Phishing - Browser-based Defences
Version 0.3 - 2005-02-09
The core problem of phishing can be stated as follows: a user has been phished when they think they are communicating with an entity they know and have a relationship with, when in fact they are communicating with a malicious attacker. Once the attacker has the victim fooled, he can attempt to extract valuable information such as usernames, passwords, or credit card details.
The browser, as the vehicle overwhelmingly used for high value transactions, is at the forefront of the phishing war. This paper discusses browser-based approaches to mitigating the problem, and suggests three changes - "Domain Hashing", "New Site" and "Phish Finder".
Other approaches to phishing are possible - for example, one could argue that prevention of class 5 attacks (see below) is entirely the problem of the domain name registrars. However, such approaches are outside the scope of this paper.
Phishing URL Classes
Phishing URLs can be classified into the following five classes:
- An IP address, e.g. http://192.168.1.1/
  This relies on the user ignoring the URL bar entirely, or being confused by its complexity.
- A completely different domain, e.g. https://www.randomdomain.com/
  This relies on the user just not looking at the domain at all.
- A plausible-sounding but fake domain, e.g. https://www.paypal-secure.com
  This relies on the user not knowing their exact destination.
- An obvious-to-the-eye letter substitution, e.g. https://www.paypa1.com
  This relies on the user not looking too closely at individual letters.
- An HTTP login, e.g. https://www.paypal.com.../@https://www.evil.com/
  Some browsers already warn about this.
- An invisible letter substitution (punycode attack), e.g. https://www.xn--pypal-4ve.com
  This sort is currently almost undetectable.
Solution Requirements
Phishing is, at heart, a problem of correct identification. So good solutions will be those which make the user more confident of where they are, and make it easier to notice when it's somewhere they haven't been before. I believe that browser-based anti-phishing measures need to have the following features.
Solutions MUST be based on SSL. The browser needs to know for certain where it is, before the user has any hope of knowing. This means SSL - the industry-standard way of a browser being certain that the site sending it data is the same site it thinks it is requesting data from. Any fix which does not involve SSL is a band-aid. In fact, providing anti-phishing UI on non-SSL sites may worsen the situation, as having the anti-phishing UI visible only when the connection is secure is a good indicator - with complete absence of the UI elements meaning "be suspicious".
Solutions should be general and coordinated. It's no good having one UI widget which goes blue in the presence of a type 3 attack, and another which changes shape for a possible type 5. All forms of phishing should be considered, and a consistent and organised response made.
Solutions should ideally be self-contained. Solutions which require the browser to go to a third-party server to help make the decision are hamstrung if that server goes down - OCSP has this problem. Even if the server is up and responsive, page load can be delayed because further network round-trips are necessary. It also requires that the third-party server be maintained.
Solutions should avoid discrimination against persons or groups. We shouldn't discriminate against punycode domain names as a class, because that's discriminating against users of non-Latin alphabets. We also shouldn't discriminate against unpopular or low-traffic sites - that's unfair on small businesses.
Solutions should be aligned with the user's desire to do minimal work. Protecting the user is our job; passing it off to them and making them work to protect themselves means both that we've failed, and that it won't get done. Users have a high view of their own inability to be fooled - no-one thinks "wow, I'm a real mug, I'd better do something to protect myself from phishing".
Solutions should have simple UI. The more complex a UI, the more a user's eye will gloss over it. A browser which has twenty widgets and icons to indicate different things about the site will not help because the user will simply ignore the lot. As a rule of thumb, if we can't explain to the user what to look for in a single sentence, the UI is too complicated.
Possible Solutions
Here are some solutions or solution components which have been suggested recently, and my thoughts on them.
Turn off IDN
The latest round of punycode-based homograph attacks has led people to suggest switching off IDN, either personally or in browser security releases.
This solution is inherently discriminatory - IDN was introduced to try and level the playing field in domain names with regard to their alphabet. It's also an admission of defeat, and it doesn't solve the problem - it only prevents class 6 phishing attacks.
Show raw names
It has been suggested that the browser should (instead or additionally) show raw domain names to users in the punycode (class 6) case.
This is not much better than showing them a hex string which is a hash of the domain - to most users, it will seem just like a random set of letters and numbers. It would also hinder uptake of IDN, because IDN owners would not want to be second-class citizens.
Phishing blacklist
It has been suggested that browsers should contact a remote server which holds a phishing domain blacklist.
While a good idea in theory, the experience of those who attempt to maintain spam blacklists should cause us to be wary about saying that such a service is easy to build and keep up in the face of attack. Accepting only valid reports, removing malicious reports and fending off DOS attacks would make this a serious undertaking.
Unless the browser downloads the entire blacklist regularly (and most phishing sites have a lifetime measured in days), it would also have to send each URL accessed to the remote server, which has serious privacy implications.
User-selected logo or 'petname'
It has been suggested that users should select a logo or friendly name for sites that they frequently visit, and that this name or logo should then be displayed in the UI on future visits, to reassure them that they are where they think.
While this scheme may work fairly well for users who bother to take the action required, in practice I suspect very few would choose to do so. As I explained in "Requirements", few users are going to put in the time to maintain such a list outside the confines of a prompted lab study. It requires them to put up-front effort into protecting themselves from a problem they can't imagine themselves encountering.
Domain letter colouring
It has been suggested that the display of the domain name in the URL bar should be annotated, perhaps using coloured backgrounds, to indicate the lexical class of the letter concerned, so that "odd" letters may be more easily picked out. This suggestion has gained currency because it is mentioned in the Unicode Consortium advice on dealing with IDN spoofing issues, and by members of the IDN community, so I will deal with it at greater length.
My most important objection is that schemes of this sort will inevitably be irreducibly over-complex. It would be impossible to train a significant proportion of users as to the meanings of each of the colours or changes, and to explain exactly what defined a suspicious circumstance, as there are many legitimate uses for domains with a mix of e.g. Latin and another alphabet (as the Consortium advice notes). If you can't explain it in a single sentence, it's too complex.
Any scheme involving coloured annotations presents problems for the 5% of the world who are colour-blind. It's a long-standing UI principle that no information should ever be conveyed to the user by means of colour alone. Some Unicode codepoints are part of several different languages, and so would have no obvious single colour.
The last objection is that it would also have the significant side-effect of making the URL bar often very ugly for those large parts of the world who use some or many non-ASCII characters. This is not a trivial consideration - users who dislike the ugliness will either try and turn it off or will switch to another product.
Using bookmarks or history
It has been suggested that bookmarks and history could be used to see whether the user had previously visited a site. If a user has never visited a site before, that's an indication it could be fraudulent.
The idea here is good, but this would not work well with current history implementations, which store history for a limited time only. Extending that time, and/or making the keeping of history compulsory, runs up against privacy issues. There's a fundamental tension between the anti-phishing code's need to know where the user has been, and a user's legitimate desire to conceal that information.
Measures of lexical proximity
It has been suggested that browsers should attempt to determine whether a particular domain was in "close lexical proximity" to a high value domain.
While this may be possible for the limited case of homographic characters, the problems in the more general case are finding the list of high value domains, and defining "close lexical proximity". For a dyslexic person, http://www.ibm.com and http://www.bmi.com are in close lexical proximity and could easily be confused. But no-one would suggest BMI Music should surrender their domain to IBM Computers. In addition, the number of different scripts and writing forms makes it very difficult indeed to design a consistent metric.
It also requires the browser to have a list of high-value domains. Who would make and maintain such a list, and decide on the entry criteria?
My Suggestions
I have three suggestions for browser changes. The first two help the user to realise on their own that they may be on a phishing site. The last helps the browser to warn the user, even if the user does not suspect anything. (I cannot claim that these ideas are entirely my own; I formulated them having considered the ideas of many other people, including the ones above.)
Domain Hashing
It is a fundamental of human language that we will want to choose names which sound or look fairly similar to each other. Any system which allowed no such similarities would hinder many legitimate uses. However, we need to make it easier for the user to notice the difference between two close strings.
The standard way to make two similar things more easily distinguishable is to hash them. So, the browser should display, alongside the domain name, a representation of a hash of the domain. This "amplifies" the difference between similar- or identical-looking domain names.
However, such a hash should not be displayed, for example, as a set of hexadecimal digits. These are hard for the human eye to scan and remember, because they are letters and numbers without obvious meaning. Humans find arbitrary strings of letters hard to remember. I originally wanted to use a colour to represent the hash, but this produces problems for the colourblind.
Instead, I suggest the hash (or the first N bits of it) should be displayed as two digits of a new 64-symbol set of glyphs, or "alphabet". The alphabet would be carefully chosen to have the characteristic that no glyph is a letter in any language, and no two are similar in appearance.
The 64 symbols would be chosen from "Geometric Shapes", "Miscellaneous Symbols", "Dingbats" and other similar sections of the Unicode standard. The advantage of using Unicode symbols is that the glyphs are widely available, and their forms defined and known. Because these codepoints are not letters in an alphabet, terms like "bold", "italic", "serif" and "script" mean nothing to them, so their glyphs keep their distinctive appearance in different fonts.
The same hash algorithm and set of glyphs would be used across all browsers, and the glyphs for a particular domain name would be printed on advertising media and marketing materials for that domain. The hash would be part of the security UI of the browser - in the Firefox case, the domain indicator in the status bar. The user would check both the domain name and the glyphs to make sure they were in the right place.
Example: www.paypal.com (♠◊)
So, in order for a phisher to have a plausible URL, they would need to find one which both looked like "www.paypal.com" and also hashed to the same glyphs. This reduces the number of possibilities by a factor of (64 * 64 =) 4096. Even better odds could be gained by using more than two glyphs; greater simplicity could be gained by using just a single one. Exactly how many to use would be a matter of discussion. More digits is more secure, but also increases UI complexity.
To summarise: this proposal means that lexically close or homographic domains look significantly different, aiding the user in determining exactly where they are. This scheme has the advantage of the logo/petname proposal - a domain is associated with an image - without the need for the user to continuously do work to define relationships.
Update 2005-03-14: I'm no longer so keen on "Domain Hashing", for several reasons - primarily because I think IDN spoofing should be tackled mostly at the Nameprep and registrar level, and we are working towards doing that instead.
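The glyph-hash display described above, as an added illustration that is not part of the original paper: SHA-256 and the placeholder alphabet (the first 64 codepoints of the Unicode "Geometric Shapes" block) are this example's assumptions, so its output for www.paypal.com will not match the (♠◊) shown in the text.

```python
import hashlib

# Placeholder 64-glyph "alphabet" (an assumption for this example): the
# first 64 codepoints of the Unicode "Geometric Shapes" block, U+25A0 to
# U+25DF.  A real deployment would hand-pick glyphs from several symbol
# blocks so that no two look alike, as the text requires.
GLYPHS = [chr(cp) for cp in range(0x25A0, 0x25E0)]


def domain_glyphs(domain: str, digits: int = 2) -> str:
    """Return `digits` glyphs encoding the leading 6*digits bits of a hash
    of the domain.  SHA-256 is this example's choice; the paper leaves the
    algorithm open.  Each 6-bit chunk indexes the 64-glyph set, so the
    two-glyph form is a prefix of any longer form."""
    # Normalise so that the form the user sees and the on-the-wire
    # (punycode) form hash identically: lower-case, drop a trailing dot,
    # IDNA-encode.
    wire_form = domain.rstrip(".").lower().encode("idna")
    digest = hashlib.sha256(wire_form).digest()
    leading = int.from_bytes(digest, "big") >> (256 - 6 * digits)
    out = []
    for _ in range(digits):
        out.append(GLYPHS[leading & 0x3F])
        leading >>= 6
    return "".join(reversed(out))


def collision_space(digits: int = 2) -> int:
    """Number of distinct glyph strings; a look-alike domain must also land
    on the same one, so the phisher's choices shrink by this factor."""
    return 64 ** digits


if __name__ == "__main__":
    # Constructed demo: the paper's own example domain and two look-alikes.
    for d in ("www.paypal.com", "www.paypa1.com", "www.xn--pypal-4ve.com"):
        print(f"{d:24} {domain_glyphs(d)}")
    print("factor:", collision_space())  # 4096, as the paper states
```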
New Site
The key and unchangeable characteristic of a phish is as follows: the user is somewhere they haven't been before, but they think they are somewhere they have been before. (If they've been to this phishy place before, they've already been phished; if the phish is faking a site they've never visited, they won't have a relationship or a high-value login.)
If the browser kept complete and total history, it could say definitively "you've been here before", or "you haven't been here before". It could then display the words "new site" (or an equivalent icon) in the security area, which would hopefully alert the user to the problem.
However, this runs into a problem with privacy. Many users do not like to retain history, and normal browser implementations throw it away after a configurable number of days (often 30). These two factors make it much less useful for this purpose than it could be.
My suggested solution is a special history, which takes each SSL domain visited, appends a user-specific random string, and stores a hash of the result. Because it just stores domains, the size of the store becomes manageable, and because it's hashed, it's free from casual snooping. The store has the property that it would be possible for an attacker with access to the box to know if a particular SSL domain had been visited, but not to get a list of all SSL domains visited, unless they hashed all the domains in the world for that particular user. Hopefully, this reduces the privacy issue.
It would be possible to disable this hashed SSL history, but it would be a separate preference to normal history, and would not be cleared by default by any "Sanitise" functions. It should be considered part of the browser's internal workings, and not user-accessible.
So, if this store indicated that an SSL domain had not been previously visited, the UI might change as follows. This is just a suggestion - the details could easily be changed.
Phish Finder
The third set of changes is a group of heuristics to help the browser determine that a site may be suspicious. The heuristics would use the following as input data. These factors are carefully chosen to be non-discriminatory.
- Whether the domain name consisted solely of ASCII plus at least one ASCII homograph, or (if an accurate heuristic with no false positives is possible) contains "mixed scripts"
- Whether the domain appears in existing bookmarks, history or the password store
- Hashed SSL domain history, as outlined above
- Whether the link came from an email or other external source
- Whether the link text has a different hostname to the URL
- Use of a numeric IP address rather than a domain name
- Whether the link has an unnecessary HTTP username/password pair
Once the page has loaded, we could add:
- Whether the page has many cross-domain links (e.g. if they are stealing the spoofed site's graphics directly)
- Whether the page has the same favicon but not the same domain as a previously-visited page
If we also take the time to contact a remote server, we could add:
- Age of the domain (if it were, say, less than two weeks old)
- Whether the domain was on a phishing blacklist (regularly downloaded)
When the browser suspects a site of being phishy, a yellow security information bar would appear at the top of the content window - as currently happens for blocked popups and attempted software installs. A "more info" button would explain why the browser thought the site was suspicious. This UI is independent of the exact algorithm used, which gives maximum flexibility to improve the algorithm and sources of input data as time goes on.
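The hashed SSL history from "New Site" together with four of the pre-load Phish Finder inputs (hashed history, link-text hostname mismatch, numeric IP, HTTP username/password pair), as an added example that is not the paper's or Mozilla's code. HMAC-SHA256 as the keyed hash, the class and function names, and the sample URLs are all constructed for this illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import List, Optional
from urllib.parse import urlsplit


class HashedSslHistory:
    """The paper's "New Site" store: each SSL domain visited is mixed with a
    per-user random string and only the hash is kept, so the store answers
    "have I been here before?" but cannot be listed without guessing every
    domain.  HMAC-SHA256 is this example's keyed hash; the paper fixes none."""

    def __init__(self, user_secret: Optional[bytes] = None):
        self._secret = user_secret or secrets.token_bytes(32)
        self._seen = set()

    def _key(self, domain: str) -> bytes:
        wire_form = domain.rstrip(".").lower().encode("idna")
        return hmac.new(self._secret, wire_form, hashlib.sha256).digest()

    def record(self, domain: str) -> None:
        self._seen.add(self._key(domain))

    def visited(self, domain: str) -> bool:
        return self._key(domain) in self._seen


def phish_finder(url: str, history: HashedSslHistory,
                 link_text: Optional[str] = None) -> List[str]:
    """Return the pre-load heuristics that fire for `url`; an empty list
    means nothing suspicious.  The browser would show the yellow bar when
    the list is non-empty and expose the reasons behind "more info"."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.username is not None or parts.password is not None:
        reasons.append("URL carries an unnecessary HTTP username/password")
    try:
        ipaddress.ip_address(host)          # raises for a real hostname
        reasons.append("numeric IP address rather than a domain name")
    except ValueError:
        pass
    if link_text:                           # only when the text is URL-like
        text_host = (urlsplit(link_text).hostname or "").lower()
        if text_host and text_host != host:
            reasons.append("link text names a different hostname to the URL")
    if parts.scheme == "https" and not history.visited(host):
        reasons.append("new site: this SSL domain has never been visited")
    return reasons
```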
Conclusion
Many approaches to countering phishing have been suggested, but they often have practical problems. I believe my three suggestions could form the basis of a coordinated, non-discriminatory approach to the issue.
Credits
Many thanks to Ian G, Robert O'Callahan, Nelson Bolyard and the other members of the Mozilla security group for their ideas and input on this paper, and thanks to SpoofGuard for some Phish Finder heuristic ideas.