> Novell Groupwise has similar problems with displaying the address book > "name" instead of the address (though Groupwise is *not* vulnerable to the > same attack that forces the spoofed entry into the address book). It would > be nice if these email systems would always display both the name and the > address. Perhaps use both different colors, and the familiar <> construct, > e.g. "myfriendat_private <attackerat_private>" the way > other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do. Good example of how user interface theory can be critical to resolving security concerns. Full name/address expansion works very badly when there's a decently sized list of people receiving emails; instead of a mailing list reading: Alice, Bob, Charlie, Mallory You have: Alice <aliceat_private>, Bob <bobat_private>, Charlie <charlietangouniformat_private>, Mallory <timmyat_private> This can be cleaned up slightly by only having one entry per line, but that gets wasteful of space. While its true that this provides a moderately effective method for authenticating destinations(at least in this context), it's so much less succinct that it poses a distinct usability constraint. Since the job of software is to be usable, not necessarily secure, the impact of the security noise would probably be enough to prevent the deployment of the fix. Nobody applies a patch that breaks what works--guaranteed immediate damage is much more compelling than theoretical future damage. A couple people have questioned why not just reject all "true names" that contain an @ sign. For better or worse, having an @ in your name is not necessarily a sign of illegitimacy: A small but non ignorable minority of individuals tend to spell their names using an @ as a replacement for a. While not particularly my style, I don't think any of us can arbitrarily choose to reject the character when more than a few of us receive network links from @Home and respect people at @Stake. Perhaps a "true name" filter along the lines of *@*.TLD? I think that's pretty much what the user is interpreting as a differentiator between real names and email addresses. Yours Truly, Dan Kaminsky, CISSP Cisco Systems, Inc. http://www.doxpara.com
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 10:18:40 PDT