In response to possible scam
In response to the Yahoo article about Unicode characters that mimic genuine site names: the obvious solution is a highlighting system for all abnormal symbols.
For example, if the browser sees anything outside the ASCII range in a site name, it should highlight those characters, or bring up an alert asking the user to check the certificate.
ọ could be highlighted to show it is not the same as o, i.e. www.oooọooo.com becomes www.oooọooo.com with the ọ highlighted.
"A fix won't be easy because the vulnerability, publicized at a weekend hacker conference, that enables so-called "phishing" scams involves a feature, not a coding error."
All of these phishing scams involve tricking the human by exploiting the limits of human sight and attention, so the obvious solution is to give the end user the tools to decide, rather than having code run in the background blocking all these sites. Furthermore, since most people are unlikely to use more than three or four sites where they consider security to be of the utmost importance (a few bank accounts, email accounts and so on), why not just add a feature to mark these as trusted?
Update:
Oops, slight misunderstanding I think. I thought they would allow you to have any character; instead I now think the same characters will be allowed, but because the same character, e.g. "a", has different code points in Unicode in the Latin and Cyrillic scripts, the computer would know the difference while the human would see none.
"Engineers have rallied around a character system called Unicode. The newly discovered exploit takes advantage of the fact that characters that look alike can have two separate codes in Unicode and thus appear to the computer as different. For example, Unicode for "a" is 97 under the Latin alphabet, but 1072 in Cyrillic." (I would like to add that these are 0x61 and 0x430 in hex respectively; try it in Windows Character Map under "Advanced view".)
But my argument about highlighting still holds up, because it shows the user that the characters are different!
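As an added example (not code from the original post or the Yahoo article), here is how such a highlighting check could be implemented in JavaScript, the language a browser-side check would be written in. The function names findNonAscii, highlightHostname, highlightNormalized and toAsciiHostname and the sample hostnames are my own assumptions. It also covers one case the post does not mention: a dotted o can be written either as the single code point U+1ECD or as a plain o followed by a combining dot below (U+0323), which renders identically, so the hostname is normalized before highlighting. The last function uses Node's WHATWG URL parser to show the punycode (xn--) form a certificate would actually name.

```javascript
// Added example, not from the original post: flag and highlight characters in
// a hostname that fall outside plain ASCII, so a UI can show the user that
// "a" (U+0061, decimal 97) and Cyrillic "а" (U+0430, decimal 1072) differ.
// All hostnames used here are constructed for illustration.

// Format a code point as U+XXXX (at least four hex digits, upper case).
function formatCodePoint(cp) {
  return 'U+' + cp.toString(16).toUpperCase().padStart(4, '0');
}

// Returns one record per non-ASCII character: its position (counted in code
// points, not UTF-16 units), the character itself, and its code point.
function findNonAscii(hostname) {
  const hits = [];
  let index = 0;
  for (const ch of hostname) {          // for..of iterates by code point
    const cp = ch.codePointAt(0);
    if (cp > 0x7f) {
      hits.push({ index, char: ch, codePoint: cp, hex: formatCodePoint(cp) });
    }
    index++;
  }
  return hits;
}

// Wraps every non-ASCII character in [[ ... ]] together with its code point,
// so "www.oooọooo.com" becomes "www.ooo[[ọ U+1ECD]]ooo.com". A real browser
// UI would colour or underline instead, but the decision logic is the same.
function highlightHostname(hostname) {
  let out = '';
  for (const ch of hostname) {
    const cp = ch.codePointAt(0);
    out += cp > 0x7f ? `[[${ch} ${formatCodePoint(cp)}]]` : ch;
  }
  return out;
}

// Normalize to NFC first: "o" + COMBINING DOT BELOW (U+0323) looks exactly
// like U+1ECD but is two code points, and the combining mark alone would be
// highlighted while the visible "o" would not. After NFC both forms give
// the same single highlighted character.
function highlightNormalized(hostname) {
  return highlightHostname(hostname.normalize('NFC'));
}

// Node's URL parser applies IDNA processing, so a label containing
// non-ASCII characters comes back in punycode (xn--...). That ASCII form is
// what appears in the certificate and in DNS, which is why a mixed-script
// name that looks like a familiar site does not match the real site's cert.
function toAsciiHostname(hostname) {
  return new URL('http://' + hostname).hostname;
}

// Stand-alone demonstration.
if (typeof require !== 'undefined' && require.main === module) {
  const samples = [
    'www.paypal.com',                 // all ASCII, nothing to flag
    'www.p\u0430ypal.com',            // Cyrillic а (U+0430) in place of Latin a
    'www.ooo\u1ECDooo.com',           // precomposed ọ
    'www.ooo' + 'o\u0323' + 'ooo.com' // decomposed o + combining dot below
  ];
  for (const h of samples) {
    console.log(highlightNormalized(h), '->', toAsciiHostname(h), findNonAscii(h));
  }
}
```

In a browser extension the same logic would run over location.hostname before the page is rendered; the point is that the check is done per character and surfaced to the user, not by a blocklist running silently in the background.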