Re: thoughts and a possible solution on homograph attacks
On Mon, 7 Mar 2005, Michael Roitzsch wrote:
> Hi security community,
>
> this is my first publication I post on Bugtraq, so please be patient with me.
>
> Since the recent problems with IDN, I wanted to clear up my thoughts on
> homograph attacks, so I sorted everything in an article which also contains
> what I believe to be an easy and general solution.
Quote from your .pdf:
> I propose to present the user with a dialog showing the text to be
> validated and an input field, into which the user has to type in the given
> text again. The user is told, if both texts match precisely and what this
> means: If the typed text's internal representation matches the given text
> bit-by-bit, trust can be established. If it does not match, the user is
> told to re-check for typing errors and not to establish trust.
What you propose is the same as entering the password for each
site you visit. Yes, this IS a solution, but it is TOO DISTURBING for
users. Web surfers usually do hundreds (or thousands?) of clicks per day,
and at least dozens of them are cross-site. And forcing them to type
the domain's name each time is just not the way to go.
Domain names AREN'T passwords, they exist to be memorable.
Remember: users are lazy, and >90% of home installs of Windows have
autologin enabled -- no usernames, no passwords. If the users are SO
lazy, they would definitely object to entering long domain names with
their fingers.
However, there CAN be a solution for a tiny real-world subset of the
"homograph attacks" problem -- the web browser's interface. My idea
is the following:
Domain names are usually written as text strings of "default
interface colors". But the browser can highlight non-ASCII
glyphs by some different background, so that even a
security-unconscious user would pay attention.
For example, if regular "URL text" colors are black-on-white, the
browser can highlight Greek letters (U+0380-U+03FF) with a light-blue
background, Cyrillic (U+0400-U+04FF) -- with red, and all other non-ASCII
(or non-ISO8859-1) characters -- with yellow.
Such a three-color highlight seems to be enough, since most
looking-identical-to-Latin glyphs are in the Greek and Cyrillic alphabets, and
the "catch-all" yellow will satisfy all other cases.
P.S. My native language is Russian, so the alphabet is Cyrillic. Since
Cyrillic has ~30% of letters looking identical to Latin (but often
pronounced differently), and having different Unicode positions, it
was obvious years ago that IDN was very poorly thought out. It is a big
mistake from both security and marketing points of view.
And this problem of homograph attacks in a general form can have no
solution at all, just because of this problem's nature. There are
cases in real life when a Russian-speaking (to be correct, a
Cyrillic-based-language-speaking) person can't determine which
language some word is spelled in. For example, ask some
Russian-speaker how he or she would read "nona" (that's a real name
of a hotel in Bulgaria, which causes constant fun for Russian
tourists).
Just my two cents...
_________________________________________
Dmitry Yu. Bolkhovityanov
The Budker Institute of Nuclear Physics
Novosibirsk, Russia
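The highlighting scheme described in the reply above, written out as an added example (it is not code from the post, nor from any browser): each code point of a hostname is classified into the three colour classes Dmitry proposes (Greek U+0380-U+03FF light blue, Cyrillic U+0400-U+04FF red, any other non-ASCII yellow, with an option to treat ISO-8859-1 as plain), adjacent characters of the same class are merged into runs, and the runs are rendered as HTML spans. The `mixedScriptLabels` check goes beyond the post: it flags a DNS label that mixes plain characters with non-ASCII ones, which is the shape of the substitution the reply is worried about. The hostnames in the sample are constructed for the example; the function and colour names are this example's own.

```javascript
// Added example: script-based highlighting of hostname characters.
// Colour classes follow the reply: Greek -> light blue, Cyrillic -> red,
// any other non-ASCII -> yellow; plain characters keep the default colours.
const HIGHLIGHT = {
  plain: null,
  greek: 'lightblue',   // U+0380..U+03FF, range as given in the post
  cyrillic: 'red',      // U+0400..U+04FF, range as given in the post
  other: 'yellow',      // every other non-ASCII (or non-ISO-8859-1) code point
};

// Classify one code point. With latin1IsPlain=true, U+0080..U+00FF is treated
// as plain, matching the "or non-ISO8859-1" variant in the post.
function classifyCodePoint(cp, latin1IsPlain = false) {
  if (cp < 0x80) return 'plain';
  if (latin1IsPlain && cp <= 0xff) return 'plain';
  if (cp >= 0x0380 && cp <= 0x03ff) return 'greek';
  if (cp >= 0x0400 && cp <= 0x04ff) return 'cyrillic';
  return 'other';
}

// Split a hostname into runs of same-class characters:
// [{ text, cls, color }], iterating by code point (for...of), not UTF-16 unit.
function highlightRuns(hostname, latin1IsPlain = false) {
  const runs = [];
  for (const ch of hostname) {
    const cls = classifyCodePoint(ch.codePointAt(0), latin1IsPlain);
    const last = runs[runs.length - 1];
    if (last && last.cls === cls) {
      last.text += ch;
    } else {
      runs.push({ text: ch, cls, color: HIGHLIGHT[cls] });
    }
  }
  return runs;
}

// Escape text before placing it inside HTML, so the URL bar rendering itself
// cannot be used to inject markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the runs as HTML: highlighted runs get a background span,
// plain runs are emitted as-is (escaped).
function renderHighlighted(hostname, latin1IsPlain = false) {
  return highlightRuns(hostname, latin1IsPlain)
    .map((r) => (r.color
      ? `<span style="background:${r.color}">${escapeHtml(r.text)}</span>`
      : escapeHtml(r.text)))
    .join('');
}

// Beyond the post: return the DNS labels that mix more than one class.
// A label written entirely in one script (e.g. an all-Cyrillic name) is not
// reported here; it is still fully highlighted by the functions above.
function mixedScriptLabels(hostname, latin1IsPlain = false) {
  return hostname.split('.').filter((label) => {
    const classes = new Set(
      [...label].map((ch) => classifyCodePoint(ch.codePointAt(0), latin1IsPlain)),
    );
    return classes.size > 1;
  });
}

// Constructed sample hostnames (not from the post): the second one carries a
// Cyrillic small a (U+0430) in place of the Latin a.
const SAMPLES = ['example.com', 'p\u0430ypal.com', '\u03b1lpha.example', 'caf\u00e9.example'];

function demo() {
  return SAMPLES.map((h) => ({
    host: h,
    html: renderHighlighted(h),
    mixed: mixedScriptLabels(h),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const row of demo()) console.log(row);
}
```

The rendering is deliberately per-character rather than per-label, so a single substituted glyph stands out against the surrounding plain text instead of recolouring the whole name; the mixed-script filter is a cheap additional signal that does not need the user to notice the colour at all.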