>On Thu, Feb 07, 2002 at 10:34:20AM -0500, Elliotte Rusty Harold wrote:
>Unicode is a character encoding, not a glyph encoding. Furthermore, it's
>a superset of a number of preexisting character sets, so that it was
>possible for those users to move to Unicode without problems. Since
>important preexisting character sets separated Greek, Cyrillic and Latin
>scripts, Unicode had to. Had Unicode not chosen to follow these
>principles, ISO 10646 would have, and it would have become the dominant
>character set, with the same problems.
>

I know why these choices were made. That has nothing to do with the question of whether the finished product will or will not cause security breaches.

>In any case, what is your solution? When the American Mathematical
>Society says "We need a SMALL CIRCLE for the mathematical texts", do you
>say "no, we already have the unified LATGRKCRY SMALL O"? After they show
>you that the two are distinct characters in their texts, do you still
>refuse because "someone might get confused"? The Universal Character Set
>can't afford to not encode characters like that.
>

I'm not sure Unicode can be fixed at this point. The flaws may be too deeply embedded. The real solution may involve waiting until companies and people start losing significant amounts of money as a result of the flaws in Unicode, and then throwing it away and replacing it with something else. I don't like that solution, but not liking it doesn't mean it ain't gonna happen as soon as Exxon loses a few billion dollars because somebody spoofed them and thereby gained access to their bidding plans for oil leases. Don't be surprised when some large companies start issuing memos forbidding the use of Unicode, or blocking all non-ASCII domain names at their firewall.

One possible solution at the domain name system level might be to limit domain names to a single Unicode block or group. For instance, Greek domain names could be allowed but not domain names that mix Greek with Latin. Similarly, you couldn't mix Latin with Cyrillic or Cyrillic with Greek. That would at least vastly reduce the possibility for domain spoofing, if not eliminate it entirely.

Interesting tidbit: app1e.com (not APPLE.COM but APP1E.COM) is in fact already registered. This attack may not be as theoretical as I initially thought.

-- 
+-----------------------+------------------------+-------------------+
| Elliotte Rusty Harold | [EMAIL PROTECTED]      | Writer/Programmer |
+-----------------------+------------------------+-------------------+
| The XML Bible, 2nd Edition (Hungry Minds, 2001)                    |
| http://www.ibiblio.org/xml/books/bible2/                           |
| http://www.amazon.com/exec/obidos/ISBN=0764547607/cafeaulaitA/     |
+----------------------------------+---------------------------------+
| Read Cafe au Lait for Java News: http://www.cafeaulait.org/        |
| Read Cafe con Leche for XML News: http://www.ibiblio.org/xml/      |
+----------------------------------+---------------------------------+
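The single-script restriction proposed in the message above, as an added example that is not from the original thread: a per-label check (assuming each DNS label, not the whole name, must stay in one script, so a Greek label under the Latin `.com` is fine) that infers a character's script from its Unicode name prefix, a heuristic since Python's `unicodedata` exposes no Script property.

```python
import unicodedata

# Characters allowed in any label regardless of script (an assumption of
# this example): ASCII digits and the hyphen.
NEUTRAL = set("0123456789-")
KNOWN_SCRIPTS = ("LATIN", "GREEK", "CYRILLIC")


def script_of(ch: str) -> str:
    """Infer a character's script from its Unicode name prefix (heuristic)."""
    if ch in NEUTRAL:
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in KNOWN_SCRIPTS:
        if name.startswith(script + " "):
            return script
    return "UNKNOWN"  # any other script or symbol is rejected outright


def label_scripts(label: str) -> set:
    """Set of scripts used by a label, ignoring script-neutral characters."""
    return {script_of(ch) for ch in label} - {"COMMON"}


def offending_labels(domain: str) -> list:
    """Labels that are empty, mix two scripts, or use an unrecognised script."""
    bad = []
    for label in domain.lower().rstrip(".").split("."):
        scripts = label_scripts(label)
        if not label or len(scripts) > 1 or "UNKNOWN" in scripts:
            bad.append(label)
    return bad


def is_single_script(domain: str) -> bool:
    """True when every label of the domain is written in one script only."""
    return not offending_labels(domain)


if __name__ == "__main__":
    # Constructed samples: plain Latin, an all-Greek label, Latin with one
    # Cyrillic 'а' (U+0430) substituted, and the digit case from the thread.
    for sample in ("example.com", "\u03b1\u03b2\u03b3.com",
                   "ex\u0430mple.com", "app1e.com"):
        verdict = "ok" if is_single_script(sample) else offending_labels(sample)
        print(sample, "->", verdict)
```

As the message itself concedes, a script check does not catch the app1e.com case: digits are script-neutral, so that label passes.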
