Bugtraq mailing list archives
Re: thoughts and a possible solution on homograph attacks
From: Denis Jedig <seclists () syneticon de>
Date: Tue, 08 Mar 2005 12:35:48 +0100
Kevin Day wrote:
character set(or family of languages possibly) would appear as a different color. Maybe make the foreign characters red, or the background color around each foreign character blue or something.
This actually will have to be understood by the user. While the idea to make all characters in the unicode character set *look* different is fine, you again will end up with the acceptance problem (wow, look at the fancy red "a" in ebay.com, I like colours in my address bar). By the way, using the "revert to plain punycode in address bar" approach, you'd achieve very much the same goal but have a better user acceptance - a weird looking URI looks much more scary than a coloured URI.
Users using an english browser could view URLs with known "acceptable" characters in other languages like é, ø and other obvious differences with no problem, but if a user clicks on a link with a known homograph in another character set (like #0430 - CYRILLIC SMALL LETTER A) they get the scary warning of doom.
This would require one to have a database with known homographs within the unicode charset. It's not trivial to solve since the "does character x look like character y?" question cannot be sufficiently answered without knowing what the font looks like that is representing the string on users screen.
Even when a user does whitelist a character set, they would still hopefully notice the obvious color change in the address bar.
Just to catch up your thoughts: It might be more convinient to define a locale which contains all characters used in a single language (e.g. [A-Za-z0-9äöüÄÖÜß] for German, [A-Za-z0-9áÁéÉàÀèÈâÂêÊ] for French) and pop up a warning whenever DIFF[German, French] characters belonging to different locales are used in the same string, e.g http://äà.com Obviously, this will have its problems where the intention is to mix charsets up - for example if the marketing monkey says "it's absolutely necessary to mix up our english web site URI with chinese han symbols" because it looks cooler. Denis Jedig syneticon GbR
Current thread:
- thoughts and a possible solution on homograph attacks Michael Roitzsch (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Michael Silk (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Kevin Day (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Michael Roitzsch (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Denis Jedig (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks James Youngman (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Thomas Wana (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Benjamin Franz (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- <Possible follow-ups>
- RE: thoughts and a possible solution on homograph attacks Scovetta, Michael V (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Mike Nice (Mar 08)
- Re: houghts and a possible solution on homograph attacks Sven Putteneers (Mar 08)
- Re: houghts and a possible solution on homograph attacks Nick FitzGerald (Mar 10)
- Re: Thoughts and a possible solution on homograph attacks Paul Smith (Mar 12)
- Re: Thoughts and a possible solution on homograph attacks Riccardo Murri (Mar 15)