IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)

Posted Feb 21, 2005 23:35 UTC (Mon) by ballombe (subscriber, #9523)
Parent article: New IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)

There will be no solution because the problem is elsewhere: the assumption
that domain names or URLs are a secure way to identify a site is flawed.
It has been shown in the past countless times (DNS spoofing, typo domains,
etc.). IDN makes things marginally worse.


IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)

Posted Feb 22, 2005 0:29 UTC (Tue) by clugstj (subscriber, #4020)

Not quite. IDN makes matters MUCH worse. Buying a domain name that looks just like a well-known one is easy; spoofing DNS effectively is much more difficult.

IDN Homograph Spoofing Response: IDN Will Not Be Disabled (MozillaZine)

Posted Feb 22, 2005 16:42 UTC (Tue) by ballombe (subscriber, #9523)

Buying a domain name that looks just like a well-known one is easy even
without IDN. Just use a bit of social engineering when choosing your
domain name and introducing it to the user.

PetNames --- a solution to the Homograph URL and Phishing problem.

Posted Feb 22, 2005 23:05 UTC (Tue) by AnswerGuy (guest, #1256)

There are possible solutions. None will work for everyone. There are too many people who are way too gullible or lazy. However, there are technical means to mitigate the majority of the problem and give any reasonably competent and motivated person the level of protection they need to avoid being hooked by phishing scams.

I don't have time or space to cover the full range of this discussion. However, a couple of pointers may serve:

Sorry I don't have time to actually cover the details here. It would be a timely topic for one of LWN's feature articles. Hint! Hint!

Basically the short form of the Mozilla component to the solution is to have color coding and "Pet" icons next to those URL references that are "known good" (because they are among your personally configured list of "PetNames"). The details of how URLs get adopted as pets are the tricky part --- just as the whole matter of key management is the hardest challenge of modern cryptography.

JimD
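
The lookup behind the "known good" marker described in the comment above, as an added sketch that is not part of the original post or of any Mozilla code. `PetNameStore`, `canonical_host`, the petname and the `bank.example` host are hypothetical; the lookalike host is constructed with a Cyrillic letter in place of the Latin "a".

```python
from urllib.parse import urlsplit


def canonical_host(url):
    """Hostname of url as lowercase ASCII; IDN labels become xn-- (A-label) form."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    # Built-in "idna" codec (IDNA 2003); pure-ASCII labels pass through unchanged.
    return host.encode("idna").decode("ascii").lower()


class PetNameStore:
    """Hypothetical per-user map: exact canonical hostname -> name the user chose."""

    def __init__(self):
        self._pets = {}

    def adopt(self, url, petname):
        host = canonical_host(url)
        # A petname must point at one host only, or it stops identifying anything.
        for known_host, known_name in self._pets.items():
            if known_name == petname and known_host != host:
                raise ValueError(f"petname {petname!r} already names {known_host}")
        self._pets[host] = petname

    def indicator(self, url):
        """Return (status, petname, host) for the UI to render next to the URL."""
        host = canonical_host(url)
        if host in self._pets:
            return ("pet", self._pets[host], host)
        # No visual-similarity guessing: anything not adopted is shown as unknown,
        # with the ASCII form so a lookalike label is visibly different.
        return ("unknown", None, host)


def demo():
    store = PetNameStore()
    store.adopt("https://www.bank.example/", "My Bank")
    urls = [
        "https://WWW.Bank.example/login",       # same host, different case
        "https://www.b\u0430nk.example/login",  # constructed: Cyrillic U+0430 for "a"
    ]
    return [store.indicator(u) for u in urls]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The match is on the exact canonical hostname, so the lookalike never inherits the petname; how a host gets adopted in the first place is left out, as in the comment.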
