Re: Security Risks of Unicode

From: Michael \(michka\) Kaplan (
Date: Sun Jul 16 2000 - 20:02:16 EDT

The power of Unicode to unintentionally pass control codes to systems that
are not expecting Unicode text, or even the ability of some known "evil
hacker type" to do it intentionally is NOT more powerful than said
program/hacker's ability to knowingly pass control codes in a targeted
attempt to hurt security.

By its very nature, an application or parser that is designed to accept
UTF-8 can accept just about anything. In that way, it is actually in its own
way safer than systems that have ranges reserved for control codes (note the
C1 discussion had to do with passing UTF-8 to systems that were not
expecting it, NOT the other way around).

So I do not see any security issue here that did not already exist, and for
those that implement Unicode solutions I see a few security risks go away.

As to the security issues related to systems that not expect Unicode being
fed it, I can't see that as a fault of Unicode. That is a security issue
with the old systems that existed even before Unicode existed....


----- Original Message -----
From: "Elliotte Rusty Harold" <>
To: "Unicode List" <>
Cc: <>
Sent: Sunday, July 16, 2000 5:22 AM
Subject: Security Risks of Unicode

> Bruce Schneier expresses some concerns about "Security Risks of
> Unicode" in the latest issue of his Cryptogram newsletter. Thoser who
> don't subscribe can see:
> At this point the concerns are mostly theoretical. Nonetheless I
> think they're reasonable, especially when you consider the recent
> discussions here about C1 control characters and the unintended
> consequences of these characters. Throw XML/Unicode encoded
> application protocols like SOAP and XML-RPC into the mix and who
> knows what can happen? Which is pretty much Schneier's point.
> Anyway, I'm curious to know what other Unicodists think about the
> potential security implications Schneier raises. I'm not sure if he
> subscribes to this list (,
> or not so I
> cc'd him so he can participate as well.
> +-----------------------+------------------------+-------------------+
> | Elliotte Rusty Harold | | Writer/Programmer |
> +-----------------------+------------------------+-------------------+
> | The XML Bible (IDG Books, 1999) |
> | |
> | |
> +----------------------------------+---------------------------------+
> | Read Cafe au Lait for Java news: |
> | Read Cafe con Leche for XML news: |
> +----------------------------------+---------------------------------+

This archive was generated by hypermail 2.1.2 : Tue Jul 10 2001 - 17:21:05 EDT