Bugtraq mailing list archives
Re: thoughts and a possible solution on homograph attacks
From: Michael Roitzsch <amalthea () freenet de>
Date: Tue, 8 Mar 2005 13:21:44 +0100
Hi, since a lot of people have raised doubt on the usability problems of my solution: I am perfectly aware of them. I just don't think it is too hard to type a domain name the first time you visit an SSL encrypted site. Some end-user phishing checklists even advise you to type the domain you want to visit. My solution would just enforce that. But let's see if we cannot combine several solutions:
>> What would (to me) make more sense is if the browser made it more clear that a homograph was being used. In the address bar, any character that's not from the user's language character set (or family of languages possibly) would appear as a different color. Maybe make the foreign characters red, or the background color around each foreign character blue or something.
>
> You have come to the same idea as I did :-) (hope my post to Bugtraq will pass the moderation), just with a different flavor. That's a good sign for me, and this kind of solution seems to be not-so-hard to implement.
I like the solution, too. It clearly improves the current situation. However, it has another usability problem: it won't work for the colourblind or those using black and white only because they need high contrast. Some users might not even have an address bar in their browser, maybe because they got distracted by all the weird characters and disabled it. I also see the problem that users don't look at the address bar and actually read the address carefully enough. I usually don't. A quick look at the padlock icon is already asking too much for some users.

So why not combine all the solutions: The browser maintains a whitelist of trusted domains. Whenever a domain is visited which offers SSL, but is not in the whitelist, the browser will notify the user somehow (either by a dialog or in a non-modal way, maybe a flashing padlock icon). The user can choose to ignore the notification or follow up on it. The user is then presented with the possibility to whitelist the domain with his choice of visually verifying the domain name (with coloured characters) or typing it in to be safe. The dialog's text can explain this.

Michael

-- 
LOAD "WIN95",8,1
RUN
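As an added illustration of the combined scheme discussed in this thread (not code from any of the posters), the following Python sketch decodes a punycode hostname, marks every character outside the user's script the way the address bar colouring would, and consults a constructed per-user whitelist of trusted SSL hosts. Script detection via Unicode character names is an assumption of this sketch, since Python's unicodedata module exposes no script property.

```python
import unicodedata

# Constructed per-user whitelist of trusted SSL hosts, as the post proposes.
TRUSTED_HOSTS = {"bank.example", "mail.example"}


def decode_host(host):
    """Return the Unicode form of a hostname; punycode ('xn--') labels are decoded."""
    if "xn--" not in host.lower():
        return host
    return host.encode("ascii").decode("idna")


def is_native(ch, script="LATIN"):
    """True for digits, '-', '.', and letters whose Unicode name starts with the
    user's script name (approximation of 'the user's language character set')."""
    if ch in "-.0123456789":
        return True
    return unicodedata.name(ch, "").startswith(script + " ")


def mark_foreign(host, script="LATIN"):
    """Wrap each character outside the user's script in [ ]; a text stand-in for
    the coloured rendering in the address bar."""
    return "".join(ch if is_native(ch, script) else f"[{ch}]"
                   for ch in decode_host(host))


def classify(host, script="LATIN", trusted=TRUSTED_HOSTS):
    """Decide how the browser should treat an SSL host under the whitelist scheme:
    'trusted'      -> already whitelisted, no notification
    'mixed-script' -> not whitelisted and contains foreign characters; show the
                      coloured rendering in the whitelist dialog
    'unknown'      -> not whitelisted; notify, let the user verify or type it"""
    uni = decode_host(host)
    if uni in trusted:
        return "trusted"
    if any(not is_native(c, script) for c in uni):
        return "mixed-script"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample: Latin 'bank' with a Cyrillic small letter a (U+0430).
    sample = "b\u0430nk.example".encode("idna").decode("ascii")
    print(sample, "->", mark_foreign(sample), classify(sample))
```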
Current thread:
- thoughts and a possible solution on homograph attacks Michael Roitzsch (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Michael Silk (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Kevin Day (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Michael Roitzsch (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Denis Jedig (Mar 08)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- Re: thoughts and a possible solution on homograph attacks James Youngman (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Thomas Wana (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Benjamin Franz (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Dmitry Yu. Bolkhovityanov (Mar 08)
- <Possible follow-ups>
- RE: thoughts and a possible solution on homograph attacks Scovetta, Michael V (Mar 07)
- Re: thoughts and a possible solution on homograph attacks Mike Nice (Mar 08)
- Re: houghts and a possible solution on homograph attacks Sven Putteneers (Mar 08)
- Re: houghts and a possible solution on homograph attacks Nick FitzGerald (Mar 10)
- Re: Thoughts and a possible solution on homograph attacks Paul Smith (Mar 12)