lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Tue, 8 Mar 2005 09:16:51 +1100
From: Michael Silk <michaelslists@...il.com>
To: Michael Roitzsch <amalthea@...enet.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks


Michael,

 I don't think this solution is appropriate at all. (For those that
didn't read the PDF, the idea is to have the user _type in_ the domain
name of a url they clicked on).

 Clearly, this won't work at all from a users point of view. It would
be far too annoying. Your saving scenario is also not very
appropriate, because consider if a malicious user on that persons
computer saves 'bank1.com' to map to 'hackerbank1.com'. The problems
become obvious.

 As for a solution to the problem, perhaps browsers can just notify
the user when a domain they clicked contains unicode characters, and
display the URL in some special fashion. (I can't think of anything
that would be appropriate, however :)

-- Michael (Silk)


On Mon, 7 Mar 2005 18:25:31 +0100, Michael Roitzsch <amalthea@...enet.de> wrote:
> Hi security community,
> 
> this is my first publication I post on Bugtraq, so please be patient with me.
> 
> Since the recent problems with IDN, I wanted to clear up my thoughts on
> homograph attacks, so I sorted everything in an article which also contains
> what I believe to be an easy and general solution.
> 
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf
> 
> Unfortunately, my free time is currently limited, so I may not be able to
> participate too much in any discussions on the subject. My appologies for
> that. But I will definitely read any feedback I receive.
> 
> Michael Roitzsch
> 


-- 
Please adjust the reply-to address.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ