BugTraq
thoughts and a possible solution on homograph attacks  Mar 07 2005 05:25PM  Michael Roitzsch (amalthea freenet de) (6 replies)
Re: thoughts and a possible solution on homograph attacks  Mar 08 2005 05:00AM  Dmitry Yu. Bolkhovityanov (D Yu Bolkhovityanov inp nsk su)
Re: thoughts and a possible solution on homograph attacks  Mar 07 2005 10:16PM  Michael Silk (michaelslists gmail com)
Re: thoughts and a possible solution on homograph attacks  Mar 07 2005 08:58PM  James Youngman (james+yahoo excession spiral-arm org)
Re: thoughts and a possible solution on homograph attacks  Mar 07 2005 08:15PM  Kevin Day (toasty dragondata com) (2 replies)
Re: thoughts and a possible solution on homograph attacks  Mar 08 2005 06:23AM  Dmitry Yu. Bolkhovityanov (D Yu Bolkhovityanov inp nsk su) (1 replies)
Re: thoughts and a possible solution on homograph attacks  Mar 08 2005 12:21PM  Michael Roitzsch (amalthea freenet de)
Re: thoughts and a possible solution on homograph attacks  Mar 07 2005 07:54PM  Thomas Wana (thomas wana at)
Re: thoughts and a possible solution on homograph attacks  Mar 07 2005 07:52PM  Benjamin Franz (snowhare nihongo org)
> character set (or family of languages possibly) would appear as a
> different color. Maybe make the foreign characters red, or the
> background color around each foreign character blue or something.
This actually will have to be understood by the user. While the idea to
make all characters in the Unicode character set *look* different is
fine, you again will end up with the acceptance problem (wow, look at
the fancy red "a" in ebay.com, I like colours in my address bar). By the
way, using the "revert to plain punycode in address bar" approach, you'd
achieve very much the same goal but have a better user acceptance - a
weird looking URI looks much more scary than a coloured URI.
> Users using an English browser could view URLs with known "acceptable"
> characters in other languages like é, ø and other obvious differences
> with no problem, but if a user clicks on a link with a known homograph
> in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get
> the scary warning of doom.
This would require one to have a database with known homographs within
the Unicode charset. It's not trivial to solve since the "does character
x look like character y?" question cannot be sufficiently answered
without knowing what the font looks like that is representing the string
on the user's screen.
> Even when a user does whitelist a character set, they would still
> hopefully notice the obvious color change in the address bar.
Just to catch up your thoughts: It might be more convenient to define a
locale which contains all characters used in a single language (e.g.
[A-Za-z0-9äöüÄÖÜß] for German, [A-Za-z0-9áÁéÉàÀèÈâÂêÊ] for French) and
pop up a warning whenever DIFF[German, French] characters belonging to
different locales are used in the same string, e.g. http://äà.com
Obviously, this will have its problems where the intention is to mix
charsets up - for example if the marketing monkey says "it's absolutely
necessary to mix up our English web site URI with Chinese han symbols"
because it looks cooler.
Denis Jedig
syneticon GbR
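The per-locale check proposed in the message above, combined with its "revert to plain punycode" fallback, as an added example that is not part of the original post. The two alphabets are the ones given in the message; the hyphen, the function and variable names, and the use of Python's built-in `idna` codec (IDNA 2003) for the fallback are assumptions.

```python
import string
import unicodedata

# Alphabets taken from the post; "-" and all names here are assumptions.
BASE = set(string.ascii_letters + string.digits + "-")
LOCALES = {
    "German": BASE | set("äöüÄÖÜß"),
    "French": BASE | set("áÁéÉàÀèÈâÂêÊ"),
}

def covering_locales(label):
    """Return the locales whose alphabet contains every character of label."""
    return [name for name, chars in LOCALES.items() if set(label) <= chars]

def check_host(host):
    """Return (display_form, warnings) for a Unicode host name."""
    warnings = []
    for label in host.split("."):
        if covering_locales(label):
            continue  # one locale explains the whole label
        known = set().union(*LOCALES.values())
        foreign = sorted(set(label) - known)
        if foreign:
            names = ", ".join(unicodedata.name(c, "UNNAMED") for c in foreign)
            warnings.append(f"{label}: not in any configured locale: {names}")
        else:
            warnings.append(f"{label}: mixes characters from different locales")
    # Fallback from the post: show plain punycode when anything is suspicious.
    display = host.encode("idna").decode("ascii") if warnings else host
    return display, warnings

if __name__ == "__main__":
    # Constructed sample hosts; the third contains U+0430 in place of "a".
    for sample in ("bücher.de", "äà.com", "eb\u0430y.com"):
        print(check_host(sample))
```

A label passes only when a single configured locale explains all of its characters, so no database of look-alike pairs is needed; the cost is that every language a user reads has to be configured.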