Bugtraq mailing list archives

Re: thoughts and a possible solution on homograph attacks


From: Kevin Day <toasty () dragondata com>
Date: Mon, 7 Mar 2005 14:15:00 -0600


On Mar 7, 2005, at 11:25 AM, Michael Roitzsch wrote:

Hi security community,

this is my first publication I post on Bugtraq, so please be patient with me.

Since the recent problems with IDN, I wanted to clear up my thoughts on
homograph attacks, so I sorted everything in an article which also contains
what I believe to be an easy and general solution.

You can find it here:
http://www.amalthea.de/publications/homograph.pdf

Unfortunately, my free time is currently limited, so I may not be able to
participate too much in any discussions on the subject. My apologies for
that. But I will definitely read any feedback I receive.

Michael Roitzsch


That's an interesting idea, but it sounds kinda complicated and burdensome on the user. It would be a hard sell to make that the default behavior in any browser if users aren't accustomed to dealing with it. It's incredibly difficult to convince a user that adding more work to them is somehow an improvement on things.


What would (to me) make more sense is if the browser made it more clear that a homograph was being used.

In the address bar, any character that's not from the user's language character set (or family of languages possibly) would appear as a different color. Maybe make the foreign characters red, or the background color around each foreign character blue or something.

It still would require a bit of user education, but maybe the first time it happened the browser can pop up with "The address of the site you are going to contains characters from another language. If you clicked on a link to a site you expected to be in [User's default language], you might be going to a fraudulent site. The questionable characters are highlighted in blue in the address bar above. [x] Do not show this again for Cyrillic language letters"

Users using an English browser could view URLs with known "acceptable" characters in other languages like é, ø and other obvious differences with no problem, but if a user clicks on a link with a known homograph in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get the scary warning of doom.

Novice users may not understand the problem, but the fact that the browser popped up with something would be a good indication that something is wrong. Expert users or those who frequently deal with sites in other languages could whitelist character sets that they use.

Even when a user does whitelist a character set, they would still hopefully notice the obvious color change in the address bar.


-- Kevin
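
The highlighting and warning scheme proposed in the message above, as an added sketch that is not part of the original post or of any browser's code. It takes one reading of the proposal: every character outside the user's own scripts is highlighted, and the warning fires only for a known look-alike from a script the user has not whitelisted. The function names, the small look-alike table and the sample hostnames are all constructed for illustration.

```javascript
// Added illustration; every name below is hypothetical.
// Constructed sample of cross-script look-alikes, not a complete confusables table.
const LOOKALIKES = new Map([
  ["\u0430", "a"], // CYRILLIC SMALL LETTER A (the example from the message)
  ["\u0435", "e"], // CYRILLIC SMALL LETTER IE
  ["\u043E", "o"], // CYRILLIC SMALL LETTER O
  ["\u03BF", "o"], // GREEK SMALL LETTER OMICRON
]);

const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Digits, dots and hyphens belong to no language, so they are never flagged.
function scriptOf(ch) {
  if (/[\p{Nd}.\-]/u.test(ch)) return "Common";
  for (const [name, re] of Object.entries(SCRIPTS)) {
    if (re.test(ch)) return name;
  }
  return "Other";
}

// nativeScripts: scripts of the user's own language(s); never highlighted.
// whitelisted: scripts the user ticked "do not show this again" for.
function annotateHost(host, nativeScripts = ["Latin"], whitelisted = []) {
  const native = new Set([...nativeScripts, "Common"]);
  const quiet = new Set(whitelisted);
  const chars = Array.from(host.normalize("NFC"), (ch) => {
    const script = scriptOf(ch);
    const foreign = !native.has(script);
    return { ch, script, foreign, lookalike: foreign ? LOOKALIKES.get(ch) ?? null : null };
  });
  return {
    // Brackets stand in for the coloured address-bar rendering.
    highlighted: chars.map((c) => (c.foreign ? `[${c.ch}]` : c.ch)).join(""),
    foreignScripts: [...new Set(chars.filter((c) => c.foreign).map((c) => c.script))],
    // Warn only for a known look-alike from a script the user has not whitelisted.
    warn: chars.some((c) => c.lookalike !== null && !quiet.has(c.script)),
  };
}

console.log(annotateHost("ex\u0430mple.com")); // constructed look-alike of example.com
console.log(annotateHost("caf\u00E9.example")); // accented Latin: no highlight, no warning
```

Whitelisting Cyrillic in the third argument silences the warning for the first hostname, but the bracketed character remains in `highlighted`, matching the point that the color change stays visible after whitelisting.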

