<<< Date Index >>>     <<< Thread Index >>>

Re: thoughts and a possible solution on homograph attacks




On Mar 7, 2005, at 11:25 AM, Michael Roitzsch wrote:

Hi security community,

this is my first publication I post on Bugtraq, so please be patient with me.

Since the recent problems with IDN, I wanted to clear up my thoughts on
homograph attacks, so I sorted everything in an article which also contains
what I believe to be an easy and general solution.

You can find it here:
http://www.amalthea.de/publications/homograph.pdf

Unfortunately, my free time is currently limited, so I may not be able to participate too much in any discussions on the subject. My appologies for
that. But I will definitely read any feedback I receive.

Michael Roitzsch


That's an interesting idea, but it sounds kinda complicated and burdensome on the user. It would be hard sell to make that the default behavior in any browser if users aren't accustomed to dealing with it. It's incredibly difficult to convince a user that adding more work to them is somehow an improvement on things.


What would (to me) make more sense is if the browser made it more clear that a homograph was being used.

In the address bar, any character that's not from the user's language character set(or family of languages possibly) would appear as a different color. Maybe make the foreign characters red, or the background color around each foreign character blue or something.

It still would require a bit of user education, but maybe the first time it happened the browser can pop up with "The address of the site you are going to contains characters from another language. If you clicked on a link to a site you expected to be in [User's default language], you might be going to a fraudulent site. The questionable characters are highlighted in blue in the address bar above. [x] Do not show this again for Cyrillic language letters"

Users using an english browser could view URLs with known "acceptable" characters in other languages like é, ø and other obvious differences with no problem, but if a user clicks on a link with a known homograph in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get the scary warning of doom.

Novice users may not understand the problem, but the fact that the browser popped up with something would be a good indication that something is wrong. Expert users or those who frequently deal with sites in other languages could whitelist character sets that they use.

Even when a user does whitelist a character set, they would still hopefully notice the obvious color change in the address bar.


-- Kevin