Unicode Security

[ 2005-February-15 13:24 ]

Recently, a security vulnerability for internationalized domain names (IDN) was published (again). The problem is that some characters with different code points can look the same in some fonts. These characters are called homographs. Since web browsers are beginning to support IDN, you can now construct URLs with these characters. The original example used "pаypal.com" where the second character is actually CYRILLIC SMALL LETTER A (0x430 = а), not LATIN SMALL LETTER A (0x61 = a). The author of the vulnerability suggests disabling IDN, but this is not a practical solution for the majority of people on the planet whose languages do not use Latin characters. One of the authors of the IDN specification published a much better solution to the IDN vulnerability which visually highlights the scripts used in the URL to the user. I'm not convinced that this is the best solution, but it is a step in the right direction. This issue is a great example of how important user interface design is to computer security. He also points to Security Considerations for the Implementation of Unicode which has a good discussion of this issue and other Unicode security issues. It is worth a look for the paranoid and the Unicode experts in the crowd.
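As an added example (not code from the original post or from the IDN specification authors), the following Python script shows the two defensive checks the post points at: converting an IDN to its ASCII (punycode) form, which is what a resolver actually sees, and flagging or visually marking labels that mix scripts, which is the "highlight the scripts used in the URL" idea. It assumes the standard library's `idna` codec and derives a character's script from the first word of its Unicode character name; that is a heuristic I chose for this example, not a real script-property lookup, and the "Common" set for digits, hyphen and dot is likewise an assumption.

```python
import unicodedata

# Hostname characters that belong to no particular script (assumption for this example).
COMMON_CHARS = set("0123456789-.")


def char_script(ch: str) -> str:
    """Approximate the Unicode script of one character.

    Heuristic: the first word of the character's name ("CYRILLIC SMALL LETTER A"
    -> "Cyrillic"). Good enough for Latin/Cyrillic/Greek homograph checks;
    a real implementation would use the Unicode Script property.
    """
    if ch in COMMON_CHARS:
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split()[0].title() if name else "Unknown"


def label_scripts(label: str) -> set:
    """Scripts used in one DNS label, ignoring script-neutral characters."""
    return {char_script(c) for c in label} - {"Common"}


def is_mixed_script(label: str) -> bool:
    """True when a label draws letters from more than one script."""
    return len(label_scripts(label)) > 1


def annotate(domain: str) -> str:
    """Render a domain so that every non-Latin letter is visibly marked.

    Latin and Common characters pass through; anything else is replaced by
    "{Script U+XXXX}" so the user cannot mistake it for a Latin look-alike.
    """
    out = []
    for ch in domain:
        script = char_script(ch)
        if script in ("Latin", "Common"):
            out.append(ch)
        else:
            out.append(f"{{{script} U+{ord(ch):04X}}}")
    return "".join(out)


def to_ascii(domain: str) -> str:
    """ASCII-compatible encoding (xn--...) that the DNS query will carry."""
    return domain.encode("idna").decode("ascii")


def check_domain(domain: str) -> list:
    """Per-label report: (label, sorted scripts, mixed-script flag)."""
    return [
        (label, sorted(label_scripts(label)), is_mixed_script(label))
        for label in domain.split(".")
    ]


if __name__ == "__main__":
    # Constructed sample: the post's example, second letter is U+0430 CYRILLIC SMALL LETTER A.
    for sample in ("paypal.com", "p\u0430ypal.com"):
        print(f"{sample!r:20} -> {to_ascii(sample):22} {annotate(sample)}")
        for label, scripts, mixed in check_domain(sample):
            flag = "MIXED SCRIPT" if mixed else "ok"
            print(f"    {label!r}: {scripts} {flag}")
```

The mixed-script check catches the post's example because it combines Latin and Cyrillic letters in one label; it does not catch a label spelled entirely in one non-Latin script whose letters happen to resemble a Latin word, which is why showing the punycode form or marking every non-Latin letter, as `annotate` does, remains the more robust display choice.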