lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <aecddf848fa942b459861001e883ce8e@dragondata.com> Date: Mon, 7 Mar 2005 14:15:00 -0600 From: Kevin Day <toasty@...gondata.com> To: Michael Roitzsch <amalthea@...enet.de> Cc: bugtraq@...urityfocus.com Subject: Re: thoughts and a possible solution on homograph attacks On Mar 7, 2005, at 11:25 AM, Michael Roitzsch wrote: > Hi security community, > > this is my first publication I post on Bugtraq, so please be patient > with me. > > Since the recent problems with IDN, I wanted to clear up my thoughts on > homograph attacks, so I sorted everything in an article which also > contains > what I believe to be an easy and general solution. > > You can find it here: > http://www.amalthea.de/publications/homograph.pdf > > Unfortunately, my free time is currently limited, so I may not be able > to > participate too much in any discussions on the subject. My appologies > for > that. But I will definitely read any feedback I receive. > > Michael Roitzsch > That's an interesting idea, but it sounds kinda complicated and burdensome on the user. It would be hard sell to make that the default behavior in any browser if users aren't accustomed to dealing with it. It's incredibly difficult to convince a user that adding more work to them is somehow an improvement on things. What would (to me) make more sense is if the browser made it more clear that a homograph was being used. In the address bar, any character that's not from the user's language character set(or family of languages possibly) would appear as a different color. Maybe make the foreign characters red, or the background color around each foreign character blue or something. It still would require a bit of user education, but maybe the first time it happened the browser can pop up with "The address of the site you are going to contains characters from another language. If you clicked on a link to a site you expected to be in [User's default language], you might be going to a fraudulent site. The questionable characters are highlighted in blue in the address bar above. [x] Do not show this again for Cyrillic language letters" Users using an english browser could view URLs with known "acceptable" characters in other languages like é, ø and other obvious differences with no problem, but if a user clicks on a link with a known homograph in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get the scary warning of doom. Novice users may not understand the problem, but the fact that the browser popped up with something would be a good indication that something is wrong. Expert users or those who frequently deal with sites in other languages could whitelist character sets that they use. Even when a user does whitelist a character set, they would still hopefully notice the obvious color change in the address bar. -- Kevin
Powered by blists - more mailing lists