Re: thoughts and a possible solution on homograph attacks

[Thomas Wana <thomas@xxxxxxx>]

Michael Roitzsch wrote:
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf

Quote from the abovementioned paper:
"I propose to present the user with a dialog showing the text to be validated 
and
an input field, into which the user has to type in the given text again. The 
user
is told, if both texts match precisely and what this means: If the typed text's
internal representation matches the given text bit-by-bit, trust can be 
established.
If it does not match, the user is told to re-check for typing errors and not to
establish trust."

You completely seem to forget to think about user *acceptance*. Noone
will accept such a "solution". If I think of me alone I would hate to
enter the domain name once I click on a link. And obviously this would
have to be done for *every* link the user clicks, or how would you
technically distinguish between a trustable and non-trustable URL. Heck,
that's actually the root of the problem ...

Tom