Message-ID: <200503152109.j2FL9V9i027868@turing-police.cc.vt.edu>
Date: Tue, 15 Mar 2005 16:09:31 -0500
From: Valdis.Kletnieks@...edu
To: Riccardo Murri <murri@...m.uniroma1.it>
Cc: bugtraq@...urityfocus.com, Paul Smith <paullocal@...s.co.uk>
Subject: Re: Thoughts and a possible solution on homograph attacks

On Tue, 15 Mar 2005 12:27:09 +0100, Riccardo Murri said:
> I would rather suggest that the string comparison function used in IDN
> takes "homograph characters"[1] into account: just like the current DNS
> considers 'a' == 'A', the IDN DNS should consider "LATIN SMALL LETTER
> a" == "CYRILLIC SMALL LETTER a" == "CYRILLIC CAPITAL LETTER A" ==
> "GREEK CAPITAL LETTER A"[2], and similarly for the other homograph chars.

The problem here is that defining what characters are "similar" enough to be
homographs is a very fuzzy concept. Glyphs that may look similar on a 1600x1200
display on my laptop may not look similar when the *same exact* 1600x1200 is
being displayed on the 21" monitor hanging off my docking station. Also, the
point size in use may matter - that macron that's easily visible at 15pt may be
invisible at 11pt. Bitmap and outline fonts will have different behaviors
in this regard, and anti-aliasing adds another twist to the equations....

And even if you program all *that* sort of knowledge in, there's no way in the
near future that the software will know if I'm wearing my contacts or if I'm
wearing my glasses, and if I'm wearing contacts, if I happen to have my reading
glasses handy.....
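The comparison proposed in the quoted text, and the boundary problem raised in the reply, as an added Python example that is not part of the original post or of any IDN implementation. `HOMOGRAPHS` is a small constructed table, and `fold`, `homograph_equal` and `scripts` are hypothetical names chosen for this sketch.

```python
import unicodedata

# Constructed, deliberately tiny homograph table (an assumption of this
# example): each look-alike maps to one Latin representative.
HOMOGRAPHS = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0410": "a",  # CYRILLIC CAPITAL LETTER A
    "\u0391": "a",  # GREEK CAPITAL LETTER ALPHA
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
}

def fold(label):
    """Fold case and listed homographs, the way DNS folds 'a' == 'A'."""
    out = []
    for ch in unicodedata.normalize("NFC", label):
        lowered = ch.casefold()
        # Look up the raw character first: GREEK CAPITAL ALPHA is listed,
        # but its lowercase form does not resemble Latin 'a'.
        out.append(HOMOGRAPHS.get(ch) or HOMOGRAPHS.get(lowered, lowered))
    return "".join(out)

def homograph_equal(a, b):
    """True when two labels are identical after homograph folding."""
    return fold(a) == fold(b)

def scripts(label):
    """Heuristic: script of each letter, read from its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

if __name__ == "__main__":
    genuine = "example"
    lookalike = "ex\u0430mple"   # constructed label with a Cyrillic 'a'
    print(homograph_equal(genuine, lookalike))   # folded forms match
    print(sorted(scripts(lookalike)))            # mixed scripts are visible
    # The fuzzy edge from the reply: 'a' with a macron is not in the table,
    # so the labels compare unequal however the glyph happens to render.
    print(homograph_equal("a", "\u0101"))
```

Whether the macron case should compare equal is a policy choice encoded in the table, not something the comparison function can decide from rendering conditions.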