Re: Unicode and Security

From: James E. Agenbroad (jage@loc.gov)
Date: Thu Feb 07 2002 - 16:31:44 EST


                                             Thursday, February 7, 2002
Would making the about to be misled respondent type the address of the
intended person (with a roman 'o', not a greek omicron) and then having
the system see if they match detect and thwart such tricks? The
respondent is already typing so it's not a large extra burden.
     Regards,
          Jim Agenbroad (disclaimer and addresses at bottom)
On Thu, 7 Feb 2002, Michael Everson wrote:

> At 12:22 -0500 2002-02-07, Elliotte Rusty Harold wrote:
> >
> >For the sake of argument, let's call the company they work at
> >Microsoft, but this attack could hit most companies with a .com
> >address. Let's say I register microsoft.com, only the fifth letter
> >isn't a lower-case Latin o. It's actually a lower case Greek
> >omicron. I then forge a believable letter from alice@microsoft.com
> >to bob@microsoft.com saying "Can you please update me on your
> >budget?" Bob, noticing that the e-mail appears to come from Alice,
> >whom he knows and trusts, fires off a reply with his confidential
> >information. Only it doesn't go to Alice. It goes to me. I can then
> >reply to Bob, asking for clarification or more details. I can ask
> >him to attach the latest build of his software. I can carry on a
> >conversation in which Bob believes me to be Alice and spills his
> >guts. This is very, very bad.
>
> It isn't Unicode's fault that some letters look like others. That's a
> fault of history.
>
> --
> Michael Everson *** Everson Typography *** http://www.evertype.com
>
>

     Regards,
          Jim Agenbroad ( jage@LOC.gov )
     "It is not true that people stop pursuing their dreams because they
grow old, they grow old because they stop pursuing their dreams." Adapted
from a letter by Gabriel Garcia Marquez.
     The above are purely personal opinions, not necessarily the official
views of any government or any agency of any.
     Addresses: Office: Phone: 202 707-9612; Fax: 202 707-0955; US
mail: I.T.S. Sys.Dev.Gp.4, Library of Congress, 101 Independence Ave. SE,
Washington, D.C. 20540-9334 U.S.A.
Home: Phone: 301 946-7326; US mail: Box 291, Garrett Park, MD 20896.
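Added example (not part of the original message or the thread): a small Python script that implements the two checks the discussion points at. The first flags an address whose domain mixes scripts (the Latin/Greek omicron swap from the quoted attack). The second is the check Jim proposes above: the respondent types the address they mean to reach, and the system compares it code point by code point with the actual reply address and reports exactly where they differ. The sample addresses are constructed for the example; the script-detection uses the first word of the Unicode character name as a stand-in for the Unicode Script property, which is an approximation that works for Latin, Greek and Cyrillic but is not the real property.

```python
import unicodedata

# Constructed sample addresses for this example (not taken from the thread).
# SPOOF replaces the fifth letter of "microsoft" with U+03BF GREEK SMALL
# LETTER OMICRON, which renders identically to Latin 'o' in most fonts.
LEGIT = "alice@microsoft.com"
SPOOF = "alice@micr\u03bfsoft.com"


def script_of(ch):
    """Approximate script of a letter from its Unicode name, e.g. 'LATIN' or
    'GREEK'. This is a heuristic standing in for the Unicode Script
    property (assumption: good enough for Latin/Greek/Cyrillic letters)."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def domain_scripts(addr):
    """Return the set of scripts used by letters in the domain part."""
    domain = addr.rsplit("@", 1)[-1]
    return {script_of(c) for c in domain if c.isalpha()}


def is_mixed_script_domain(addr):
    """True when the domain's letters come from more than one script,
    which is the signature of the omicron-for-o trick."""
    return len(domain_scripts(addr)) > 1


def describe(ch):
    """Human-readable form of a character: glyph, code point and name."""
    return "%s U+%04X %s" % (ch, ord(ch), unicodedata.name(ch, "?"))


def compare_addresses(typed, actual):
    """Jim's proposed check: compare the address the respondent typed with
    the address the reply would actually go to. Both sides are NFKC
    normalized so compatibility variants do not produce false alarms.
    Returns a list of (index, typed_char, actual_char) for every position
    that differs; an empty list means the addresses match."""
    t = unicodedata.normalize("NFKC", typed)
    a = unicodedata.normalize("NFKC", actual)
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(t, a)) if x != y]
    # A length mismatch is also a difference, even if the common prefix agrees.
    longer = t if len(t) > len(a) else a
    for i in range(min(len(t), len(a)), len(longer)):
        diffs.append((i, t[i] if i < len(t) else "", a[i] if i < len(a) else ""))
    return diffs


def report(typed, actual):
    """Explain a mismatch in a way a respondent can act on."""
    diffs = compare_addresses(typed, actual)
    if not diffs:
        return "addresses match"
    lines = ["typed address differs from actual reply address:"]
    for i, x, y in diffs:
        lines.append("  position %d: typed %s, actual %s"
                     % (i, describe(x) if x else "(nothing)",
                        describe(y) if y else "(nothing)"))
    return "\n".join(lines)


if __name__ == "__main__":
    for addr in (LEGIT, SPOOF):
        print(addr, sorted(domain_scripts(addr)),
              "MIXED SCRIPT" if is_mixed_script_domain(addr) else "ok")
    print(report(LEGIT, SPOOF))
```

The mixed-script check is cheap and catches the specific trick described, but it is not complete: an all-Cyrillic look-alike domain has a single script and passes it. The typed-address comparison is what actually closes the hole, because it compares the address the respondent intended with the one the reply header carries rather than relying on how either one looks on screen.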



This archive was generated by hypermail 2.1.2 : Thu Feb 07 2002 - 16:13:17 EST