Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: thoughts and a possible solution on homograph attacks

From: Thomas Wana <thomas () wana at>
Date: Mon, 07 Mar 2005 20:54:39 +0100
Michael Roitzsch wrote:

You can find it here:
http://www.amalthea.de/publications/homograph.pdf


Quote from the abovementioned paper:
"I propose to present the user with a dialog showing the text to be validated and
an input field, into which the user has to type in the given text again. The user
is told, if both texts match precisely and what this means: If the typed text's
internal representation matches the given text bit-by-bit, trust can be established.
If it does not match, the user is told to re-check for typing errors and not to
establish trust."

You completely seem to forget to think about user *acceptance*. Noone
will accept such a "solution". If I think of me alone I would hate to
enter the domain name once I click on a link. And obviously this would
have to be done for *every* link the user clicks, or how would you
technically distinguish between a trustable and non-trustable URL. Heck,
that's actually the root of the problem ...

Tom
Previous By Date Next
Previous By Thread Next

Current thread: