Date: Fri, 4 Nov 2016 08:27:43 +0100 (CET) From: Daniel Stenberg <daniel@...x.se> To: cve-assign@...re.org cc: robert@...oraproject.org, oss-security@...ts.openwall.com Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host On Fri, 4 Nov 2016, cve-assign@...re.org wrote: > In some situations, this would be a site-specific problem at a registry. > Although domain names can have a variety of uses of '-' characters, the > presence of a '-' as both the third character and the fourth character is > often recognized as a special case. Trying to specify xn--strae-oqa.de > directly when seeking a registration is very different from trying to > specify (for example) x--strae-oqa.de or xn-strae-oqa.de. DENIC alledgedly has rules that should prevent separate registrations like in the straße.de case. Still it seems that this particular host name is registered by two different entities unless there's some background juggling that we can't easily see from the outside. Those policies are obviously not flawless and now we end up in a sutiation where cients implementing different IDNA standards will end up on different servers. I suppose both can also get separate HTTPS certificates by simply using the puny encoded versions of their domain names when asking for them. In addition to the IDNA confusion, I also learned that libidn2 doesn't do the necessary checks so just switching to that as we did in the curl patch for the advisory we're discussing here, is an insuffucient and inferior fix for this problem. We need to a bigger take. One. Big. Mess. I've suggested curl users to simply *disable* IDN completely in their builds now until we get something better done. To reduce the risk. There's no schedule or plan yet for when "something better" might be ready. I'll admit my energy level for this crap is very low. -- / daniel.haxx.se
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ