From: Dan Kaminsky (dankamin@cisco.com)
Date: Wed Jun 06 2001 - 19:26:10 CDT


    > Novell Groupwise has similar problems with displaying the address book
    > "name" instead of the address (though Groupwise is *not* vulnerable to the
    > same attack that forces the spoofed entry into the address book). It would
    > be nice if these email systems would always display both the name and the
    > address. Perhaps use both different colors, and the familiar <> construct,
    > e.g. "myfriend@good.example.org <attacker@evil.example.net>" the way
    > other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.

    Good example of how user interface theory can be critical to resolving
    security concerns.

    Full name/address expansion works very badly when there's a decently sized
    list of people receiving emails; instead of a mailing list reading:

    Alice, Bob, Charlie, Mallory

    You have:

    Alice <alice@foo.com>, Bob <bob@bar.com>, Charlie
    <charlie@tangouniformfoobar.com>, Mallory <timmy@gobbles.com>

    This can be cleaned up slightly by only having one entry per line, but that
    gets wasteful of space. While it's true that this provides a moderately
    effective method for authenticating destinations (at least in this context),
    it's so much less succinct that it poses a distinct usability constraint.
    Since the job of software is to be usable, not necessarily secure, the
    impact of the security noise would probably be enough to prevent the
    deployment of the fix.

    Nobody applies a patch that breaks what works--guaranteed immediate damage
    is much more compelling than theoretical future damage.

    A couple people have questioned why not just reject all "true names" that
    contain an @ sign. For better or worse, having an @ in your name is not
    necessarily a sign of illegitimacy: A small but non-ignorable minority of
    individuals tend to spell their names using an @ as a replacement for a.
    While not particularly my style, I don't think any of us can arbitrarily
    choose to reject the character when more than a few of us receive network
    links from @Home and respect people at @Stake.

    Perhaps a "true name" filter along the lines of *@*.TLD? I think that's
    pretty much what the user is interpreting as a differentiator between real
    names and email addresses.

    Yours Truly,

        Dan Kaminsky, CISSP
        Cisco Systems, Inc.
        http://www.doxpara.com
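
The display-name filter suggested in the message, sketched as an added example that is not part of the original post: a name counts as address-like only when it has the shape local@domain.TLD, so a bare @ in a name passes. The function name, verdict labels and sample headers are assumptions made for illustration, and the TLD is not checked against a registry.

```python
import re
from email.utils import parseaddr

# Address-like text inside a display name: local part, "@", then a dotted
# domain ending in an alphabetic TLD (assumption: any 2+ letter suffix counts).
ADDRESS_LIKE = re.compile(r'[^\s@<>"]+@[^\s@<>"]+\.[A-Za-z]{2,}')


def check_display_name(from_header):
    """Classify a From: header value by its display name.

    Returns (verdict, name, addr), where verdict is:
      "ok"        - the name does not look like an email address
      "redundant" - the name embeds only the real address
      "spoof"     - the name embeds an address that differs from the real one
    """
    name, addr = parseaddr(from_header)
    embedded = ADDRESS_LIKE.findall(name)
    if not embedded:
        return "ok", name, addr
    if all(e.lower() == addr.lower() for e in embedded):
        return "redundant", name, addr
    return "spoof", name, addr


# Constructed sample headers (not taken from real mail).
SAMPLES = [
    '"myfriend@good.example.org" <attacker@evil.example.net>',
    'Alice <alice@foo.example>',
    '"alice@foo.example" <alice@foo.example>',
    '"J@ne Doe" <jane@foo.example>',
    '"Friend @Stake" <friend@foo.example>',
]


def classify_samples():
    """Return the verdict for each constructed sample, in order."""
    return [check_display_name(h)[0] for h in SAMPLES]


if __name__ == "__main__":
    for header, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:9} {header}")
```

A mail client could use the "spoof" verdict to force display of the real address for that one entry, leaving the compact name-only view for everyone else on the recipient list.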