[Owasp-leaders] Fwd: Updated Unicode Security Specifications and Guidelines

Bev Corwin bev.corwin at owasp.org
Fri Sep 26 19:05:04 UTC 2014


FYI:

---------- Forwarded message ----------
From: Bev Corwin <bevcorwin at gmail.com>
Date: Fri, Sep 26, 2014 at 3:04 PM
Subject: Fwd: Updated Unicode Security Specifications and Guidelines
To: Bev Corwin <bev.corwin at owasp.org>



---------- Forwarded message ----------
From: <announcements at unicode.org>
Date: Fri, Sep 26, 2014 at 2:01 PM
Subject: Updated Unicode Security Specifications and Guidelines
To: announcements at unicode.org


The major Unicode security-related specifications and guidelines have
been updated for Unicode 7.0. The security-related data files have
undergone a major revision to improve their algorithmic consistency, as
well as to take into account new information about confusable character
data. We strongly advise that implementations be updated to make use of
this new data. Pay particular attention to persistent data stores, such as
database indexes, that use strings folded with the previous version of the
data files. Mixing strings folded with new and old data files in the same
persistent store will likely cause failures. It may be necessary to provide
APIs for both old and new folding during a migration.

The guidelines have also been updated with descriptions of additional
security issues. In particular, it is now clear that display of Punycode
URLs as a security measure can, in some circumstances, actually make the
spoofing problem worse.

 [image: Punycode Spoofing Image]
<http://www.unicode.org/announcements/tn-punycode-spoofing.png>

For details, see:

Unicode Security Considerations: http://unicode.org/reports/tr36/
Unicode Security Mechanisms: http://unicode.org/reports/tr39/
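
The migration advice in the announcement (do not mix strings folded with old and new data in one store, and keep both foldings available while migrating) can be shown with a small sketch. This is an added example, not part of the announcement or of the Unicode data files; the two mapping tables, the `FoldedIndex` class and its method names are hypothetical, and the fold is a simplified one.

```python
import unicodedata

# Constructed stand-ins for two releases of a confusables table. They are NOT
# the real Unicode data files; they differ just enough to show the problem.
FOLDS = {
    "old": {"\u0430": "a"},                 # Cyrillic a -> Latin a
    "new": {"\u0430": "a", "\u0435": "e"},  # newer table also folds Cyrillic e
}

def skeleton(s, version):
    """Simplified fold: NFD, map each character through the table, NFD again."""
    table = FOLDS[version]
    nfd = unicodedata.normalize("NFD", s)
    return unicodedata.normalize("NFD", "".join(table.get(c, c) for c in nfd))

class FoldedIndex:
    """Stand-in for a persistent index: folded key -> (fold version, original)."""
    def __init__(self):
        self.rows = {}

    def add(self, name, version):
        self.rows[skeleton(name, version)] = (version, name)

    def lookup_new_only(self, name):
        # An upgraded reader that ignores which table produced the stored keys.
        row = self.rows.get(skeleton(name, "new"))
        return row[1] if row else None

    def lookup(self, name):
        # Migration-safe: try each folding, accept only rows folded the same way.
        for version in FOLDS:
            row = self.rows.get(skeleton(name, version))
            if row and row[0] == version:
                return row[1]
        return None

    def migrate(self):
        """Re-fold every row with the new table; return names that now collide."""
        groups = {}
        for _, name in self.rows.values():
            groups.setdefault(skeleton(name, "new"), []).append(name)
        # A colliding group keeps its first name; the rest need manual review.
        self.rows = {key: ("new", names[0]) for key, names in groups.items()}
        return [names for names in groups.values() if len(names) > 1]
```

Re-folding is only possible here because the index keeps the original string next to each folded key.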