Michael, I don't think this solution is appropriate at all. (For those that didn't read the PDF, the idea is to have the user _type in_ the domain name of a url they clicked on). Clearly, this won't work at all from a users point of view. It would be far too annoying. Your saving scenario is also not very appropriate, because consider if a malicious user on that persons computer saves 'bank1.com' to map to 'hackerbank1.com'. The problems become obvious. As for a solution to the problem, perhaps browsers can just notify the user when a domain they clicked contains unicode characters, and display the URL in some special fashion. (I can't think of anything that would be appropriate, however :) -- Michael (Silk) On Mon, 7 Mar 2005 18:25:31 +0100, Michael Roitzsch <amalthea@xxxxxxxxxx> wrote: > Hi security community, > > this is my first publication I post on Bugtraq, so please be patient with me. > > Since the recent problems with IDN, I wanted to clear up my thoughts on > homograph attacks, so I sorted everything in an article which also contains > what I believe to be an easy and general solution. > > You can find it here: > http://www.amalthea.de/publications/homograph.pdf > > Unfortunately, my free time is currently limited, so I may not be able to > participate too much in any discussions on the subject. My appologies for > that. But I will definitely read any feedback I receive. > > Michael Roitzsch > -- Please adjust the reply-to address.
