Homograph attacks might be a closed subject, but nobody has mentioned this, so maybe I should. Surely it is possible for a web browser to apply some similar-character mapping rules and react only if it finds something. Thus if the IDN looks like www.ebay.com on the screen, the web browser will notice www.ebay.com exists, pop up a warning and deny access if you just click OK. An option safe from those who just click OK without reading anything could allow access to those websites.

The best fix would be to stop the registries granting homograph names to random people and revoke the existing ones with immediate effect, but I do think this is within the power of bugtraq.

Websites could also help by using cookies valid only for one web request, with the next working value computable only if you know a secret. Knowing this secret should require knowing the password, which should never be sent anywhere. This should make it harder to steal cookies and much more difficult to do so without being detected. If I can implement the above on IE, Mozilla and Opera using identical Java and JavaScript, then surely banks can too. There are nasty side effects involving the back button, but these are tolerable and probably fixable. My solution was only designed to be better than a single fixed value, and there are stronger protocols (for example SRP-6).

Duncan (-:

"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
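A sketch of the lookalike-mapping check the post proposes, added here as an example rather than code from the post or from any browser: the confusables table is a small constructed subset (browsers use the much larger Unicode TR39 data), and the known-site list is a constructed sample standing in for history or bookmarks.

```python
import unicodedata

# Constructed subset of lookalike mappings: Cyrillic and Greek letters that
# render like Latin ones. Real browsers use the full Unicode TR39 confusables.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03c1": "p", "\u0131": "i", "\u0261": "g",
}

# Constructed sample of sites the user already trusts; a browser would draw
# these from history, bookmarks or a vendor-supplied list.
KNOWN_SITES = {"www.ebay.com", "www.example.com"}


def decode_idn(host: str) -> str:
    """Turn punycode (xn--) labels back into the Unicode the user sees."""
    labels = []
    for label in host.split("."):
        if label.lower().startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def skeleton(host: str) -> str:
    """What the hostname looks like on screen: NFKC-fold, lowercase, then
    replace each lookalike character with the Latin letter it resembles."""
    folded = unicodedata.normalize("NFKC", decode_idn(host)).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def check_hostname(host: str, known_sites=KNOWN_SITES):
    """Return (verdict, skeleton). 'warn' is the case the post wants blocked
    behind a warning: the name looks like a known site but is not that site."""
    shown = decode_idn(host).lower()
    look = skeleton(host)
    if look in known_sites and shown != look:
        return "warn", look
    if shown in known_sites:
        return "ok", look
    return "unknown", look


if __name__ == "__main__":
    # The same spoof in Unicode form and in the punycode form a URL carries.
    spoof = "www.\u0435bay.com"          # Cyrillic small ie in place of 'e'
    wire = spoof.encode("idna").decode("ascii")
    for h in ("www.ebay.com", spoof, wire, "www.example.org"):
        print(h, "->", check_hostname(h))
```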