lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200503081321.46638.amalthea@freenet.de>
Date: Tue, 8 Mar 2005 13:21:44 +0100
From: Michael Roitzsch <amalthea@...enet.de>
To: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@....nsk.su>
Cc: Kevin Day <toasty@...gondata.com>, bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks


Hi,

since a lot of people have raised doubt on the usability problems of my 
solution: I am perfectly aware of them. I just don't think it is too hard to 
type a domain name the first time you visit an SSL encrypted site. Some 
end-user phishing checklists even advise you to type the domain you want to 
visit. My solution would just enforce that.

Bet let's see if we cannot combine several solutions:

> > What would (to me) make more sense is if the browser made it more clear
> > that a homograph was being used.
> >
> > In the address bar, any character that's not from the user's language
> > character set(or family of languages possibly) would appear as a
> > different color. Maybe make the foreign characters red, or the
> > background color around each foreign character blue or something.
>
> 	You have come to the same idea as I did :-) (hope my post to
> Bugtraq will pass the moderation), just with a different flavor.  That's a
> good sign for me, and this kind of solution seems to be not-so-hard to
> implement.

I like the solution, too. It clearly improves the current situation.

However, it has another usability problem: It won't work for the colourblind 
or those using black and white only because they need high contrast. Some 
users might not even have an address bar in their browser, maybe because they 
got distracted by all the weird characters and disabled it.

I also see the problem that users don't look at the address bar and actually 
read the address careful enough. I usually don't. A quick look at the padlock 
icon is already asked too much for some users.

So why not combine all the solutions: The browser maintains a whitelist of 
trusted domains. Whenever a domain is visited which offers SSL, but is not in 
the whitelist, the browser will notify the user somehow (either by a dialog 
or in a non-modal way, maybe a flashing padlock icon). The user can choose to 
ignore the notification or follow up on it. The user is then presented with 
the possibility to whitelist the domain with his choice of visually verifying 
the domain name (with coloured characters) or typing it in to be safe. The 
dialog's text can explain this.

Michael

-- 
LOAD "WIN95",8,1
RUN


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ