lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050308185036.GA11046@werner>
Date: Tue, 8 Mar 2005 19:50:36 +0100
From: Sven Putteneers <svennieboy@...ux.be>
To: bugtraq@...urityfocus.com
Subject: Re: houghts and a possible solution on homograph attacks

On Mon,  7 Mar 2005 at 15:05:51 -0500, Scovetta, Michael V(Michael.Scovetta@...com) wrote:
> 
> <plug>
> I've released a "fix" for the IDN vulnerability
> (www.scovettalabs.com/advisory/SCL-2005.002.txt) that basically prevents
> you from going to *any* domain that has a non-[\-A-Z0-9] character in
> it. For me, it's fine, since I'll likely never need to go to an IDN
> domain.
> </plug>

If this patch would be widely used, we'd lose the all the advantages
associated with IDN.
Maybe it's better to attack this problem on the browser side and have a
configuration switch to enable or disable IDN. We could disable it as a
"reasonable default", but those who need it, could enable it.
Upon enabling the option, a warning dialog could pop up that warns the
user about the security problems associated with IDN ("don't enable this
unless you know what you're doing" stuff).

That way the majority of the users would be safe from IDN attacks
(phishing comes to mind) and those who really want IDN would have to
click through a warning dialog telling them why enabling it may not be
such a good idea.

Just my €0.02,
Sven


-- 
Encrypted mail preferred. As of Jan 27th 2005, all outgoing mail is signed.
GPG keyID: 0x66A13305
GPG key fingerprint: 5B8C 97A2 20C4 E578 CDEB  71C9 23CA 0681 66A1 3305
GPG key URL: http://werner.sytes.net/~svenniboy/gpg_pubkey.asc

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ