Re: HomoGraph Attack – Shift Blame to the User?

Evan de Riel derieev at earlham.edu
Wed Mar 16 07:29:54 PST 2005


On Wednesday, Mar 16, 2005, at 08:43 America/Indianapolis, Manfred 
Schubert wrote:

> With regard to the homograph "attack":
>
> OmniWeb shows the site icon before the URL. For a Unicode URL how 
> about showing a "Unicode symbol" next to the site icon and before the 
> URL? Let's say a red square with a white U in it or something like 
> that. Maybe even make the background of the URL field change colour 
> like Firefox does for secure web pages. Secure pages in Firefox become 
> yellow, Unicode URLs could become red or blue or so.
>
> That way it would be possible for the user to recognize that he is 
> viewing a Unicode URL web page and he can check it further (for 
> example clicking the U symbol could reveal the "real" address). If the 
> user doesn't check he is to blame again; the browser is arguably fixed.

I would argue that it isn't fixed.  How often do you check your 
HTTPS certs to make sure they're valid?  It's a bit of a different 
case, but the essential point remains the same: you oughtn't blame the 
user for ever not doing something, especially if 90% of the time it 
ends up being something trivial and routine, i.e. www.papier-mâché.com 
becomes www.papier-mache.fr.  After about 50 of those, no one is going 
to bother clicking on the box to be shown something they already know.

It's the same problem with MS ActiveX dialogs.  Sure, you can be 
defensive and click "No" on all of them, but then your browser 
misses out on a lot of functionality like Flash, Real Media (ugh), etc. 
So even though the user clicks "Yes, Download and Execute the 
untrusted content and watch it turn my system into a spam portal" he's 
not really at fault.  Any security precaution that either is noticeably 
a false alarm nine times out of ten, or needs to be routinely 
over-ridden for essentially basic functionality, is a flawed security 
precaution.

IMHO, the simplest option is for everyone to disable IDN by default and 
refuse to re-enable it for any reason.  If no one implements it, no one 
will use it.  The second-best option is to do like (I think) Firefox 
does: simply display the ascii url instead of the unicode one.

Since the former is unlikely and the latter probably unpopular, an elegant 
solution would be to use Unicode normalization on all DNS/IDN 
registrations.  I'm certainly no expert on this, but I think NFKC or 
NFKD would do the job.  Unfortunately, this is vastly more work than 
the other two options, and the Unicode Consortium is still prone to 
changing these things.

Evan
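Added example (Python, not part of the thread or of OmniWeb): the two mechanisms the message discusses, applied to constructed hostnames. `to_ascii_form` produces the ASCII (punycode) URL a browser can display instead of the Unicode one, using Python's built-in `idna` codec; `nfkc` is Unicode compatibility normalization. The hostnames, and the mixed-script check at the end, are assumptions of this example: the script check is a heuristic helper written for it, not something the thread proposes. The Cyrillic and fullwidth variants of the same name are included so the assertions show which confusable each mechanism collapses.

```python
import unicodedata

# Constructed sample hostnames for this example (not taken from the thread).
LATIN_HOST = "paypal.com"
CYRILLIC_HOST = "p\u0430ypal.com"     # second letter is CYRILLIC SMALL LETTER A (U+0430)
FULLWIDTH_HOST = "\uff50aypal.com"    # first letter is FULLWIDTH LATIN SMALL LETTER P (U+FF50)
ACCENTED_HOST = "papier-m\u00e2ch\u00e9.com"   # the thread's own example, precomposed


def to_ascii_form(host: str) -> str:
    """What a browser shows when it displays the ASCII URL instead of the
    Unicode one.  Python's built-in 'idna' codec runs nameprep (case
    folding plus NFKC) on each label and punycode-encodes any label that
    is still non-ASCII, prefixing it with 'xn--'."""
    return host.encode("idna").decode("ascii")


def nfkc(host: str) -> str:
    """Unicode compatibility normalization (NFKC), the step the message
    proposes applying to registrations."""
    return unicodedata.normalize("NFKC", host)


def scripts_in_label(label: str) -> set:
    """Scripts used by the letters of one label, read off the first word of
    each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...).
    Hypothetical helper written for this example; it is a heuristic, not
    the Unicode Script property."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def is_mixed_script(host: str) -> bool:
    """True if any label still mixes letters from more than one script after
    NFKC.  Normalizing first folds compatibility variants (fullwidth forms,
    ligatures) into their base letters; the script check then catches the
    cross-script confusables that normalization leaves untouched."""
    return any(len(scripts_in_label(label)) > 1
               for label in nfkc(host).split("."))


if __name__ == "__main__":
    for host in (LATIN_HOST, CYRILLIC_HOST, FULLWIDTH_HOST, ACCENTED_HOST):
        print(f"{host!r:32} ascii={to_ascii_form(host)!r:24} "
              f"nfkc={nfkc(host)!r:26} mixed_script={is_mixed_script(host)}")
```

Running it prints one line per hostname. The fullwidth variant normalizes to the plain Latin name under NFKC and therefore has no punycode form at all, while the Cyrillic variant survives NFKC unchanged and only becomes visibly different in its `xn--` form or under the mixed-script check.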



More information about the OmniWeb-l mailing list