If I understand things correctly, you want to have the browser maintain a sort of whitelist of domains the user trusts. Whenever the browser encounters a new SSL domain, the user is asked, if she wants to include it in the list of trusted domains. Have I gotten the idea right?
Nope. I don't think anyone with knowledge of browser UI and/or user behaviour and acceptance would propose such a thing.
What's proposed is a list of trusted (or untrusted) TLDs, set by us.
However, even with the discussed concepts in place, there is still the problem with the homograph attacks, because the user has to recognize a text string to decide on trust in a domain. One possibility is to display punycode, but I think I have found a more general solution to homograph attacks: You give the user a text input field below the string to recognize and recommend that the user types in the string he believes to be reading. The computer can then easily verify, if the displayed and the typed string match and react accordingly.
I saw this proposed on Bugtraq; I think the participants there explained quite well why it wouldn't work. But thank you for your input :-)
Gerv _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
