[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[idn] Re: Unicode and Security

To: unicode@unicode.org
Subject: [idn] Re: Unicode and Security
From: Elliotte Rusty Harold <elharo@metalab.unc.edu>
Date: Thu, 7 Feb 2002 13:21:29 -0500
Cc: idn@ops.ietf.org

>On Thu, Feb 07, 2002 at 10:34:20AM -0500, Elliotte Rusty Harold wrote:

>Unicode is a character encoding, not a glyph encoding. Furthermore,
it's
>a superset of a number of preexisting character sets, so that it was
>possible for those users to move to Unicode without problems. Since
>important preexisting character sets seperated Greek, Cyrillic and
Latin
>scripts, Unicode had to. Had Unicode not chosen to follow these
>principles, ISO 10646 would have, and it would have become the dominant
>character set, with the same problems.
>

I know why these choices were made. That has nothing to do with the
question of whether the finished product will or will not cause
security breaches.

>In any case, what is your solution? When the American Mathematical
>Society says "We need a SMALL CIRCLE for the mathematical texts", do
you
>say "no, we already have the unified LATGRKCRY SMALL O"? After they
show
>you that the two are distinct characters in their texts, do you still
>refuse because "someone might get confused"? The Universal Character
Set
>can't afford to not encode characters like that.
>

I'm not sure Unicode can be fixed at this point. The flaws may be too
deeply embedded. The real solution may involve waiting until
companies and people start losing significant amounts of money as a
result of the flaws in Unicode, and then throwing it away and
replacing it with something else. I don't like that solution, but not
liking it doesn't mean it ain't gonna happen as soon as Exxon loses a
few billion dollars because somebody spoofed them and thereby gained
access to their bidding plans for oil leases. Don't be surprised when
some large companies start issuing memos forbidding the use of
Unicode, or blocking all non-ASCII domain names at their firewall.

One possible solution at the domain name system level might be to
limit domain names to a single Unicode block or group. For instance,
Greek domain names could be allowed but not domain names that mix
Greek with Latin. Similarly, you couldn't mix Latin with Cyrillic or
Cyrillic with Greek. That would at least vastly reduce the
possibility for domain spoofing, if not eliminate it entirely.

Interesting tidbit: app1e.com (not APPLE.COM but APP1E.COM) is in
fact already registered. This attack may not be as theoretical as I
initially thought.
--

+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | elharo@metalab.unc.edu | Writer/Programmer |
+-----------------------+------------------------+-------------------+
|          The XML Bible, 2nd Edition (Hungry Minds, 2001)           |
|              http://www.ibiblio.org/xml/books/bible2/              |
|   http://www.amazon.com/exec/obidos/ISBN=0764547607/cafeaulaitA/   |
+----------------------------------+---------------------------------+
|  Read Cafe au Lait for Java News:  http://www.cafeaulait.org/      |
|  Read Cafe con Leche for XML News: http://www.ibiblio.org/xml/     |
+----------------------------------+---------------------------------+

Prev by Date: [idn] Re: Unicode and Security
Next by Date: [idn] A question...
Previous by thread: [idn] Re: Unicode and Security
Next by thread: [idn] RE: Unicode and Security
Index(es):
- Date
- Thread