[cabfpub] ICU library patch for Unicode spoof checks

Hill, Brad bhill at paypal-inc.com
Thu Mar 28 09:09:58 MST 2013


Download v. 51.1 at:

http://site.icu-project.org/download

Binary distributions are available for many platforms.

C API documentation is at: http://icu-project.org/apiref/icu4c/
Java API documentation at: http://icu-project.org/apiref/icu4j/

Just do a search for "Spoof"

-Brad

From: Rick Andrews [mailto:Rick_Andrews at symantec.com]
Sent: Wednesday, March 27, 2013 6:01 PM
To: Hill, Brad; public at cabforum.org
Subject: RE: ICU library patch for Unicode spoof checks

Brad,

I believe the competing patch is this one: http://bugs.icu-project.org/trac/ticket/9440

Can you point me toward info on how to checkout and build the library, and where SpoofChecker is documented?

-Rick

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Hill, Brad
Sent: Thursday, March 07, 2013 9:09 AM
To: public at cabforum.org
Subject: [cabfpub] ICU library patch for Unicode spoof checks

Should be available in v51.1, http://bugs.icu-project.org/trac/milestone/51.1%20(release)

http://bugs.icu-project.org/trac/ticket/7645

They accepted a "competing" patch submitted by Google as theirs also included C++ code, but theirs didn't include the bidirectional text requirement.

That is extremely simple to implement by simply forbidding the following code points (punycode encoded or native) in hostnames:

LRE:  U+202A
RLE:  U+202B
PDF: U+202C
LRO: U+202D
RLO: U+202E

Brad Hill
Ecosystem Security
PayPal Information Risk Management
cell: 206.245.7844
skype/twitter: hillbrad
email: bhill at paypal-inc.com
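
The hostname check described in the message above, as an added Python example that is not part of the original thread and is not ICU code. It uses Python's built-in `punycode` codec; the function names and sample hostnames are hypothetical and constructed for illustration.

```python
# Added example: reject hostnames containing the five bidi control code points
# listed in the message, whether the label is native Unicode or Punycode (xn--).
FORBIDDEN = {0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF",
             0x202D: "LRO", 0x202E: "RLO"}
ACE_PREFIX = "xn--"


def decode_label(label):
    """Return the Unicode text of one DNS label, decoding xn-- labels."""
    if label.lower().startswith(ACE_PREFIX):
        # Raw RFC 3492 decode rather than the 'idna' codec, so the code points
        # are inspected exactly as encoded, with no IDNA mapping applied first.
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def find_bidi_controls(hostname):
    """List (label_index, name, 'U+XXXX') for each forbidden code point.

    Raises ValueError if an xn-- label is not valid Punycode.
    """
    hits = []
    for index, label in enumerate(hostname.rstrip(".").split(".")):
        try:
            text = decode_label(label)
        except UnicodeError as exc:
            raise ValueError(f"label {index} is not valid Punycode") from exc
        for ch in text:
            name = FORBIDDEN.get(ord(ch))
            if name:
                hits.append((index, name, f"U+{ord(ch):04X}"))
    return hits


def hostname_allowed(hostname):
    """True only if every label decodes and none holds a forbidden code point."""
    try:
        return not find_bidi_controls(hostname)
    except ValueError:
        return False  # fail closed on labels that cannot be inspected


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the thread.
    ace = ACE_PREFIX + "abc\u202edef".encode("punycode").decode("ascii")
    for host in ("example.com", "abc\u202edef.example.com", ace + ".example.com"):
        print(ascii(host), hostname_allowed(host))
```

Labels that fail to decode are rejected rather than passed through, so a malformed `xn--` label cannot skip the check.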
