scientific American, June 2002
"Secure Programming for Linux and Unix HOWTO" (Section 6.16 "Foil Semantic Attacks")
"Briefing Paper on Internationalized Domain Names (IDN) Permissible Code
The Internet Corporation for Assigned Names and Numbers (ICANN), February 2002
Disclaimer
The example domain name was only registered as a feasibility proof of the described attack.
"Microsoft" is a registered trademark of
Last updated on July 28, 2006