maxkabakov - Fotolia
Google recently introduced some language/character changes to make Gmail a more global email service. What are the security benefits of such changes? And what security implications could a global email application/service have on an enterprise?
The Internet is a global phenomenon, yet its standards are still mainly based on the English alphabet --which less than half of the world's population uses. For example, the email address josé@mialmacen.es is not valid because "josé" contains the letter é. Under RFC 5321, a mailbox name is restricted to a subset of 7-bit ASCII -- special characters like á, é ó, í, among others are not allowed. Most mail servers will simply ignore the é and try to send the email to firstname.lastname@example.org. (Domain names are already internationalized under RFC 5890, so the email address email@example.com is valid.)
This can be frustrating for anyone wanting to use their own name in their email address. For example someone called Cristóbal Colón, the Spanish for Christopher Columbus, would have to opt for an email address of cristobal.colon@ -- no longer a famous explorer, but a punctuation mark.
To remedy this situation the Internet Engineering Task Force created a new email standard that supports addresses with non-ASCII characters. That was back in 2012, and even though ASCII was surpassed in 2008 by UTF-8 as the most common character encoding used on the Web, users have still been limited to basic Latin characters because every email provider and every website that requires a valid email address during registration needs to adopt the new standard.
Google is the first big email provider to add support for non-Latin characters; Gmail can now correctly handle addresses that contain accented or non-Latin characters. This means Gmail users can send emails to and receive emails from people who have these characters in their email addresses, though as of yet it's not possible to create a Gmail account using accented or non-Latin characters.
There are security implications, however, as support for non-Latin characters will make it easier for phishers to spoof people's email addresses.
Let me explain.
ASCII has several pairs of characters that look alike: for example, the capital letter O and the number 0, lowercase l and uppercase I. There is little or no difference in the glyphs for these characters in most fonts, but computer systems treat them differently when processing them. For example, the ASCII code for capital I is 73 but the code for lowercase l is 108. Spoofing attacks based on these similarities are known as homograph spoofing attacks. It is similar to typosquatting, where an attacker registers a domain such as www.goog1e.co.uk, but whereas this relies on natural human typos, homograph spoofing intentionally deceives users by using visually indistinguishable names.
Unicode incorporates numerous writing systems and increases the number of similar-looking characters such as the Greek Ο, Latin O and Cyrillic О. As a result, a cybercriminal or hacker working for a nation state could construct email addresses that recipients would believe are from a trusted friend or colleague such as аndrew123@gmail.com instead of firstname.lastname@example.org -- the first address uses the Unicode character U+0430, the Cyrillic small letter a and not the Unicode character U+0061, the Latin small letter a.
Google is preempting the possibility of hackers trying to take advantage of Unicode homograph attacks against the email username by updating its Gmail spam filter to make targeted phishing attacks more difficult by rejecting emails with addresses that use suspicious character combinations. What's classified as suspicious is based on specifications set by the Unicode Consortium, which establishes computing industry standards for the consistent representation and handling of text expressed in most of the world's writing systems.
Although other webmail providers are likely to watch whether globalizing Gmail brings Google more users and impacts their own user numbers before introducing more language localization themselves, internationalization is definitely happening. To counter this increased risk of Unicode homograph attacks, sites and users can use digital certificates so others can validate the domain of the site they are visiting and verify the sender of incoming emails.
Ask the Expert:
Want to ask Michael Cobb a question about application security? Submit your question now via email. (All questions are anonymous.)
Don't miss the latest email security news and advice from SearchSecurity
Dig Deeper on Email and Messaging Threats-Information Security Threats
Related Q&A from Michael Cobb
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading
The popular port scan is a hacking tool that enables attackers to gather information about how corporate networks operate. Learn how to detect and ... Continue Reading