Suggestion to address security issue

From: Doug Ewell (dewell@adelphia.net)
Date: Fri Feb 15 2002 - 03:41:36 EST


Elliotte Rusty Harold started it all by saying:

> ... until the Unicode consortium addresses at
> a root level the real security implications of their work, security
> conscious developers will look elsewhere. (I notice the Unicode 3.0
> book does not even have the word "security" in its index.)

I would like to suggest the following, to alert developers who need to
consider the security implications of spoofable characters, and to
forestall claims that Unicode is oblivious to security concerns:

A future version of the Unicode Standard should include a (very brief)
subsection on "Security Issues," analogous to the brief subsection
normally found in RFCs. This should contain the following points:

1. Unicode encodes characters, not glyphs.

2. Unicode contains many "confusables," that is, characters whose
glyphs, due to historical derivation or sheer luck, resemble each other
in certain contexts.

3. Certain security-sensitive applications or systems may be vulnerable
due to possible human misinterpretation of these confusables.

4. Many legacy character sets, including ISO 8859-1, also contain
confusables (albeit fewer of them) and carry the same security risks.

5. These security concerns are the responsibility of the individual
application or system, not Unicode or any other character encoding.

As a side note, I appreciate the fact that my term "spoof buddies" has
gained some currency on this list, but when the time comes to write this
"Security" disclaimer, the more professional-sounding term "confusables"
should probably be used instead.

-Doug Ewell
 Fullerton, California
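
An added illustration of points 2 to 5, not part of the original message: a sketch of how an individual application might screen a new identifier against existing ones. The `CONFUSABLES` table is constructed and deliberately tiny, the function names are hypothetical, and the script test (first word of the Unicode character name) is a rough heuristic assumed for this example.

```python
import unicodedata

# Constructed sample table (assumption): look-alike character -> prototype.
# The last three entries are plain ASCII, so they also exist in ISO 8859-1.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "0": "o",       # digit zero vs. letter o
    "1": "l",       # digit one vs. small l
    "I": "l",       # capital I vs. small l
}


def fold(ch):
    """Map one character to its prototype."""
    ch = CONFUSABLES.get(ch, ch)   # case-sensitive pairs first ("I" vs. "l")
    ch = ch.lower()
    return CONFUSABLES.get(ch, ch)


def skeleton(text):
    """Fold a string so that look-alike strings compare equal."""
    return "".join(fold(ch) for ch in unicodedata.normalize("NFKC", text))


def scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}


def check(candidate, known):
    """Return findings for a candidate identifier against registered ones."""
    findings = []
    if len(scripts(candidate)) > 1:
        findings.append("mixed-script")
    for name in known:
        if candidate != name and skeleton(candidate) == skeleton(name):
            findings.append("confusable-with:" + name)
    return findings


KNOWN = ["alice", "cope"]  # constructed sample identifiers
```

The all-Cyrillic and all-ASCII cases pass a mixed-script test and are caught only by the skeleton comparison, which is why the comparison has to live in the application that knows which identifiers matter.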


