[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.61.0503071145560.23144@high-mountain.nihongo.org>
Date: Mon, 7 Mar 2005 11:52:18 -0800 (PST)
From: Benjamin Franz <snowhare@...ongo.org>
To: Michael Roitzsch <amalthea@...enet.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks
On Mon, 7 Mar 2005, Michael Roitzsch wrote:
> Hi security community,
>
> this is my first publication I post on Bugtraq, so please be patient with me.
>
> Since the recent problems with IDN, I wanted to clear up my thoughts on
> homograph attacks, so I sorted everything in an article which also contains
> what I believe to be an easy and general solution.
>
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf
>
> Unfortunately, my free time is currently limited, so I may not be able to
> participate too much in any discussions on the subject. My appologies for
> that. But I will definitely read any feedback I receive.
You are far too fast to dismiss the usability criticism. People _WON'T_
participate in a system requiring them to retype the domain name to
establish an SSL connection. Additionally, it would fail in the case
where a user's locale was (for example) Greek while the site they were
connecting to was American. They would type what they perceived to be the
domain - and it wouldn't work. A "reverse homograph" failure.
It is a technically nice but completely unusable solution.
--
Jerry
"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt
Powered by blists - more mailing lists