Ignoring a problem does not make it go away....

by Michael S. Kaplan, published on 2006/02/16 09:10 -05:00, original URI: http://blogs.msdn.com/b/michkap/archive/2006/02/16/533226.aspx

Yesterday, when I posted Every character has a story #19: U+200c and U+200d (ZERO WIDTH [NON] JOINER), I got an interesting comment from Yosuke HASEGAWA:

Using ZERO WIDTH (NON) JOINER or ZWNBSP(BOM) to filename or registory key and values, you can create several files that appearance is the same name.

This may cause visual problems in security domain. So I hope to disable using Unicode control characters for filename in Windows.
Of course, Bidi control characters such as "RLO" too.

Anyone who feels that way really needs to look at the two Unicode Technical Reports I mentioned:

UTR #36: Unicode Security Considerations
UTR #39: Unicode Security Mechanisms

It is not merely a matter of invalidating some characters, as these UTRs make perfectly clear....

Add to that the legacy issue and the whole Uppercase and Binary world of the Microsoft Windows namespace and you are left with a very difficult problem -- one that is not really solved by disallowing a few characters since security problems on a local machine are not generally caused by confusable characters!

And that gets even more complicated when there are core strings that need to be used which, if they were not allowed would cause significant linguistic and political issues (as I pointed out yesterday).

Now with that said:

The most recent Unicode Technical Committee meeting was last week, and we spent over a day of our four days working on various security topics raised in StringPrep, International Domain Names, and more;
the first author listed on both of those reports is Michel Suignard, a Microsoft employee who is actually on the GIFT team. This is an area in which we are clearly interested and are trying to help define how to help mitigate these problems on a the very wide scale of the entire internet;
This issue has a prominent place in one of my presentations at the 29th Internationalization and Unicode Conference (the one entitled Tales of Incorrect String Comparisons).

So nobody is ignoring the fact that there is a problem here, a problem that must not be ignored.

But nobody in Microsoft is planning on making a few cosmetic changes and calling themselves secure afterward, either. If you know what I mean....

This post brought to you by "ɢ" (U+0262, LATIN LETTER SMALL CAPITAL G)

no comments

Please consider a donation to keep this archive running, maintained and free of advertising.
Donate €20 or more to receive an offline copy of the whole archive including all images.

referenced by

2006/03/05 Will I C U at the IUC?

go to newer or older post, or back to index or month or day