[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[idn] RE: Unicode and Security
<DC504E9C3384054C8506D3E6BB012460077443@bsebe001.NOE.Nokia.com>
From: <jarkko.hietaniemi@nokia.com>
To: <elharo@metalab.unc.edu>, <unicode@unicode.org>
Cc: <idn@ops.ietf.org>
Sender: owner-idn@ops.ietf.org
Precedence: bulk
> I'm not sure Unicode can be fixed at this point. The flaws may be
too
> deeply embedded. The real solution may involve waiting until
> companies and people start losing significant amounts of money as a
> result of the flaws in Unicode, and then throwing it away and
> replacing it with something else. I don't like that solution, but
not
> liking it doesn't mean it ain't gonna happen as soon as Exxon loses
a
> few billion dollars because somebody spoofed them and thereby
gained
> access to their bidding plans for oil leases. Don't be surprised
when
> some large companies start issuing memos forbidding the use of
> Unicode, or blocking all non-ASCII domain names at their firewall.
"Doom! Doom! Doom! End is nigh, repent ye sinners!"
> Interesting tidbit: app1e.com (not APPLE.COM but APP1E.COM) is in
> fact already registered. This attack may not be as theoretical as I
> initially thought.
Interestingly enough, I find this (and whitehouse.com and whitehouse.org,
and micros0ft.com, and ...) a good example for Unicode being largely irrelevant.
Sure, Unicode gives more possibilities for abuse, but I fail to see how
a character
encoding standard can stop people from being stupid and not using public
keys or
some other means of trust in cases where it matters. Analogously, people will
keep opening executable attachments promising sex, regardless of whether
the
's', 'e', and 'x' are Latin letters or not.