mailing list archives
Re: SECURITY.NNOV: Outlook Express address book spoofing
From: "Dan Kaminsky" <dankamin () cisco com>
Date: Wed, 6 Jun 2001 17:26:10 -0700
Novell Groupwise has similar problems with displaying the address book
"name" instead of the address (though Groupwise is *not* vulnerable to the
same attack that forces the spoofed entry into the address book). It would
be nice if these email systems would always display both the name and the
address. Perhaps use both different colors, and the familiar <> construct,
e.g. "myfriend () good example org <attacker () evil example net>" the way
other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.
Good example of how user interface theory can be critical to resolving
Full name/address expansion works very badly when there's a decently sized
list of people receiving emails; instead of a mailing list reading:
Alice, Bob, Charlie, Mallory
Alice <alice () foo com>, Bob <bob () bar com>, Charlie
<charlietangouniform () foobar com>, Mallory <timmy () gobbles com>
This can be cleaned up slightly by only having one entry per line, but that
gets wasteful of space. While its true that this provides a moderately
effective method for authenticating destinations(at least in this context),
it's so much less succinct that it poses a distinct usability constraint.
Since the job of software is to be usable, not necessarily secure, the
impact of the security noise would probably be enough to prevent the
deployment of the fix.
Nobody applies a patch that breaks what works--guaranteed immediate damage
is much more compelling than theoretical future damage.
A couple people have questioned why not just reject all "true names" that
contain an @ sign. For better or worse, having an @ in your name is not
necessarily a sign of illegitimacy: A small but non ignorable minority of
individuals tend to spell their names using an @ as a replacement for a.
While not particularly my style, I don't think any of us can arbitrarily
choose to reject the character when more than a few of us receive network
links from @Home and respect people at @Stake.
Perhaps a "true name" filter along the lines of * () * TLD? I think that's
pretty much what the user is interpreting as a differentiator between real
names and email addresses.
Dan Kaminsky, CISSP
Cisco Systems, Inc.