Message-ID: <200503152109.j2FL9V9i027868@turing-police.cc.vt.edu>
Date: Tue, 15 Mar 2005 16:09:31 -0500
From: Valdis.Kletnieks@...edu
To: Riccardo Murri <murri@...m.uniroma1.it>
Cc: bugtraq@...urityfocus.com, Paul Smith <paullocal@...s.co.uk>
Subject: Re: Thoughts and a possible solution on homograph attacks

On Tue, 15 Mar 2005 12:27:09 +0100, Riccardo Murri said:

> I would rather suggest that the string comparison function used in IDN
> takes "homograph characters"[1] into account: just like the current DNS
> considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER
> a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" ==
> "GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars.

The problem here is that defining what characters are "similar" enough to be
homographs is a very fuzzy concept.  Glyphs that may look similar on a 1600x1200
display on my laptop may not look similar when the *same exact* 1600x1200 is
being displayed on the 21" monitor hanging off my docking station.  Also, the
point size in use may matter - that macron that's easily visible at 15pt may be
invisible at 11pt.  Bitmap and outline fonts will have different behaviors
in this regard, and anti-aliasing adds another twist to the equations....

And even if you program all *that* sort of knowledge in, there's no way in the
near future that the software will know if I'm wearing my contacts or if I'm
wearing my glasses, and if I'm wearing contacts, if I happen to have my reading
glasses handy.....
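As an added example that is not part of this thread or its authors' code, here is a Python sketch of the comparison the quoted proposal describes: each label is case-folded (as DNS already does for 'a' and 'A'), stripped of combining marks such as a macron, and then folded onto one representative per homograph class before comparing. The class table is a small constructed subset keyed by the Unicode character names the proposal uses, not the full Unicode confusables data; a rough per-character script check is included to show that it alone misses labels built entirely from one look-alike script.

```python
import unicodedata

# Constructed subset of homograph classes, keyed by Unicode character name as
# the quoted proposal spells them; each maps onto a Latin representative.
# ("GREEK CAPITAL LETTER ALPHA" is the real name of the letter the proposal
# calls "GREEK CAPITAL LETTER A".)  Not the full Unicode confusables table.
HOMOGRAPH_CLASSES = {
    "a": ["CYRILLIC SMALL LETTER A", "CYRILLIC CAPITAL LETTER A",
          "GREEK CAPITAL LETTER ALPHA"],
    "c": ["CYRILLIC SMALL LETTER ES"],
    "e": ["CYRILLIC SMALL LETTER IE"],
    "o": ["CYRILLIC SMALL LETTER O", "GREEK SMALL LETTER OMICRON"],
    "p": ["CYRILLIC SMALL LETTER ER"],
    "x": ["CYRILLIC SMALL LETTER HA"],
    "y": ["CYRILLIC SMALL LETTER U"],
}

# Case-folded lookup: the input is case-folded first, so capital and small
# forms of the same class collapse onto one key here.
FOLD = {unicodedata.lookup(name).casefold(): latin
        for latin, names in HOMOGRAPH_CLASSES.items() for name in names}


def skeleton(label: str) -> str:
    """Fold a label so that listed homographs compare equal."""
    out = []
    for ch in unicodedata.normalize("NFD", label.casefold()):
        if unicodedata.combining(ch):
            continue  # drop diacritics, e.g. the macron the reply mentions
        out.append(FOLD.get(ch, ch))
    return "".join(out)


def confusable(label_a: str, label_b: str) -> bool:
    """The proposal's comparison: equal once homographs are folded."""
    return skeleton(label_a) == skeleton(label_b)


def scripts_of(label: str) -> set:
    """Rough script set taken from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script(label: str) -> bool:
    """True when letters from more than one script are mixed in one label."""
    return len(scripts_of(label)) > 1
```

A label spelled entirely in Cyrillic look-alikes passes the mixed-script check yet still folds to the same skeleton as its Latin twin, which is why the comparison step matters.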

