[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200503081321.46638.amalthea@freenet.de>
Date: Tue, 8 Mar 2005 13:21:44 +0100
From: Michael Roitzsch <amalthea@...enet.de>
To: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@....nsk.su>
Cc: Kevin Day <toasty@...gondata.com>, bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks
Hi,
since a lot of people have raised doubt on the usability problems of my
solution: I am perfectly aware of them. I just don't think it is too hard to
type a domain name the first time you visit an SSL encrypted site. Some
end-user phishing checklists even advise you to type the domain you want to
visit. My solution would just enforce that.
Bet let's see if we cannot combine several solutions:
> > What would (to me) make more sense is if the browser made it more clear
> > that a homograph was being used.
> >
> > In the address bar, any character that's not from the user's language
> > character set(or family of languages possibly) would appear as a
> > different color. Maybe make the foreign characters red, or the
> > background color around each foreign character blue or something.
>
> You have come to the same idea as I did :-) (hope my post to
> Bugtraq will pass the moderation), just with a different flavor. That's a
> good sign for me, and this kind of solution seems to be not-so-hard to
> implement.
I like the solution, too. It clearly improves the current situation.
However, it has another usability problem: It won't work for the colourblind
or those using black and white only because they need high contrast. Some
users might not even have an address bar in their browser, maybe because they
got distracted by all the weird characters and disabled it.
I also see the problem that users don't look at the address bar and actually
read the address careful enough. I usually don't. A quick look at the padlock
icon is already asked too much for some users.
So why not combine all the solutions: The browser maintains a whitelist of
trusted domains. Whenever a domain is visited which offers SSL, but is not in
the whitelist, the browser will notify the user somehow (either by a dialog
or in a non-modal way, maybe a flashing padlock icon). The user can choose to
ignore the notification or follow up on it. The user is then presented with
the possibility to whitelist the domain with his choice of visually verifying
the domain name (with coloured characters) or typing it in to be safe. The
dialog's text can explain this.
Michael
--
LOAD "WIN95",8,1
RUN
Powered by blists - more mailing lists