Re: thoughts and a possible solution on homograph attacks
On Mon, 7 Mar 2005, Kevin Day wrote:
> What would (to me) make more sense is if the browser made it more clear
> that a homograph was being used.
>
> In the address bar, any character that's not from the user's language
> character set(or family of languages possibly) would appear as a
> different color. Maybe make the foreign characters red, or the
> background color around each foreign character blue or something.
You have come to the same idea as I did :-) (hope my post to
Bugtraq will pass the moderation), just with a different flavor. That's a
good sign for me, and this kind of solution seems to be not-so-hard to
implement.
> It still would require a bit of user education, but maybe the first
> time it happened the browser can pop up with "The address of the site
> you are going to contains characters from another language. If you
> clicked on a link to a site you expected to be in [User's default
> language],
A small addition: not "language", but "languages". And, may be
even more -- "character set". For example, russian-speaking users
currently use only latin letters, as all the world do. And if IDN
somewhen becomes common, they would have to use a mixture of latin and
cyrillic letters.
(I hope IBM wold be clever enough to grab the "IBM.com" domains,
where "B" is "cyrillic capital VE" and/or "M" is "cyrillic capital M". :-)
> you might be going to a fraudulent site. The questionable
> characters are highlighted in blue in the address bar above. [x] Do not
> show this again for Cyrillic language letters"
Unfortunately, most users in case of such warnings blindly press
[Ok] not even trying to read what they are warned about. And if there is
a "[x] Don't show this again..." option, they will immediately swith it
on. So, such switchable-off protection would in fact become illusory...
_________________________________________
Dmitry Yu. Bolkhovityanov
The Budker Institute of Nuclear Physics
Novosibirsk, Russia