<<< Date Index >>>     <<< Thread Index >>>

Re: thoughts and a possible solution on homograph attacks



On Mon, 7 Mar 2005, Michael Roitzsch wrote:

Hi security community,

this is my first publication I post on Bugtraq, so please be patient with me.

Since the recent problems with IDN, I wanted to clear up my thoughts on
homograph attacks, so I sorted everything in an article which also contains
what I believe to be an easy and general solution.

You can find it here:
http://www.amalthea.de/publications/homograph.pdf

Unfortunately, my free time is currently limited, so I may not be able to
participate too much in any discussions on the subject. My appologies for
that. But I will definitely read any feedback I receive.

You are far too fast to dismiss the usability criticism. People _WON'T_ participate in a system requiring them to retype the domain name to establish an SSL connection. Additionally, it would fail in the case where a user's locale was (for example) Greek while the site they were connecting to was American. They would type what they perceived to be the domain - and it wouldn't work. A "reverse homograph" failure.

It is a technically nice but completely unusable solution.

--
Jerry

"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt