lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Sun, 20 Mar 2005 15:07:27 +0000
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: Thoughts and a possible solution on homograph attacks


Homograph attacks might be a closed subject but nobody has mentioned this, so
maybe I should. Surely it is possible for a web browser to apply some similar
character mapping rules and react only if it finds something.

Thus if the IDN looks like www.ebay.com on the screen the web browser will
notice www.ebay.com exists, pop up a warning and deny access if you just click
OK. An option safe from those who just click OK without reading anything could
allow access to those websites. 

The best fix would be to stop the registry's granting homograph names to random
people and revoking he existing ones with immediately effect but I do think
this is within the power of bugtraq.


Websites could also help by using cookies valid only for one web request, with
the next working value computable only if you know a secret. Knowing this
secret should require knowing the password, which should never tbe sent
anywhere. This should make it harder to steal cookies and much more difficult
do so without being detected.

If I can implement the above on IE, mozilla and opera using indentical java and
javascript then surely banks can too. There are nasty side effects involving
the back button but these are toleratble and probably fixable. My solution was
only designed to be better than a single fixed value and there are stronger
protocols (for example SRP-6).




--j2JHE1bF010628.1111252443/mail.simpson.demon.co.uk
Content-Type: text/plain

Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ