[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <422D8E14.4060505@syneticon.de>
Date: Tue, 08 Mar 2005 12:35:48 +0100
From: Denis Jedig <seclists@...eticon.de>
To: "bugtraq-securityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: thoughts and a possible solution on homograph attacks
Kevin Day wrote:
> character set(or family of languages possibly) would appear as a
> different color. Maybe make the foreign characters red, or the
> background color around each foreign character blue or something.
This actually will have to be understood by the user. While the idea to
make all characters in the unicode character set *look* different is
fine, you again will end up with the acceptance problem (wow, look at
the fancy red "a" in ebay.com, I like colours in my address bar). By the
way, using the "revert to plain punycode in address bar" approach, you'd
achieve very much the same goal but have a better user acceptance - a
weird looking URI looks much more scary than a coloured URI.
> Users using an english browser could view URLs with known "acceptable"
> characters in other languages like é, ø and other obvious differences
> with no problem, but if a user clicks on a link with a known homograph
> in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get
> the scary warning of doom.
This would require one to have a database with known homographs within
the unicode charset. It's not trivial to solve since the "does character
x look like character y?" question cannot be sufficiently answered
without knowing what the font looks like that is representing the string
on users screen.
> Even when a user does whitelist a character set, they would still
> hopefully notice the obvious color change in the address bar.
Just to catch up your thoughts: It might be more convinient to define a
locale which contains all characters used in a single language (e.g.
[A-Za-z0-9äöüÄÖÜß] for German, [A-Za-z0-9áÁéÉàÀèÈâÂêÊ] for French) and
pop up a warning whenever DIFF[German, French] characters belonging to
different locales are used in the same string, e.g http://äà.com
Obviously, this will have its problems where the intention is to mix
charsets up - for example if the marketing monkey says "it's absolutely
necessary to mix up our english web site URI with chinese han symbols"
because it looks cooler.
Denis Jedig
syneticon GbR
Powered by blists - more mailing lists