Google recently introduced some language/character changes to make Gmail a more global email service. What are...
the security benefits of such changes? And what security implications could a global email application/service have on an enterprise?
The Internet is a global phenomenon, yet its standards are still mainly based on the English alphabet --which less than half of the world's population uses. For example, the email address josé@mialmacen.es is not valid because "josé" contains the letter é. Under RFC 5321, a mailbox name is restricted to a subset of 7-bit ASCII -- special characters like á, é ó, í, among others are not allowed. Most mail servers will simply ignore the é and try to send the email to firstname.lastname@example.org. (Domain names are already internationalized under RFC 5890, so the email address email@example.com is valid.)
This can be frustrating for anyone wanting to use their own name in their email address. For example someone called Cristóbal Colón, the Spanish for Christopher Columbus, would have to opt for an email address of cristobal.colon@ -- no longer a famous explorer, but a punctuation mark.
To remedy this situation the Internet Engineering Task Force created a new email standard that supports addresses with non-ASCII characters. That was back in 2012, and even though ASCII was surpassed in 2008 by UTF-8 as the most common character encoding used on the Web, users have still been limited to basic Latin characters because every email provider and every website that requires a valid email address during registration needs to adopt the new standard.
Google is the first big email provider to add support for non-Latin characters; Gmail can now correctly handle addresses that contain accented or non-Latin characters. This means Gmail users can send emails to and receive emails from people who have these characters in their email addresses, though as of yet it's not possible to create a Gmail account using accented or non-Latin characters.
There are security implications, however, as support for non-Latin characters will make it easier for phishers to spoof people's email addresses.
Let me explain.
ASCII has several pairs of characters that look alike: for example, the capital letter O and the number 0, lowercase l and uppercase I. There is little or no difference in the glyphs for these characters in most fonts, but computer systems treat them differently when processing them. For example, the ASCII code for capital I is 73 but the code for lowercase l is 108. Spoofing attacks based on these similarities are known as homograph spoofing attacks. It is similar to typosquatting, where an attacker registers a domain such as www.goog1e.co.uk, but whereas this relies on natural human typos, homograph spoofing intentionally deceives users by using visually indistinguishable names.
Unicode incorporates numerous writing systems and increases the number of similar-looking characters such as the Greek Ο, Latin O and Cyrillic О. As a result, a cybercriminal or hacker working for a nation state could construct email addresses that recipients would believe are from a trusted friend or colleague such as аndrew123@gmail.com instead of firstname.lastname@example.org -- the first address uses the Unicode character U+0430, the Cyrillic small letter a and not the Unicode character U+0061, the Latin small letter a.
Google is preempting the possibility of hackers trying to take advantage of Unicode homograph attacks against the email username by updating its Gmail spam filter to make targeted phishing attacks more difficult by rejecting emails with addresses that use suspicious character combinations. What's classified as suspicious is based on specifications set by the Unicode Consortium, which establishes computing industry standards for the consistent representation and handling of text expressed in most of the world's writing systems.
Although other webmail providers are likely to watch whether globalizing Gmail brings Google more users and impacts their own user numbers before introducing more language localization themselves, internationalization is definitely happening. To counter this increased risk of Unicode homograph attacks, sites and users can use digital certificates so others can validate the domain of the site they are visiting and verify the sender of incoming emails.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)
Don't miss the latest email security news and advice from SearchSecurity
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.