Date: Tue, 08 Mar 2005 12:35:48 +0100
From: Denis Jedig <seclists@...eticon.de>
To: "bugtraq-securityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: thoughts and a possible solution on homograph attacks


Kevin Day wrote:

> character set (or family of languages possibly) would appear as a
> different color. Maybe make the foreign characters red, or the 
> background color around each foreign character blue or something.

This actually will have to be understood by the user. While the idea to
make all characters in the Unicode character set *look* different is
fine, you again will end up with the acceptance problem (wow, look at
the fancy red "a" in ebay.com, I like colours in my address bar). By the
way, using the "revert to plain punycode in address bar" approach, you'd
achieve very much the same goal but have a better user acceptance - a
weird looking URI looks much more scary than a coloured URI.

> Users using an English browser could view URLs with known "acceptable"
> characters in other languages like é, ø and other obvious differences 
> with no problem, but if a user clicks on a link with a known homograph 
> in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get 
> the scary warning of doom.

This would require one to have a database with known homographs within
the Unicode charset. It's not trivial to solve since the "does character
x look like character y?" question cannot be sufficiently answered
without knowing what the font looks like that is representing the string
on the user's screen.

> Even when a user does whitelist a character set, they would still 
> hopefully notice the obvious color change in the address bar.

Just to catch up your thoughts: It might be more convenient to define a
locale which contains all characters used in a single language (e.g.
[A-Za-z0-9äöüÄÖÜß] for German, [A-Za-z0-9áÁéÉàÀèÈâÂêÊ] for French) and
pop up a warning whenever DIFF[German, French] characters belonging to
different locales are used in the same string, e.g. http://äà.com

Obviously, this will have its problems where the intention is to mix
charsets up - for example if the marketing monkey says "it's absolutely
necessary to mix up our English web site URI with Chinese Han symbols"
because it looks cooler.

Denis Jedig
syneticon GbR
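
The per-locale check proposed in the message above, combined with its "revert to plain punycode" fallback, as an added example that is not part of the original message. The two character classes are the German and French ones given in the mail; the function names and sample hostnames are assumptions, and Python's built-in `idna` codec (IDNA 2003) performs the punycode conversion.

```python
# Added illustration: per-locale allow-lists with a punycode fallback.
# Character classes are taken from the mail; all names here are hypothetical.
BASE = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-")
LOCALES = {
    "German": set("äöüÄÖÜß"),
    "French": set("áÁéÉàÀèÈâÂêÊ"),
}

def check_label(label):
    """Classify one hostname label as 'ok', 'mixed' or 'unknown'."""
    candidates = set(LOCALES)          # locales that could still explain the label
    for ch in label:
        if ch in BASE:
            continue                   # shared by every locale
        owners = {name for name, extra in LOCALES.items() if ch in extra}
        if not owners:
            return "unknown"           # in no configured locale, e.g. U+0430
        candidates &= owners
        if not candidates:
            return "mixed"             # characters from different locales
    return "ok"

def display_host(host):
    """Return (text for the address bar, per-label verdicts).

    A host whose labels all fit a single locale is shown as typed;
    anything else is shown in its plain punycode (xn--) form.
    """
    verdicts = {label: check_label(label) for label in host.split(".")}
    if all(v == "ok" for v in verdicts.values()):
        return host, verdicts
    return host.encode("idna").decode("ascii"), verdicts

if __name__ == "__main__":
    # Constructed sample hostnames; the third contains CYRILLIC SMALL LETTER A.
    for host in ["müller.de", "äà.com", "eb\u0430y.com"]:
        shown, verdicts = display_host(host)
        print(f"{host!r:16} -> {shown:22} {verdicts}")
```
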


