Date: Mon, 7 Mar 2005 11:52:18 -0800 (PST)
From: Benjamin Franz <snowhare@...ongo.org>
To: Michael Roitzsch <amalthea@...enet.de>
Cc: bugtraq@...urityfocus.com
Subject: Re: thoughts and a possible solution on homograph attacks


On Mon, 7 Mar 2005, Michael Roitzsch wrote:

> Hi security community,
>
> this is my first publication I post on Bugtraq, so please be patient with me.
>
> Since the recent problems with IDN, I wanted to clear up my thoughts on
> homograph attacks, so I sorted everything in an article which also contains
> what I believe to be an easy and general solution.
>
> You can find it here:
> http://www.amalthea.de/publications/homograph.pdf
>
> Unfortunately, my free time is currently limited, so I may not be able to
> participate too much in any discussions on the subject. My apologies for
> that. But I will definitely read any feedback I receive.

You are far too fast to dismiss the usability criticism. People _WON'T_ 
participate in a system requiring them to retype the domain name to 
establish an SSL connection. Additionally, it would fail in the case 
where a user's locale was (for example) Greek while the site they were 
connecting to was American. They would type what they perceived to be the 
domain - and it wouldn't work. A "reverse homograph" failure.

It is a technically nice but completely unusable solution.

-- 
Jerry

"All right, where is the answer? The battle of wits has begun.
It ends when you click and we both serve pages - and find out who is right,
and who is slashdotted." - David Brandt
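The two failure modes discussed above, as an added example that is not part of this thread or of the cited paper. It assumes a hypothetical "retype the hostname before the SSL connection is made" scheme and compares a strict string match (the scheme as described) with a confusable-folding match; the hostnames, the small confusable table and the script-mixing heuristic are constructed for the demonstration. It goes one step beyond the reply: it also shows that relaxing the match to tolerate the locale problem makes the check accept the original homograph attack.

```python
"""Homograph vs. "reverse homograph" with a retype-to-confirm check.

Added example (not from the original post or the cited paper). The
retype-to-confirm scheme, the confusable table and the hostnames below
are assumptions made for the demonstration.
"""
import unicodedata

# Constructed hostnames, written as escapes so the difference is visible.
REAL_HOST = "apple.com"
ATTACK_HOST = "\u0430\u0440\u0440le.com"   # Cyrillic a, er, er + Latin "le"
GREEK_TYPED = "\u03b1\u03c1\u03c1le.com"   # what a Greek-keyboard user might type

# Hand-built subset of look-alike code points (assumption; a real
# deployment would use the Unicode confusables data, not this table).
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
}


def to_ascii(hostname):
    """IDNA (punycode) form, i.e. what actually goes into the DNS query."""
    return hostname.encode("idna").decode("ascii")


def naive_retype_check(url_host, typed):
    """The scheme as proposed: the typed name must equal the URL host
    (case-folded). Strict, so it catches the attack but also rejects a
    legitimate site whenever the user's keyboard yields look-alike code
    points instead of the ones in the URL."""
    return url_host.casefold() == typed.casefold()


def skeleton(hostname):
    """Fold every confusable code point to its Latin look-alike."""
    folded = unicodedata.normalize("NFKC", hostname).casefold()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def confusable_retype_check(url_host, typed):
    """Tolerant variant: compare skeletons. This removes the locale
    false positive, but it also accepts the homograph attack, because
    the attack relies on exactly the same visual equivalence."""
    return skeleton(url_host) == skeleton(typed)


def scripts(label):
    """Crude script heuristic (assumption): first word of the Unicode
    character name for each letter, e.g. LATIN, CYRILLIC, GREEK."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script(label):
    """True when a single label mixes scripts, which neither the real
    site nor an honest Greek-keyboard user would normally produce."""
    return len(scripts(label)) > 1


def demo():
    """Summarise the outcomes for both scenarios."""
    return {
        # Scenario 1: attacker's Cyrillic look-alike, user types Latin.
        "attack_blocked_by_naive": not naive_retype_check(ATTACK_HOST, REAL_HOST),
        "attack_passes_folded": confusable_retype_check(ATTACK_HOST, REAL_HOST),
        # Scenario 2: real Latin site, Greek-locale user retypes it.
        "reverse_homograph_rejects_user": not naive_retype_check(REAL_HOST, GREEK_TYPED),
        "reverse_homograph_ok_folded": confusable_retype_check(REAL_HOST, GREEK_TYPED),
        # The DNS-level names never collide.
        "punycode_differs": to_ascii(ATTACK_HOST) != to_ascii(REAL_HOST),
        "attack_is_mixed_script": mixed_script(ATTACK_HOST.split(".")[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the trade-off directly: the strict match blocks the Cyrillic look-alike but also refuses the honest Greek-keyboard user, while the confusable-folded match fixes the locale problem only by letting the attack through. The script-mixing heuristic at the end is the kind of per-label check that does not depend on what the user retypes, which is why it sidesteps the usability objection.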

