Bugtraq mailing list archives
Re: houghts and a possible solution on homograph attacks
From: Sven Putteneers <svennieboy () linux be>
Date: Tue, 8 Mar 2005 19:50:36 +0100
On Mon, 7 Mar 2005 at 15:05:51 -0500, Scovetta, Michael V(Michael.Scovetta () ca com) wrote:

> <plug> I've released a "fix" for the IDN vulnerability (www.scovettalabs.com/advisory/SCL-2005.002.txt) that basically prevents you from going to *any* domain that has a non-[\-A-Z0-9] character in it. For me, it's fine, since I'll likely never need to go to an IDN domain. </plug>

If this patch would be widely used, we'd lose all the advantages associated with IDN. Maybe it's better to attack this problem on the browser side and have a configuration switch to enable or disable IDN. We could disable it as a "reasonable default", but those who need it could enable it. Upon enabling the option, a warning dialog could pop up that warns the user about the security problems associated with IDN ("don't enable this unless you know what you're doing" stuff).

That way the majority of the users would be safe from IDN attacks (phishing comes to mind) and those who really want IDN would have to click through a warning dialog telling them why enabling it may not be such a good idea.

Just my €0.02,
Sven

--
Encrypted mail preferred. As of Jan 27th 2005, all outgoing mail is signed.
GPG keyID: 0x66A13305
GPG key fingerprint: 5B8C 97A2 20C4 E578 CDEB 71C9 23CA 0681 66A1 3305
GPG key URL: http://werner.sytes.net/~svenniboy/gpg_pubkey.asc
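The default-off IDN switch proposed in the message above, as an added example that is not part of the thread or of any browser's code. The names `idnEnabled` and `checkNavigation` are hypothetical, and the sample hostname is constructed. It also shows why the check has to look for the `xn--` prefix: once the URL parser has converted the name, every label passes a letters-digits-hyphen test.

```javascript
// Added example, not from the thread. `idnEnabled` and `checkNavigation`
// are hypothetical names for the proposed switch and the check behind it.

const DEFAULT_PREFS = { idnEnabled: false }; // the "reasonable default"

// Character class of the quoted fix: letters, digits and hyphen only.
const LDH_LABEL = /^[-a-z0-9]+$/i;

function checkNavigation(urlString, prefs = DEFAULT_PREFS) {
  let url;
  try {
    url = new URL(urlString);
  } catch (err) {
    return { allowed: false, reason: 'invalid-url', asciiHost: null, ldhOnly: false };
  }
  // The WHATWG URL parser has already converted Unicode labels to their
  // ASCII-compatible "xn--" form by the time we read hostname.
  const asciiHost = url.hostname;
  const labels = asciiHost.split('.').filter((l) => l.length > 0);
  const idnLabels = labels.filter((l) => l.toLowerCase().startsWith('xn--'));
  // What a character-class test sees if it runs on the converted name.
  const ldhOnly = labels.length > 0 && labels.every((l) => LDH_LABEL.test(l));

  if (idnLabels.length === 0) {
    return { allowed: true, reason: 'no-idn-labels', asciiHost, ldhOnly };
  }
  if (prefs.idnEnabled) {
    // A real browser would reach this state only after the warning dialog.
    return { allowed: true, reason: 'idn-enabled', asciiHost, ldhOnly };
  }
  return { allowed: false, reason: 'idn-disabled', asciiHost, ldhOnly };
}

// Constructed sample input: U+0430 (Cyrillic "a") in place of Latin "a".
const SAMPLES = ['https://example.com/', 'https://ex\u0430mple.com/'];
for (const s of SAMPLES) {
  const r = checkNavigation(s);
  console.log(`${r.asciiHost}: ${r.allowed ? 'allow' : 'block'} (${r.reason})`);
}
```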