BugTraq
thoughts and a possible solution on homograph attacks Mar 07 2005 05:25PM
Michael Roitzsch (amalthea freenet de) (6 replies)
Re: thoughts and a possible solution on homograph attacks Mar 07 2005 08:15PM
Kevin Day (toasty dragondata com) (2 replies)

On Mar 7, 2005, at 11:25 AM, Michael Roitzsch wrote:

> Hi security community,
>
> this is my first publication I post on Bugtraq, so please be patient
> with me.
>
> Since the recent problems with IDN, I wanted to clear up my thoughts on
> homograph attacks, so I sorted everything in an article which also
> contains what I believe to be an easy and general solution.
>
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf
>
> Unfortunately, my free time is currently limited, so I may not be able
> to participate too much in any discussions on the subject. My apologies
> for that. But I will definitely read any feedback I receive.
>
> Michael Roitzsch
>

That's an interesting idea, but it sounds kinda complicated and
burdensome on the user. It would be a hard sell to make that the default
behavior in any browser if users aren't accustomed to dealing with it.
It's incredibly difficult to convince a user that adding more work for
them is somehow an improvement on things.

What would (to me) make more sense is if the browser made it more clear
that a homograph was being used.

In the address bar, any character that's not from the user's language
character set (or family of languages possibly) would appear as a
different color. Maybe make the foreign characters red, or the
background color around each foreign character blue or something.

It still would require a bit of user education, but maybe the first
time it happened the browser can pop up with "The address of the site
you are going to contains characters from another language. If you
clicked on a link to a site you expected to be in [User's default
language], you might be going to a fraudulent site. The questionable
characters are highlighted in blue in the address bar above. [x] Do not
show this again for Cyrillic language letters"

Users using an English browser could view URLs with known "acceptable"
characters in other languages like é, ø and other obvious differences
with no problem, but if a user clicks on a link with a known homograph
in another character set (like #0430 - CYRILLIC SMALL LETTER A) they
get the scary warning of doom.

Novice users may not understand the problem, but the fact that the
browser popped up with something would be a good indication that
something is wrong. Expert users or those who frequently deal with
sites in other languages could whitelist character sets that they use.

Even when a user does whitelist a character set, they would still
hopefully notice the obvious color change in the address bar.

-- Kevin
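
The following is an added example, not part of Kevin Day's message or of any browser's code: a sketch of the per-character check the reply describes, marking every hostname character outside the user's scripts and listing the scripts that would trigger the first-time warning unless whitelisted. The names annotateHost, scriptOf and render, the script table and the sample hostnames are constructed for illustration; the hostname is assumed to be already decoded from Punycode to Unicode.

```javascript
// Added example; function names and sample hosts are constructed.
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew',
                 'Arabic', 'Han', 'Hiragana', 'Katakana'];
const SCRIPT_RE = Object.fromEntries(
  SCRIPTS.map(s => [s, new RegExp(`\\p{Script=${s}}`, 'u')]));
const NEUTRAL_RE = /[\p{Script=Common}\p{Script=Inherited}]/u;

// Unicode script of one code point. Digits, '-' and '.' are Common.
function scriptOf(ch) {
  if (NEUTRAL_RE.test(ch)) return 'Common';
  for (const s of SCRIPTS) if (SCRIPT_RE[s].test(ch)) return s;
  return 'Unknown'; // not in the table: treated as foreign (fail closed)
}

// userScripts: scripts of the user's own language(s).
// whitelist: scripts for which the user ticked "do not show this again".
function annotateHost(host, userScripts, whitelist = new Set()) {
  const chars = [];
  const warn = new Set();
  for (const ch of host.normalize('NFC')) { // iterates by code point
    const script = scriptOf(ch);
    // Highlighting ignores the whitelist: the colour change stays visible.
    const highlight = script !== 'Common' && !userScripts.has(script);
    if (highlight && !whitelist.has(script)) warn.add(script);
    chars.push({ ch, script, highlight });
  }
  return { chars, warnScripts: [...warn] };
}

// Text stand-in for the colour change: highlighted characters are shown
// as their code point so the substitution is visible in a log or terminal.
function render(result) {
  return result.chars.map(c => c.highlight
    ? '[U+' + c.ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0') + ']'
    : c.ch).join('');
}

const english = new Set(['Latin']);
console.log(render(annotateHost('ex\u0430mple.com', english)));  // Cyrillic a
console.log(render(annotateHost('caf\u00e9.example', english))); // Latin e-acute
```

Accented Latin letters such as é pass without a warning because they belong to the user's script, while a whitelisted script suppresses only the warning and keeps the highlight.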
