Open Source and information security mailing list archives
Date: Tue, 8 Mar 2005 12:23:36 +0600
From: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@....nsk.su>
To: Kevin Day <toasty@...gondata.com>
Cc: Michael Roitzsch <amalthea@...enet.de>, bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks


On Mon, 7 Mar 2005, Kevin Day wrote:

> What would (to me) make more sense is if the browser made it more clear 
> that a homograph was being used.
> 
> In the address bar, any character that's not from the user's language 
> character set(or family of languages possibly) would appear as a 
> different color. Maybe make the foreign characters red, or the 
> background color around each foreign character blue or something.

	You have come to the same idea as I did :-) (I hope my post to
Bugtraq will pass moderation), just with a different flavor.  That's a
good sign for me, and this kind of solution seems to be not-so-hard to
implement.

> It still would require a bit of user education, but maybe the first 
> time it happened the browser can pop up with "The address of the site 
> you are going to contains characters from another language. If you 
> clicked on a link to a site you expected to be in [User's default 
> language], 

	A small addition: not "language", but "languages".  And maybe
even more -- "character set".  For example, Russian-speaking users
currently use only Latin letters, as the whole world does.  And if IDN
someday becomes common, they would have to use a mixture of Latin and
Cyrillic letters.

	(I hope IBM would be clever enough to grab the "IBM.com" domains,
where "B" is "Cyrillic capital VE" and/or "M" is "Cyrillic capital M". :-)

> you might be going to a fraudulent site. The questionable 
> characters are highlighted in blue in the address bar above. [x] Do not 
> show this again for Cyrillic language letters"

	Unfortunately, most users, in the case of such warnings, blindly press
[Ok] without even trying to read what they are warned about.  And if there is
a "[x] Don't show this again..." option, they will immediately switch it
on.  So, such switchable-off protection would in fact become illusory...

	_________________________________________
	  Dmitry Yu. Bolkhovityanov
	  The Budker Institute of Nuclear Physics
	  Novosibirsk, Russia
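The address-bar check discussed in this thread, as an added example that is not code from the original post or from any browser: each character of a hostname is classified by Unicode script with JavaScript's `\p{Script=...}` property escapes, characters outside the scripts the user is expected to read are marked (here by wrapping them in square brackets, standing in for the colour change Kevin suggested), and the set of scripts used in the name is listed so that a Latin/Cyrillic mixture can be spotted on its own. The spoofed "IBM.com" with Cyrillic VE and Cyrillic EM is a constructed sample; the `expectedScripts` parameter and the helper names are assumptions for illustration. The last call also shows the caveat Dmitry raises: once a user legitimately expects both Latin and Cyrillic, the spoofed name produces no highlight at all, and only the mixed-script check still fires.

```javascript
// Added example (not from the original post). Flags characters in a hostname
// that fall outside the scripts the user is expected to read, and reports
// which scripts a hostname mixes. "expectedScripts" and the sample hostnames
// below are assumptions chosen for illustration.

// Coarse script classification via Unicode property escapes (ES2018+).
// "Common" covers digits, '.', '-' and other script-neutral characters.
const SCRIPT_TESTS = [
  ["Latin", /\p{Script=Latin}/u],
  ["Cyrillic", /\p{Script=Cyrillic}/u],
  ["Greek", /\p{Script=Greek}/u],
  ["Common", /\p{Script=Common}/u],
];

function scriptOf(ch) {
  for (const [name, re] of SCRIPT_TESTS) {
    if (re.test(ch)) return name;
  }
  return "Other";
}

// Annotate each character with its script and whether it is "foreign"
// relative to the scripts the user expects (Common is always allowed).
function annotateHostname(hostname, expectedScripts) {
  const expected = new Set([...expectedScripts, "Common"]);
  return Array.from(hostname).map((ch) => {
    const script = scriptOf(ch);
    return { ch, script, foreign: !expected.has(script) };
  });
}

// Sorted list of the non-Common scripts present in the hostname. A name that
// mixes Latin and Cyrillic is the classic homograph pattern, regardless of
// what the user's expected-script list says.
function scriptsUsed(hostname) {
  const seen = new Set();
  for (const ch of hostname) {
    const sc = scriptOf(ch);
    if (sc !== "Common") seen.add(sc);
  }
  return [...seen].sort();
}

// Render the hostname as text with foreign characters wrapped in [ ],
// standing in for a colour or background change in a real address bar.
function markForeign(hostname, expectedScripts) {
  return annotateHostname(hostname, expectedScripts)
    .map((a) => (a.foreign ? `[${a.ch}]` : a.ch))
    .join("");
}

// Constructed sample: "IBM.com" with Cyrillic capital VE (U+0412) and
// Cyrillic capital EM (U+041C) in place of Latin B and M.
const SPOOFED = "I\u0412\u041C.com";
const GENUINE = "IBM.com";

console.log(markForeign(SPOOFED, ["Latin"]));             // I[В][М].com
console.log(scriptsUsed(SPOOFED).join(","));               // Cyrillic,Latin
console.log(markForeign(GENUINE, ["Latin"]));             // IBM.com
console.log(markForeign(SPOOFED, ["Latin", "Cyrillic"])); // IВМ.com (no highlight)
```

Note that the script-property approach is deliberately coarse: it flags foreign script, not visual similarity, so a Latin-only typo domain gets no highlight, and a user who has been trained to accept Cyrillic in addresses (the "[x] Do not show this again" problem) would see the spoofed name undecorated. The `scriptsUsed` output is the piece a browser could act on without any per-user setting.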


