Re: thoughts and a possible solution on homograph attacks

To: "Dmitry Yu. Bolkhovityanov" <D.Yu.Bolkhovityanov@xxxxxxxxxx>
Subject: Re: thoughts and a possible solution on homograph attacks
From: Michael Roitzsch <amalthea@xxxxxxxxxx>
Date: Tue, 8 Mar 2005 13:21:44 +0100
Cc: Kevin Day <toasty@xxxxxxxxxxxxxx>, bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <Pine.SGI.4.10.10503081211320.1149940-100000@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.SGI.4.10.10503081211320.1149940-100000@xxxxxxxxxxxxxx>
User-agent: KMail/1.6.2

Hi,

since a lot of people have raised doubt on the usability problems of my 
solution: I am perfectly aware of them. I just don't think it is too hard to 
type a domain name the first time you visit an SSL encrypted site. Some 
end-user phishing checklists even advise you to type the domain you want to 
visit. My solution would just enforce that.

Bet let's see if we cannot combine several solutions:

> > What would (to me) make more sense is if the browser made it more clear
> > that a homograph was being used.
> >
> > In the address bar, any character that's not from the user's language
> > character set(or family of languages possibly) would appear as a
> > different color. Maybe make the foreign characters red, or the
> > background color around each foreign character blue or something.
>
>       You have come to the same idea as I did :-) (hope my post to
> Bugtraq will pass the moderation), just with a different flavor.  That's a
> good sign for me, and this kind of solution seems to be not-so-hard to
> implement.

I like the solution, too. It clearly improves the current situation.

However, it has another usability problem: It won't work for the colourblind 
or those using black and white only because they need high contrast. Some 
users might not even have an address bar in their browser, maybe because they 
got distracted by all the weird characters and disabled it.

I also see the problem that users don't look at the address bar and actually 
read the address careful enough. I usually don't. A quick look at the padlock 
icon is already asked too much for some users.

So why not combine all the solutions: The browser maintains a whitelist of 
trusted domains. Whenever a domain is visited which offers SSL, but is not in 
the whitelist, the browser will notify the user somehow (either by a dialog 
or in a non-modal way, maybe a flashing padlock icon). The user can choose to 
ignore the notification or follow up on it. The user is then presented with 
the possibility to whitelist the domain with his choice of visually verifying 
the domain name (with coloured characters) or typing it in to be safe. The 
dialog's text can explain this.

Michael

-- 
LOAD "WIN95",8,1
RUN

References:
- Re: thoughts and a possible solution on homograph attacks
  - From: Dmitry Yu. Bolkhovityanov

Prev by Date: Re: thoughts and a possible solution on homograph attacks
Next by Date: Re: thoughts and a possible solution on homograph attacks
Previous by thread: Re: thoughts and a possible solution on homograph attacks
Next by thread: Re: thoughts and a possible solution on homograph attacks
Index(es):
- Date
- Thread