From: Michal Zalewski (lcamtufcoredump.cx)
Date: Fri Feb 20 2009 - 05:31:41 CST
> However, the countermeasures browsers have implemented are trivial to bypass.
> It only took me an hour to find a number of variations of the homograph attack
> that still work. Here's a spoofed google.com page (over SSL for bonus points)
> that works on the latest version of Firefox 3 on Mac OS X:

Ugh, it sucks if Firefox still falls for this with the typefaces the
URL is displayed with on MacOS X. Does not seem to work in MSIE7,
Safari, Opera, or Chrome - though their mechanisms are also far from
being perfect (simply because there is no particularly decent

> It's been years since browser vendors were first made aware of the homograph
> attacks and there is still no good solution. Perhaps it's time to scrap IDN
> and try a different approach?

Well, from a security standpoint, IDN was a poorly thought out /
underspecified idea, and also one that was rendered nearly useless by
the security restrictions imposed later on - or at least, spare for a
couple of odds and ends, I do not see it being used in Latin alphabet
countries in appreciable numbers.

...but ditto for most other browser mechanisms, including cross-domain
interactions (XSRF, "clickjacking"), same-origin policy (which not
only has several incompatible flavors, but is grossly insufficient
as a security mechanism *AND* proves to be a major obstacle for
developers - quite a feat)... content sniffing, globalStorage, HTTP /
HTML / cookie parsing ambiguities, and a lot more... (in fact, about
80% of BSH is "oh God, what were they thinking?")...

...and ditto for pretty much every other core technology behind the
Internet (DNS, SMTP, anyone?). Good and incompatible alternatives are
easy to propose, but seems like in the end, we are very little to fix
the systemic failures through decades, so I'm not getting my hopes up
for replacing IDN with a better alternative any time soon.
Dailydave mailing list