| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 07 Mar 2005 20:54:39 +0100 From: Thomas Wana <thomas@...a.at> To: Michael Roitzsch <amalthea@...enet.de> Cc: bugtraq@...urityfocus.com Subject: Re: thoughts and a possible solution on homograph attacks Michael Roitzsch wrote: > You can find it here: > http://www.amalthea.de/publications/homograph.pdf Quote from the abovementioned paper: "I propose to present the user with a dialog showing the text to be validated and an input field, into which the user has to type in the given text again. The user is told, if both texts match precisely and what this means: If the typed text's internal representation matches the given text bit-by-bit, trust can be established. If it does not match, the user is told to re-check for typing errors and not to establish trust." You completely seem to forget to think about user *acceptance*. Noone will accept such a "solution". If I think of me alone I would hate to enter the domain name once I click on a link. And obviously this would have to be done for *every* link the user clicks, or how would you technically distinguish between a trustable and non-trustable URL. Heck, that's actually the root of the problem ... Tom
Powered by blists - more mailing lists