Thursday, September 25, 2014

Updated Unicode Security Specifications and Guidelines

The major Unicode security-related specifications and guidelines have been updated for Unicode 7.0. The security-related data files have undergone a major revision to improve their algorithmic consistency, as well as to take into account new information about confusable character data. We strongly advise that implementations be updated to make use of this new data. Pay particular attention to persistent data stores, such as database indexes, that use strings folded with the previous version of the data files. Mixing strings folded with new and old data files in the same persistent store will likely cause failures. It may be necessary to provide APIs for both old and new folding during a migration.

The guidelines have also been updated with descriptions of additional security issues. In particular, it is now clear that display of Punycode URLs as a security measure can, in some circumstances, actually make the spoofing problem worse.

[Image: Punycode spoofing example]

For details, see:

Unicode Security Considerations: http://unicode.org/reports/tr36/
Unicode Security Mechanisms: http://unicode.org/reports/tr39/