Bugtraq mailing list archives
Re: Thoughts and a possible solution on homograph attacks
From: Duncan Simpson <dps () simpson demon co uk>
Date: Sun, 20 Mar 2005 15:07:27 +0000
Homograph attacks might be a closed subject but nobody has mentioned this, so maybe I should.

Surely it is possible for a web browser to apply some similar character mapping rules and react only if it finds something. Thus if the IDN looks like www.ebay.com on the screen the web browser will notice www.ebay.com exists, pop up a warning and deny access if you just click OK. An option safe from those who just click OK without reading anything could allow access to those websites.

The best fix would be to stop the registry's granting homograph names to random people and revoking the existing ones with immediate effect but I do think this is within the power of bugtraq.

Websites could also help by using cookies valid only for one web request, with the next working value computable only if you know a secret. Knowing this secret should require knowing the password, which should never be sent anywhere. This should make it harder to steal cookies and much more difficult to do so without being detected.

If I can implement the above on IE, Mozilla and Opera using identical Java and JavaScript then surely banks can too. There are nasty side effects involving the back button but these are tolerable and probably fixable. My solution was only designed to be better than a single fixed value and there are stronger protocols (for example SRP-6).

Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
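The one-request cookie idea from the message above, as an added example that is not the poster's code: each cookie is an HMAC over a session id and a request counter, keyed by a value derived from the password, so a captured cookie is useless once spent and its reuse is logged. The PBKDF2/HMAC-SHA-256 choices, all names, and the sample password, salt and session id are assumptions made here.

```javascript
const crypto = require('crypto');

// Assumption: the key is derived from the password on the client and enrolled
// with the server once; the password itself is never transmitted.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256');
}

// Cookie value for request number `counter` of session `sessionId`.
function cookieFor(key, sessionId, counter) {
  return crypto.createHmac('sha256', key).update(`${sessionId}:${counter}`).digest('hex');
}

class Server {
  constructor(key, sessionId) {
    this.key = key; this.sessionId = sessionId;
    this.counter = 0; this.spent = new Set(); this.alerts = [];
  }
  // Accept only the cookie for the current counter; flag reuse of a spent one.
  handle(cookie) {
    const expected = cookieFor(this.key, this.sessionId, this.counter);
    const a = Buffer.from(expected, 'hex');
    const b = Buffer.from(String(cookie), 'hex');
    if (a.length === b.length && crypto.timingSafeEqual(a, b)) {
      this.spent.add(expected);
      this.counter += 1;
      return 'ok';
    }
    if (this.spent.has(String(cookie))) {
      this.alerts.push(`spent cookie replayed at request ${this.counter}`);
      return 'replay';
    }
    return 'invalid';
  }
}

// Constructed scenario: a normal request, a replay of the captured cookie,
// the client's next request, and a cookie forged from a guessed password.
function demo() {
  const salt = 'constructed-salt', sid = 'sess-1';
  const key = deriveKey('constructed-password', salt);
  const server = new Server(key, sid);
  const c0 = cookieFor(key, sid, 0);
  const results = [server.handle(c0), server.handle(c0),
    server.handle(cookieFor(key, sid, 1)),
    server.handle(cookieFor(deriveKey('guess', salt), sid, 2))];
  return { results, alerts: server.alerts };
}
```

In this sketch the server holds the derived key, so that key must be protected like a password.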