Gaspar Sinai wrote on 2002-02-06 00:47 UTC:
> Is Unicode secure? If it is not secure, can it be made secure?
"Is XYZ secure?" is almost always a naive question, especially if a
binary answer is expected.
The security of something can only be decided with repect to an exact
description of what sort of activities in a system are allowed or
prohibited. That's often called a "security policy". You haven't given
one yet. Unicode in itself certainly is neither secure nor insecure.
Applications can use Unicode in secure or insecure ways, and what that
means depends *very* much on the application in question.
Unicode (depending on the implementation level) is a relatively complex
technology and it is so new that only a tiny fraction of all software
engineers can claim significant experience in its use (readers of this
list excluded ;-). As such, Unicode is obviously a rich source of
potential pitfalls in the design of a security system. Just like VT100
terminals were and still are. We have discussed here many aspects of the
use of Unicode in security applications before, such as for example the
issue of overlong UTF-8 sequences, which were -- together with other
malformed multibyte sequences -- subsequently used for instance in the
NIMDA web worm to penetrate Microsoft's Internet Server.
More sensible questions would be
- What has to be considered in the specification and design of a
secure display component for a digital signature application when
the signed text is supposed to cover this given set of scripts?
- What has to be considered in the treatment of URLs by web servers
and paths by file systems when there are decoding-dependent operatings
performed, one of which can be Unicode?
- What has to be considered in the design of an input mask for a
database application that is supposed to cover this given set
of scripts?
You then will quickly recognize that even though Unicode is a very
useful element in the implementation of each of the mentioned
applications, the security issues related to character encodings are
usually far broader issues than just whether Unicode is "secure" or not,
and also very application specific.
Markus
--
Markus G. Kuhn, Computer Laboratory, University of Cambridge, UK
Email: mkuhn at acm.org, WWW: <http://www.cl.cam.ac.uk/~mgk25/>
--
Linux-UTF8: i18n of Linux on all levels
Archive: http://mail.nl.linux.org/linux-utf8/
