[cabfpub] Implementation of UTR-36 confusable text security considerations.

Hill, Brad bhill at paypal-inc.com
Fri Aug 24 23:53:37 UTC 2012


You can use SpoofChecker.failsChecks() on a single identifier with MIXED_SCRIPT_CONFUSABLE and INVISIBLE checks to get much of the desired behavior - you don't have to compare two identifiers.

The library is open source, so producing a derivative to match the specific requirement shouldn't be hard.  I'll volunteer to do the Java version.

-Brad

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Friday, August 24, 2012 4:32 PM
To: Hill, Brad; public at cabforum.org
Subject: RE: [cabfpub] Implementation of UTR-36 confusable text security considerations.

Brad,

This helps, somewhat, but falls short in that it doesn't provide code for all the checks in Bruce's proposal document. And although the class contains a method to check if two strings are confusable, we're left wondering how we are to use that method. Clearly, the first string will be a U-label from the FQDN that the subscriber is enrolling for, but what's the other? Would we have to check each U-label against each string from the Alexa One Million? Or compare the U-label to every domain name in our db? It doesn't seem like a practical solution.

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Thursday, August 23, 2012 11:30 AM
To: public at cabforum.org
Subject: [cabfpub] Implementation of UTR-36 confusable text security considerations.

In response to questions on today's call about implementations of the confusable Unicode restrictions suggested for inclusion in BR 1.1, I can suggest the International Components for Unicode library:

http://site.icu-project.org/

And, specifically, the SpoofChecker class:

http://icu-project.org/apiref/icu4j/com/ibm/icu/text/SpoofChecker.html

And uspoof.h

http://icu-project.org/apiref/icu4c/uspoof_8h.html

This doesn't forbid the Left To Right Override character that I can tell from simple examination, but that's an easy check to add with a regex or character search.

Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844
skype/twitter: hillbrad
email: bhill at paypal-inc.com
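The single-identifier approach Brad describes, as an added example (this is not Brad's code nor part of ICU itself): an ICU4J SpoofChecker configured with the MIXED_SCRIPT_CONFUSABLE and INVISIBLE checks, run on one U-label at a time, plus the separate directional-override character search he mentions. The class name LabelConfusableCheck, the method names, and the sample labels are my own; java.net.IDN is used only to turn an A-label (xn--) into the U-label before checking.

```java
// Added example: per-label confusable screening with ICU4J's SpoofChecker.
// Class and method names are assumed for illustration; only the ICU calls are real.
import com.ibm.icu.text.SpoofChecker;
import java.net.IDN;
import java.util.ArrayList;
import java.util.List;

public final class LabelConfusableCheck {

    // Checks that look at one identifier on its own; no second string is needed.
    private static final SpoofChecker CHECKER = new SpoofChecker.Builder()
            .setChecks(SpoofChecker.MIXED_SCRIPT_CONFUSABLE | SpoofChecker.INVISIBLE)
            .build();

    /** Returns the reasons a U-label should be rejected; an empty list means it passed. */
    public static List<String> problems(String uLabel) {
        List<String> reasons = new ArrayList<>();

        SpoofChecker.CheckResult result = new SpoofChecker.CheckResult();
        if (CHECKER.failsChecks(uLabel, result)) {
            if ((result.checks & SpoofChecker.MIXED_SCRIPT_CONFUSABLE) != 0) {
                reasons.add("mixed-script confusable");
            }
            if ((result.checks & SpoofChecker.INVISIBLE) != 0) {
                reasons.add("invisible or non-displaying character sequence");
            }
        }

        // Explicit directional controls (overrides/embeddings U+202A..U+202E, isolates
        // U+2066..U+2069). Checked by hand, as Brad suggests, rather than relying on
        // the INVISIBLE check to cover them.
        if (uLabel.codePoints().anyMatch(LabelConfusableCheck::isBidiControl)) {
            reasons.add("directional override/embedding control character");
        }
        return reasons;
    }

    private static boolean isBidiControl(int cp) {
        return (cp >= 0x202A && cp <= 0x202E) || (cp >= 0x2066 && cp <= 0x2069);
    }

    /** Screens every label of a hostname; A-labels are converted to U-labels first. */
    public static boolean hostnameAcceptable(String hostname) {
        for (String label : hostname.split("\\.")) {
            String uLabel = label.startsWith("xn--") ? IDN.toUnicode(label) : label;
            if (!problems(uLabel).isEmpty()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed samples: plain Latin; Latin with a Cyrillic small a (U+0430)
        // substituted for the second letter; a label carrying U+202E.
        String[] samples = { "paypal", "p\u0430ypal", "pay\u202Epal" };
        for (String s : samples) {
            List<String> why = problems(s);
            System.out.println(s + " -> " + (why.isEmpty() ? "ok" : "reject " + why));
        }
    }
}
```

Running this prints "ok" for the first sample and a rejection reason for the other two. Because the check is per label, a CA can apply it at enrollment time to each U-label of the requested FQDN without comparing against any external list; later ICU releases also offer a RESTRICTION_LEVEL check that subsumes much of MIXED_SCRIPT_CONFUSABLE, which is worth considering if a newer ICU4J is in use.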
