Message-ID: <422CB17F.5070601@wana.at>
Date: Mon, 07 Mar 2005 20:54:39 +0100
From: Thomas Wana <thomas@...a.at>
To: Michael Roitzsch <amalthea@...enet.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks


Michael Roitzsch wrote:
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf

Quote from the above-mentioned paper:
"I propose to present the user with a dialog showing the text to be validated and
an input field, into which the user has to type in the given text again. The user
is told, if both texts match precisely and what this means: If the typed text's
internal representation matches the given text bit-by-bit, trust can be established.
If it does not match, the user is told to re-check for typing errors and not to
establish trust."

You seem to have completely forgotten to think about user *acceptance*. No one
will accept such a "solution". If I think of myself alone, I would hate to
enter the domain name once I click on a link. And obviously this would
have to be done for *every* link the user clicks, or how would you
technically distinguish between a trustable and a non-trustable URL? Heck,
that's actually the root of the problem ...

Tom
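The re-entry check quoted from the paper above, worked through on a constructed homograph. This is an added example, not code from the paper or from anyone in this thread. The sample hostnames (a "paypal.com" spelt with U+0430 CYRILLIC SMALL LETTER A, and a composed/decomposed "café.example") are constructed for illustration, and the helper names are this example's own. It goes slightly beyond the quoted proposal in two ways: it shows the IDNA (Punycode) form that actually reaches DNS, so the reader can see that the two look-alike names are different names on the wire, and it adds an optional NFC normalization, because a literal bit-by-bit comparison also rejects the same character typed in composed versus decomposed form.

```python
# Added example (not code from the paper or from this thread): the re-entry
# check quoted above, applied to a constructed homograph. All sample strings
# and the helper names below are this example's own assumptions.
import unicodedata


def retype_matches(shown_text: str, typed_text: str, normalize: bool = False) -> bool:
    """The paper's rule: trust only if the typed text's internal representation
    matches the shown text bit-for-bit.

    normalize=False is the strict comparison the paper describes.
    normalize=True first puts both strings into NFC, so a composed and a
    decomposed spelling of the same character (which different keyboards or
    input methods may produce) is not reported as a mismatch. A confusable
    from another script is still a different code point and is still rejected.
    """
    if normalize:
        shown_text = unicodedata.normalize("NFC", shown_text)
        typed_text = unicodedata.normalize("NFC", typed_text)
    return shown_text.encode("utf-8") == typed_text.encode("utf-8")


def explain_mismatch(shown_text: str, typed_text: str) -> list[tuple[int, str, str]]:
    """List the positions where the two strings differ, naming each code point,
    so the user can see *why* re-typing failed (e.g. Cyrillic vs Latin 'a')."""
    diffs = []
    for i, (s, t) in enumerate(zip(shown_text, typed_text)):
        if s != t:
            diffs.append((i, unicodedata.name(s, "?"), unicodedata.name(t, "?")))
    if len(shown_text) != len(typed_text):
        pos = min(len(shown_text), len(typed_text))
        diffs.append((pos, "<length differs>", "<length differs>"))
    return diffs


def wire_form(host: str) -> str:
    """The form that goes into DNS: the IDNA/Punycode encoding, via the
    standard-library 'idna' codec. Two names that look alike on screen but
    encode differently here are different names."""
    return host.encode("idna").decode("ascii")


# Constructed samples (not real sites in this thread) ------------------------
SPOOFED = "p\u0430ypal.com"        # second char is U+0430 CYRILLIC SMALL LETTER A
GENUINE = "paypal.com"             # all Latin letters
TYPED = "paypal.com"               # what an ASCII keyboard produces

COMPOSED = "caf\u00e9.example"     # U+00E9 LATIN SMALL LETTER E WITH ACUTE
DECOMPOSED = "cafe\u0301.example"  # 'e' followed by U+0301 COMBINING ACUTE ACCENT

if __name__ == "__main__":
    for shown in (GENUINE, SPOOFED):
        ok = retype_matches(shown, TYPED)
        print(f"shown={shown!r:20} wire={wire_form(shown):20} match={ok}")
        if not ok:
            for pos, s_name, t_name in explain_mismatch(shown, TYPED):
                print(f"  position {pos}: shown {s_name}, typed {t_name}")
    print("composed vs decomposed, strict:", retype_matches(COMPOSED, DECOMPOSED))
    print("composed vs decomposed, NFC   :", retype_matches(COMPOSED, DECOMPOSED, normalize=True))
```

Running it shows the genuine name passing, the spoofed name failing at position 1 with the two code point names spelled out, and the spoofed name's wire form as `xn--pypal-4ve.com`, which is what the browser would actually resolve. The NFC lines illustrate the caveat: a strict byte comparison rejects a legitimately typed decomposed "é", so a deployment of the paper's rule has to decide how to treat canonical equivalents without reopening the mixed-script case.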

