Monday, November 29, 2010

[ujtqhnpk] Individually rehashed identifiers

In a distributed system without a central directory, entities cannot choose their own unique names: there is no collision resolution mechanism.  Examples: Tor hidden services, SSH host fingerprints.

However, by generating millions of names, an adversary may search for a name which agrees with the first few bits/letters of another service it is trying to spoof.  The first few bits may be sufficient to fool humans, who find it difficult to compare long random strings.

Avoid the problem by having every browser transform (rehash) a marked-up random string before displaying it.  The transformation, implemented with a keyed hash function, is constant within a particular user's browser: the same base string is always rendered the same way.  But different users (different instances of a browser) have different transformations.  Therefore a spoofer cannot generate a string which will look similar to a target across all users.

Some UI support is needed: I'm imagining that a random string, marked up to alert the browser it is one, will be rendered as a dynamically generated graphic.  (Some blogs already do this for avatars.)  If a user clicks or selects the graphic for cut and paste, perhaps to refer to the identity in text, then the original base string is copied to the clipboard, suitably marked up.
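
A sketch of the per-browser keyed rehash and its rendering, added here as an illustration and not code from the original post. The identifiers, the two demo keys, the choice of HMAC-SHA256 as the keyed hash, and the 5x5 text glyph standing in for the generated graphic are all assumptions.

```python
import hashlib
import hmac

# Constructed sample identifiers: the spoof matches the target's first 8 characters.
TARGET = "k7f3q2zpx4wm6tna"
SPOOF = "k7f3q2zpb9ydr5ce"

# Fixed demo keys so the output is reproducible; a real browser would generate
# its key once with secrets.token_bytes(32) and never share it (assumption).
ALICE_KEY = hashlib.sha256(b"constructed demo key: alice").digest()
BOB_KEY = hashlib.sha256(b"constructed demo key: bob").digest()

def rehash(browser_key: bytes, identifier: str) -> bytes:
    """Keyed hash (HMAC-SHA256) of the base string, computed locally for display only."""
    return hmac.new(browser_key, identifier.encode("utf-8"), hashlib.sha256).digest()

def identicon(browser_key: bytes, identifier: str) -> str:
    """Text stand-in for the graphic: a 5x5 left-right mirrored bit grid."""
    digest = rehash(browser_key, identifier)
    rows = []
    for r in range(5):
        bits = [(digest[r] >> c) & 1 for c in range(3)]  # 3 bits from byte r
        rows.append("".join("#" if b else "." for b in bits + bits[1::-1]))
    return "\n".join(rows)

def shared_prefix(a: str, b: str) -> int:
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def compare(browser_key: bytes) -> tuple:
    """Prefix overlap of target and spoof: (raw strings, as rendered for this user)."""
    shown_target = rehash(browser_key, TARGET).hex()[:16]
    shown_spoof = rehash(browser_key, SPOOF).hex()[:16]
    return shared_prefix(TARGET, SPOOF), shared_prefix(shown_target, shown_spoof)

if __name__ == "__main__":
    for name, key in (("alice", ALICE_KEY), ("bob", BOB_KEY)):
        print(name, "raw/rendered prefix overlap:", compare(key))
        print(identicon(key, TARGET), "\n")
        print(identicon(key, SPOOF), "\n")
    # Copy and paste hands out the base string (TARGET), never the rendering.
```

The rendering is display-only: what gets copied or shared between users is still the base string, since each recipient's browser re-renders it under its own key.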

See also: Coloring URLs
