
Re: Thoughts and a possible solution on homograph attacks



Homograph attacks might be a closed subject but nobody has mentioned this, so
maybe I should. Surely it is possible for a web browser to apply some similar
character mapping rules and react only if it finds something.

Thus if the IDN looks like www.ebay.com on the screen the web browser will
notice www.ebay.com exists, pop up a warning and deny access if you just click
OK. An option safe from those who just click OK without reading anything could
allow access to those websites. 

The best fix would be to stop the registry's granting homograph names to random
people and revoke the existing ones with immediate effect but I do think
this is within the power of bugtraq.


Websites could also help by using cookies valid only for one web request, with
the next working value computable only if you know a secret. Knowing this
secret should require knowing the password, which should never be sent
anywhere. This should make it harder to steal cookies and much more difficult
to do so without being detected.

If I can implement the above on IE, Mozilla and Opera using identical Java and
JavaScript then surely banks can too. There are nasty side effects involving
the back button but these are tolerable and probably fixable. My solution was
only designed to be better than a single fixed value and there are stronger
protocols (for example SRP-6).





Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
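
An added example, not part of the original post: a sketch of the browser-side check the message proposes, where a displayed IDN is mapped through look-alike rules and blocked by default if the result is an existing ASCII name. The table, the function names and the KNOWN set (standing in for "does www.ebay.com exist?") are assumptions, and the host is assumed to be in its Unicode display form.

```javascript
// Constructed, deliberately small look-alike table: Cyrillic and Greek code
// points mapped to the Latin letters they resemble. A real deployment would
// use the full Unicode confusables data instead of this sample.
const LOOKALIKES = new Map([
  ['\u0430', 'a'], // CYRILLIC SMALL LETTER A
  ['\u0435', 'e'], // CYRILLIC SMALL LETTER IE
  ['\u043e', 'o'], // CYRILLIC SMALL LETTER O
  ['\u0440', 'p'], // CYRILLIC SMALL LETTER ER
  ['\u0441', 'c'], // CYRILLIC SMALL LETTER ES
  ['\u0443', 'y'], // CYRILLIC SMALL LETTER U
  ['\u0445', 'x'], // CYRILLIC SMALL LETTER HA
  ['\u0455', 's'], // CYRILLIC SMALL LETTER DZE
  ['\u0456', 'i'], // CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
  ['\u03b1', 'a'], // GREEK SMALL LETTER ALPHA
  ['\u03bf', 'o'], // GREEK SMALL LETTER OMICRON
]);

// Reduce a displayed hostname to the ASCII string a user would read it as.
function skeleton(host) {
  const shown = host.normalize('NFKC').toLowerCase();
  return Array.from(shown, ch => LOOKALIKES.get(ch) ?? ch).join('');
}

// knownHosts stands in for the existence check (assumption); a browser could
// instead try to resolve the skeleton name. The default action is to block,
// so dismissing the warning with OK does not load the page; allowLookalikes
// models the separate opt-in setting.
function checkHost(host, knownHosts, allowLookalikes = false) {
  const shown = host.normalize('NFKC').toLowerCase();
  const skel = skeleton(shown);
  // React only if the mapping changed something AND hit an existing name.
  if (skel === shown || !knownHosts.has(skel)) {
    return { action: 'allow', lookalikeOf: null };
  }
  return {
    action: allowLookalikes ? 'warn-and-allow' : 'block',
    lookalikeOf: skel,
  };
}

// Constructed sample inputs.
const KNOWN = new Set(['www.ebay.com', 'www.paypal.com']);
const SPOOF = 'www.\u0435b\u0430y.com';                       // Cyrillic e and a
const HONEST = 'www.\u043f\u0440\u0438\u043c\u0435\u0440.com'; // ordinary Cyrillic IDN
```

The ordinary Cyrillic name is allowed because its mapped form matches no known host, which is the "react only if it finds something" behaviour.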