Updated Unicode Security Specifications and Guidelines

From: <announcements_at_unicode.org>
Date: Fri, 26 Sep 2014 11:01:56 -0700

The major Unicode security-related specifications and guidelines have
been updated for Unicode 7.0. The security-related data files have
undergone a major revision to improve their algorithmic consistency, as
well as to take into account new information about confusable character
data. We strongly advise that implementations be updated to make use of
this new data. Pay particular attention to persistent data stores, such
as database indexes, that use strings folded with the previous version
of the data files. Mixing strings folded with new and old data files in
the same persistent store will likely cause failures. It may be
necessary to provide APIs for both old and new folding during a migration.

The guidelines have also been updated with descriptions of additional
security issues. In particular, it is now clear that display of Punycode
URLs as a security measure can, in some circumstances, actually make the
spoofing problem worse.

Punycode Spoofing Image

For details, see:

Unicode Security Considerations: http://unicode.org/reports/tr36/
Unicode Security Mechanisms: http://unicode.org/reports/tr39/

All of the Unicode Consortium lists are strictly opt-in lists for members
or interested users of our standards. We make every effort to remove
users who do not wish to receive e-mail from us. To see why you are getting
this mail and how to remove yourself from our lists if you want, please
see http://www.unicode.org/consortium/distlist.html#announcements
Received on Fri Sep 26 2014 - 13:11:46 CDT

This archive was generated by hypermail 2.2.0 : Fri Sep 26 2014 - 13:11:57 CDT