Bugtraq mailing list archives
Re: SECURITY.NNOV: Outlook Express address book spoofing
From: "Dan Kaminsky" <dankamin () cisco com>
Date: Wed, 6 Jun 2001 17:26:10 -0700
Novell Groupwise has similar problems with displaying the address book "name" instead of the address (though Groupwise is *not* vulnerable to the same attack that forces the spoofed entry into the address book). It would be nice if these email systems would always display both the name and the address. Perhaps use both different colors, and the familiar <> construct, e.g. "myfriend () good example org <attacker () evil example net>" the way other packages like Netscape Messenger, Mozilla Mail, Pine, and Mutt do.
Good example of how user interface theory can be critical to resolving security concerns. Full name/address expansion works very badly when there's a decently sized list of people receiving emails; instead of a mailing list reading: Alice, Bob, Charlie, Mallory You have: Alice <alice () foo com>, Bob <bob () bar com>, Charlie <charlietangouniform () foobar com>, Mallory <timmy () gobbles com> This can be cleaned up slightly by only having one entry per line, but that gets wasteful of space. While its true that this provides a moderately effective method for authenticating destinations(at least in this context), it's so much less succinct that it poses a distinct usability constraint. Since the job of software is to be usable, not necessarily secure, the impact of the security noise would probably be enough to prevent the deployment of the fix. Nobody applies a patch that breaks what works--guaranteed immediate damage is much more compelling than theoretical future damage. A couple people have questioned why not just reject all "true names" that contain an @ sign. For better or worse, having an @ in your name is not necessarily a sign of illegitimacy: A small but non ignorable minority of individuals tend to spell their names using an @ as a replacement for a. While not particularly my style, I don't think any of us can arbitrarily choose to reject the character when more than a few of us receive network links from @Home and respect people at @Stake. Perhaps a "true name" filter along the lines of *@*.TLD? I think that's pretty much what the user is interpreting as a differentiator between real names and email addresses. Yours Truly, Dan Kaminsky, CISSP Cisco Systems, Inc. http://www.doxpara.com
Current thread:
- SECURITY.NNOV: Outlook Express address book spoofing 3APA3A (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Peter W (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 07)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Kee Hinckley (Jun 08)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Peter W (Jun 05)
- Re: SECURITY.NNOV: Outlook Express address book spoofing Dan Kaminsky (Jun 05)
- <Possible follow-ups>
- RE: SECURITY.NNOV: Outlook Express address book spoofing Otto . Dandenell (Jun 08)
- RE: SECURITY.NNOV: Outlook Express address book spoofing David F. Skoll (Jun 10)
- RE: SECURITY.NNOV: Outlook Express address book spoofing Matt Priestley (Jun 12)