[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <422CB17F.5070601@wana.at>
Date: Mon, 07 Mar 2005 20:54:39 +0100
From: Thomas Wana <thomas@...a.at>
To: Michael Roitzsch <amalthea@...enet.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks
Michael Roitzsch wrote:
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf
Quote from the abovementioned paper:
"I propose to present the user with a dialog showing the text to be validated and
an input field, into which the user has to type in the given text again. The user
is told, if both texts match precisely and what this means: If the typed text's
internal representation matches the given text bit-by-bit, trust can be established.
If it does not match, the user is told to re-check for typing errors and not to
establish trust."
You completely seem to forget to think about user *acceptance*. Noone
will accept such a "solution". If I think of me alone I would hate to
enter the domain name once I click on a link. And obviously this would
have to be done for *every* link the user clicks, or how would you
technically distinguish between a trustable and non-trustable URL. Heck,
that's actually the root of the problem ...
Tom
Powered by blists - more mailing lists