Re: possible general solution to homograph attacks

Thu, 10 Mar 2005 06:44:37 -0800

Gervase Markham wrote: 
Michael Roitzsch wrote:

If I understand things correctly, you want to have the browser maintain a sort of whitelist of domains the user trusts. Whenever the browser encounters a new SSL domain, the user is asked, if she wants to include it in the list of trusted domains. Have I gotten the idea right?


Nope. I don't think anyone with knowledge of browser UI and/or user behaviour and acceptance would propose such a thing. 

(I also was confused by this...)

What's proposed is a list of trusted (or untrusted) TLDs, set by us. 

So, like a "root list of TLDs".  Well, wouldn't this take
MF back into the judgement business?  As I understand it,
Mozilla doesn't feel all that comfortable about auditing
the CAs, and Frank's emphasis has been on crafting a policy
that neutralises MF as a judgement agency.  That sort of
policy should be dealt with consistently, one would hope.

Also, any solution should try and involve as few players
as possible.  If the TLDs and MF is brought into the
equation, that would make it quite a barrier.  We've
seen how (see Nelson's posts) hard it is to get the
Foundation or the product owners to think about security,
and Frank's efforts are slowed because of resources and
time;  asking for yet another coordination effort could
be tough.

However, even with the discussed concepts in place, there is still the problem with the homograph attacks, because the user has to recognize a text string to decide on trust in a domain. One possibility is to display punycode, but I think I have found a more general solution to homograph attacks: You give the user a text input field below the string to recognize and recommend that the user types in the string he believes to be reading. The computer can then easily verify, if the displayed and the typed string match and react accordingly.


I saw this proposed on Bugtraq; I think the participants there explained quite well why it wouldn't work. But thank you for your input :-) 


reference?

iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security

Reply via email to