Lab Notes

Musings on Wi-Fi security issues, our product plans, and the general state of the world. Follow up with your comments and complaints to Lab Notes's .

Unicode Consortium Working to Fix Exploits

The Unicode Consortium has begun to address security issues with Unicode character encoding and display. This comes on the heels of the IDN spoofing flaw that allows attackers to impersonate legitimate web sites like PayPal.
The IDN spoofing attack is based on the fact that there are Unicode characters that, when rendered by the browser, look identical to other characters (the IDN proof of concept used "www.paypal.com" with the first 'a' being a Cyrillic letter that appears as a Roman 'a' in many fonts). The Unicode Consortium is also addressing long-known problems with UTF-8 encoding. The byte-level rules of UTF-8 allow "overlong" sequences that spell a code point in more bytes than necessary, so a lenient decoder will accept several different byte strings for the same character. If the decoding application isn't careful (and it can be difficult — Unicode encoding and decoding is notoriously arcane), subtle security flaws can be introduced.
The work is still in the specification phase, though the recommendations are already being implemented by some software vendors. The IETF has been mandating UTF-8 support for years now, so it is very widely deployed. It will be a while before even a majority of software vendors have implemented the full range of fixes.
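Both problems above can be checked for mechanically. The following Python is an added example, not code from the post or from the Unicode Consortium: a mixed-script check on hostname labels (using the first word of each letter's Unicode character name as a stand-in for the Script property, an assumption of this example) and a strict UTF-8 decoder that refuses overlong sequences instead of silently accepting them. The sample hostnames are constructed.

```python
import unicodedata
# Constructed inputs (not from the post): "paypal.com" with its first 'a'
# swapped for CYRILLIC SMALL LETTER A (U+0430) is the spoofed form.
GENUINE = "paypal.com"
SPOOFED = "p\u0430ypal.com"

def label_scripts(label):
    """Scripts in a label, read off each letter's Unicode name ('LATIN', ...)."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def is_mixed_script(hostname):
    """True if any label mixes letters from more than one script."""
    return any(len(label_scripts(lbl)) > 1 for lbl in hostname.split("."))

def decode_utf8_strict(data):
    """UTF-8 decoder rejecting overlong forms, bad continuation bytes,
    surrogates and out-of-range code points (a lenient one accepts the first)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n, lowest = b, 0, 0
        elif 0xC2 <= b <= 0xDF:  # 0xC0 and 0xC1 can only begin overlong forms
            cp, n, lowest = b & 0x1F, 1, 0x80
        elif 0xE0 <= b <= 0xEF:
            cp, n, lowest = b & 0x0F, 2, 0x800
        elif 0xF0 <= b <= 0xF4:
            cp, n, lowest = b & 0x07, 3, 0x10000
        else:
            raise ValueError(f"invalid lead byte 0x{b:02x} at offset {i}")
        if len(data) - i - 1 < n:
            raise ValueError(f"truncated sequence at offset {i}")
        for j in range(1, n + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte at offset {i + j}")
            cp = (cp << 6) | (c & 0x3F)
        if cp < lowest:  # a shorter encoding of this code point exists
            raise ValueError(f"overlong encoding of U+{cp:04X} at offset {i}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:X} at offset {i}")
        out.append(chr(cp))
        i += n + 1
    return "".join(out)

def is_well_formed_utf8(data):
    try:
        decode_utf8_strict(data)
        return True
    except ValueError:
        return False
```

The name-prefix heuristic is coarse (it treats digits as script-neutral and knows nothing about confusables within one script), so it is a triage filter, not a substitute for a confusables table.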
By Periodik Labs on March 14, 2005 11:05 AM |