Date: Fri, 4 Nov 2016 12:48:55 +0100
From: Robert Scheck <robert@...oraproject.org>
To: Daniel Stenberg <daniel@...x.se>
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On Fri, 04 Nov 2016, Daniel Stenberg wrote:
> DENIC allegedly has rules that should prevent separate registrations like
> in the straße.de case. Still it seems that this particular host name is
> registered by two different entities unless there's some background juggling
> that we can't easily see from the outside.

It is possible (and also allowed by DENIC) that e.g. "straße.de" and
"strasse.de" have two different domain owners. I performed at least one
registration for a customer for a "ß"-domain after the "ß" sunrise period
was over, where the "ß"-domain owner is not the owner of the corresponding
"ss"-domain. Not sure which rules you refer to, but apart from the "ß"-sunrise
period in 2010, I'm able to register "ß"-domains on a first come, first served
basis at DENIC.

The DENIC FAQ (https://www.denic.de/en/faqs/faqs-about-idns-ss/) also mentions
that e.g. "mueller.de" and "müller.de" are two completely different
domain names (even though "ue" is the German transcription of "ü") - and here the
argument is that "bauer.de" is not the same as "baür.de" (which is
obviously true from the non-technical perspective of a German native
speaker). From my understanding, the argument there is non-IDNA mueller.de
vs. IDNA2003 müller.de, while now it is IDNA2003 strasse.de vs. IDNA2008
straße.de - which might be slightly different, because it's a switch of the
IDNA version rather than the introduction of IDNA.

For those who didn't notice, Florian also started a German thread on the
public DENIC mailing list (https://www.denic.de/en/service/mailing-lists/)
about exactly this topic (I'm not sure if there is a public archive).


Greetings,
  Robert
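
The following is an added example, not code from this thread, from curl or from DENIC. It shows, using only the Python standard library, why the IDNA version matters for the names discussed above: Python's built-in "idna" codec implements IDNA2003 (nameprep maps U+00DF "ß" to "ss"), while the IDNA2008 side here is a deliberate, assumed simplification (NFC, lower-case, punycode, no ß mapping) that is only accurate for the labels in this thread and is not a complete IDNA2008 implementation. All host names used are the ones from the discussion; "resolution_targets" and "same_owner_possible" are helper names invented for the example.

```python
"""Added example (not part of the oss-security thread): IDNA2003 vs IDNA2008
ASCII forms of the host names discussed above, standard library only.

IDNA2003: Python's 'idna' codec (RFC 3490/3491, nameprep maps U+00DF -> "ss").
IDNA2008: an ASSUMED minimal stand-in (NFC, lower-case, punycode per label,
no compatibility mapping of U+00DF). It is enough for straße/müller/mueller,
but it is NOT a full IDNA2008 implementation (no contextual rules, no
disallowed-code-point table, no Bidi checks).
"""
import unicodedata


def to_ascii_idna2003(hostname: str) -> str:
    # Built-in codec: nameprep turns "straße" into "strasse" before punycode,
    # so the ASCII-only name is sent to DNS / used as SNI and Host header.
    return hostname.encode("idna").decode("ascii")


def to_ascii_idna2008(hostname: str) -> str:
    # Assumed minimal IDNA2008 behaviour: ß is a valid code point of its own,
    # so the label is punycode-encoded instead of being mapped to "ss".
    labels = []
    for label in hostname.split("."):
        label = unicodedata.normalize("NFC", label).lower()
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def resolution_targets(hostname: str) -> dict:
    # Which registrable ASCII name each IDNA version would actually contact.
    return {
        "idna2003": to_ascii_idna2003(hostname),
        "idna2008": to_ascii_idna2008(hostname),
    }


def same_owner_possible(hostname: str) -> bool:
    # True when the two versions yield *different* registrable names, i.e.
    # when, as DENIC permits, two unrelated parties could hold them and a
    # client using the "wrong" IDNA version ends up at the wrong host.
    targets = resolution_targets(hostname)
    return targets["idna2003"] != targets["idna2008"]


if __name__ == "__main__":
    # Constructed sample input: the three names from the discussion.
    for name in ("straße.de", "müller.de", "mueller.de"):
        print(name, resolution_targets(name), same_owner_possible(name))
```

Only "straße.de" splits: IDNA2003 resolves "strasse.de", IDNA2008 resolves "xn--strae-oqa.de". "müller.de" encodes to "xn--mller-kva.de" under both versions and "mueller.de" is plain ASCII, which is why the mueller/müller case in the DENIC FAQ differs from the straße/strasse case: there the two names were never the same name under any IDNA version.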

